Analysis Overview
SHA256
85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0
Threat Level: Shows suspicious behavior
The file 85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0 was found to show suspicious behavior. Across the two detonations below it copies itself to %LOCALAPPDATA%\RobloxSecurity, registers a per-minute scheduled task for that copy at highest run level, deletes the original file, dumps saved Wi-Fi profiles and nearby BSSIDs with netsh, reads browser, WinSCP and Outlook profile data, looks up its external IP via ip-api.com, and talks repeatedly to 45.147.99.158:8080 and api.telegram.org; on Windows 10 it additionally drops and launches tor-real.exe with a torrc.txt configuration.
Malicious Activity Summary
Deletes itself
Reads user/profile data of web browsers
Loads dropped DLL
Reads WinSCP keys stored on the system
Executes dropped EXE
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Checks installed software on the system
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
outlook_office_path
Modifies system certificate store
Suspicious use of SetWindowsHookEx
outlook_win_path
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:40
Reported
2024-06-03 05:45
Platform
win7-20240419-en
Max time kernel
297s
Max time network
301s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies system certificate store
Note: the AuthRoot\Certificates key written here, together with the CryptnetUrlCache Content/MetaData entries and the Tar309A.tmp file listed under Files, is consistent with Windows' automatic root-certificate update, which crypt32 performs in-process (hence attributed to the sample) the first time a TLS peer such as github.com chains to a root not yet in the local store. Treat this signature as probable OS noise rather than a root certificate installed by the sample unless a direct certificate-store write (certutil, CertAddCertificateContextToStore) is observed.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data omitted) | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data omitted) | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data omitted) | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
"C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe" &&START "" "C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout /t 3
C:\Windows\system32\schtasks.exe
schtasks /create /tn "85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
"C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\findstr.exe
findstr /R /C:"[ ]:[ ]"
C:\Windows\system32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\system32\findstr.exe
findstr "SSID BSSID Signal"
C:\Windows\system32\taskeng.exe
taskeng.exe {8B35FAEC-F54F-435F-947B-38563E901DAA} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
C:\Windows\system32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\findstr.exe
findstr /R /C:"[ ]:[ ]"
C:\Windows\system32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\system32\findstr.exe
findstr "SSID BSSID Signal"
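The process tree above is the whole persistence and recon story in one cmd.exe one-liner: a three-second timeout, a schtasks /create with a per-minute trigger and /rl HIGHEST pointing at the relocated copy, DEL of the original dropper, START of the copy, and then netsh.exe spawned to dump saved Wi-Fi profiles and nearby BSSIDs. The following detection logic is an added example (not sandbox code): it runs three rules over process-creation events constructed from the command lines in this report (PIDs are invented) and flags the task, the self-delete, and the Wi-Fi recon with their ATT&CK technique ids. A benign daily task under Program Files is included as a control and must not fire.

```python
"""Detection rules for the persistence / Wi-Fi recon chain recorded above.
Added example, not sandbox code. Events are constructed from the command
lines in this report; PIDs are invented."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    technique: str   # ATT&CK technique id
    title: str
    pid: int
    detail: str


# "/name value": value may be quoted; a following "/switch" is not a value
SWITCH = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^\s/"]\S*))?')
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
DEL_TARGET = re.compile(r'\bDEL\b[^&]*?"([^"]+)"', re.I)
START_TARGET = re.compile(r'\bSTART\s+""\s+"([^"]+)"', re.I)


def parse_schtasks(cmdline):
    """Map schtasks switches to their (unquoted) values."""
    return {name.lower(): val.strip('"') for name, val in SWITCH.findall(cmdline)}


def rule_scheduled_task(ev, procs):
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    opts = parse_schtasks(ev.cmdline)
    if "create" not in opts:
        return None
    target = opts.get("tr", "")
    reasons = []
    if opts.get("sc", "").upper() == "MINUTE":
        reasons.append("per-minute trigger (restart loop)")
    if opts.get("rl", "").upper() == "HIGHEST":
        reasons.append("/rl HIGHEST")
    if USER_WRITABLE.search(target):
        reasons.append("action lives under the user's AppData")
    if len(reasons) < 2:          # a single trait is common in benign installers
        return None
    return Finding("T1053.005", "suspicious schtasks /create", ev.pid,
                   "; ".join(reasons) + " -> " + target)


def rule_self_relocate(ev, procs):
    """cmd.exe child deleting its parent's own image and starting a copy elsewhere."""
    if not ev.image.lower().endswith("\\cmd.exe"):
        return None
    parent = procs.get(ev.ppid)
    deleted = DEL_TARGET.search(ev.cmdline)
    if parent is None or deleted is None:
        return None
    if deleted.group(1).lower() != parent.image.lower():
        return None
    detail = "deleted parent image " + deleted.group(1)
    started = START_TARGET.search(ev.cmdline)
    if started:
        detail += "; started " + started.group(1)
    return Finding("T1070.004", "self-delete after relocation", ev.pid, detail)


def rule_wifi_recon(ev, procs):
    if not ev.image.lower().endswith("\\netsh.exe"):
        return None
    c = ev.cmdline.lower()
    if "wlan" in c and "show profiles" in c:
        return Finding("T1016.002", "Wi-Fi profile enumeration", ev.pid, ev.cmdline)
    if "wlan" in c and "show networks" in c:
        return Finding("T1016.002", "nearby BSSID enumeration (geolocation)", ev.pid, ev.cmdline)
    return None


RULES = (rule_scheduled_task, rule_self_relocate, rule_wifi_recon)


def analyze(events):
    procs = {e.pid: e for e in events}
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev, procs)
            if hit:
                findings.append(hit)
    return findings


# Constructed events mirroring this report's process tree (PIDs invented).
TASK = "85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\%s.exe" % TASK
COPY = r"C:\Users\Admin\AppData\Local\RobloxSecurity\%s.exe" % TASK
SCHTASKS = 'schtasks /create /tn "%s" /sc MINUTE /tr "%s" /rl HIGHEST /f' % (TASK, COPY)
CHAIN = (r'"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && '
         + SCHTASKS + ' && DEL /F /S /Q /A "' + DROPPER + '" &&START "" "' + COPY + '"')
SAMPLE_EVENTS = [
    Event(2412, 1000, DROPPER, '"' + DROPPER + '"'),
    Event(2500, 2412, r"C:\Windows\System32\cmd.exe", CHAIN),
    Event(2510, 2500, r"C:\Windows\system32\schtasks.exe", SCHTASKS),
    Event(2224, 2500, COPY, '"' + COPY + '"'),
    Event(2600, 2224, r"C:\Windows\system32\netsh.exe", "netsh wlan show profiles"),
    Event(2601, 2224, r"C:\Windows\system32\netsh.exe", "netsh wlan show networks mode=bssid"),
    # benign control: daily task under Program Files, no HIGHEST, must not fire
    Event(3000, 1000, r"C:\Windows\system32\schtasks.exe",
          r'schtasks /create /tn "Updater" /sc DAILY /tr "C:\Program Files\Vendor\upd.exe" /f'),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print("[%s] pid=%d %s: %s" % (f.technique, f.pid, f.title, f.detail))
```

The scheduled-task rule deliberately requires two of its three traits; /rl HIGHEST alone, or an action under AppData alone, is routine for per-user installers, whereas the combination with a MINUTE trigger is the watchdog pattern seen here. The self-delete rule needs parent/child linkage (Sysmon event 1 ParentProcessId or equivalent), which is why it keys on the parent's image rather than on the literal DEL string.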
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:5378 | | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| GB | 149.88.44.159:80 | 149.88.44.159 | tcp |
| DE | 173.212.209.190:4001 | 173.212.209.190 | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:5378 | | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| GB | 149.88.44.159:80 | 149.88.44.159 | tcp |
| DE | 173.212.209.190:4001 | 173.212.209.190 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
memory/2412-0-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp
memory/2412-1-0x0000000000910000-0x0000000000934000-memory.dmp
memory/2412-2-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp
memory/2412-5-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp
C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
| MD5 | b37058a1a6fa72cf11d4bda54e15790a |
| SHA1 | b8663b93cac0b88168d207fd648da5c2f9b775de |
| SHA256 | 85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0 |
| SHA512 | 4848057ad580943a96e57713ca721ad3052001e8fd428651b08034592596f14e9396d0de970bdbffc552e104189aa81dfe7723bd13003637659198ec38fed818 |
memory/2224-9-0x0000000001190000-0x00000000011B4000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar309A.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\zxqaiiy6en\p.dat
| MD5 | 543e83748234f7cbab21aa0ade66565f |
| SHA1 | d09127a8d4c0c1e347fb707bd7bc7db0f3e98bd3 |
| SHA256 | 966243b9a39f6ddeb9f55a905ff4b0b696423d6cae0a37eb07e090bae6d8d570 |
| SHA512 | b6e3a430add4705d2d5e51dca7ac35b43364ca4fb386e0b3da15fdb926289054640d0209666d5ae7d5e3d6528852163dcb330551c8145dd228ea5d1c1adc3d91 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 00d6dfbb96bd00bb7d725f0b73ed1669 |
| SHA1 | 87022defc02b654986f886350d58a2d96678ba3f |
| SHA256 | 2c7e7b9e733203f406ff51f3fba968df09dfc08c9744a80ba815a8f151b89e08 |
| SHA512 | 1d3c8788c855c29354ca16dc5e734b295f1ce7252ff7e087a855791bfdf869e78eb8c84c71b088f4130ad309fc23ee472341f10d06e2de1910e3339f32f7b9b2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:40
Reported
2024-06-03 05:45
Platform
win10-20240404-en
Max time kernel
298s
Max time network
308s
Command Line
Signatures
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe | N/A |
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
"C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe" &&START "" "C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout /t 3
C:\Windows\system32\schtasks.exe
schtasks /create /tn "85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
"C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"
C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe
"C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe" -f "C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\torrc.txt"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\findstr.exe
findstr /R /C:"[ ]:[ ]"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\system32\findstr.exe
findstr "SSID BSSID Signal"
C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:2749 | | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| AU | 49.194.93.54:9001 | | tcp |
| CA | 198.245.49.6:443 | | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 127.0.0.1:49892 | | tcp |
| RU | 45.140.170.187:9001 | | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| GB | 149.88.44.159:80 | 149.88.44.159 | tcp |
| DE | 173.212.209.190:4001 | 173.212.209.190 | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 159.44.88.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.99.147.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.209.212.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| N/A | 127.0.0.1:2749 | | tcp |
| DK | 185.38.175.71:443 | | tcp |
| DE | 131.188.40.189:443 | | tcp |
| US | 8.8.8.8:53 | 189.40.188.131.in-addr.arpa | udp |
| FR | 37.59.29.77:9111 | | tcp |
| DE | 148.251.46.115:9001 | | tcp |
| US | 8.8.8.8:53 | 115.46.251.148.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.29.59.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| FR | 37.59.29.77:9111 | | tcp |
| DE | 148.251.46.115:9001 | | tcp |
| DE | 84.247.160.4:9001 | | tcp |
| US | 8.8.8.8:53 | 4.160.247.84.in-addr.arpa | udp |
| N/A | 127.0.0.1:2749 | | tcp |
| US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:2749 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| N/A | 127.0.0.1:2749 | | tcp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:2749 | | tcp |
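The two Network tables (this one and the Windows 7 one above) are long because the sample alternates between 45.147.99.158:8080 and api.telegram.org for the whole run, and this table adds loopback connections plus a spread of direct-IP peers on TCP/9001 after tor-real.exe starts. The script below is an added example, not part of the report: it parses the report's own row format (repairing the shifted rows in which the protocol landed in the Domain column and the row that lost its trailing pipe), aggregates per destination, and tags external-IP lookups, the Telegram bot API, repeated direct-IP beacons and relay-port peers. SAMPLE_ROWS is a constructed subset of the rows on this page; the Tor relay port list is an assumption drawn from Tor's defaults, not from the report.

```python
"""Network-table triage for the detonations above. Added example, not part
of the sandbox report. SAMPLE_ROWS is a constructed subset of the page's
rows; TOR_RELAY_PORTS is an assumption (Tor defaults), not report data."""
from collections import defaultdict

SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:5378 | tcp | |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| GB | 149.88.44.159:80 | 149.88.44.159 | tcp |
| DE | 173.212.209.190:4001 | 173.212.209.190 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| AU | 49.194.93.54:9001 | tcp | |
| RU | 45.140.170.187:9001 | tcp | |
| DE | 148.251.46.115:9001 | tcp | |
| N/A | 127.0.0.1:2749 | tcp |
"""

TOR_RELAY_PORTS = {9001, 9030}          # default ORPort/DirPort (assumption)
EXTERNAL_IP_SERVICES = {"ip-api.com"}
MESSENGER_APIS = {"api.telegram.org"}   # bot API commonly abused as exfil/C2 channel
BEACON_THRESHOLD = 3                    # repeats of one ip:port before calling it a beacon


def parse_row(line):
    """One markdown row -> dict, or None for the header, blank or malformed lines."""
    line = line.strip()
    if not line.startswith("|"):
        return None
    cells = [c.strip() for c in line.strip("|").split("|")]
    cells += [""] * (4 - len(cells))                     # row that lost its last cell
    country, dest, domain, proto = cells[:4]
    if domain.lower() in ("tcp", "udp") and not proto:   # shifted row: proto sat in Domain
        domain, proto = "", domain
    if ":" not in dest:
        return None
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto.lower()}


def tags_for(ip, port, info):
    if ip.startswith("127."):
        return ["loopback-listener"]      # local SOCKS/control port, e.g. the dropped tor-real.exe
    tags = []
    names = info["domains"] - {ip}        # a Domain cell equal to the IP means no hostname at all
    if names & EXTERNAL_IP_SERVICES:
        tags.append("external-ip-lookup")
    if names & MESSENGER_APIS:
        tags.append("telegram-bot-api")
    if not names:
        tags.append("direct-ip")
        if port in TOR_RELAY_PORTS:
            tags.append("tor-relay-port")
        if info["count"] >= BEACON_THRESHOLD:
            tags.append("repeated-direct-ip-beacon")
    return tags


def triage(table_text):
    """Aggregate rows per 'ip:port' with their hostnames and tags; resolver rows are skipped."""
    agg = defaultdict(lambda: {"count": 0, "domains": set(), "proto": set()})
    for line in table_text.splitlines():
        row = parse_row(line)
        if row is None or (row["proto"] == "udp" and row["port"] == 53):
            continue
        key = "%s:%d" % (row["ip"], row["port"])
        agg[key]["count"] += 1
        if row["domain"]:
            agg[key]["domains"].add(row["domain"])
        agg[key]["proto"].add(row["proto"])
    result = {}
    for key, info in agg.items():
        ip, port = key.rsplit(":", 1)
        result[key] = {"count": info["count"],
                       "domains": sorted(info["domains"]),
                       "tags": tags_for(ip, int(port), info)}
    return result


if __name__ == "__main__":
    for dest, info in sorted(triage(SAMPLE_ROWS).items(), key=lambda kv: -kv[1]["count"]):
        print("%-24s x%-3d %-20s %s" % (dest, info["count"],
                                        ",".join(info["domains"]) or "-", " ".join(info["tags"])))
```

Run over the full tables rather than the subset, the same code yields the block list a responder would actually push: 45.147.99.158:8080 as the primary beacon, api.telegram.org as the exfil channel (block at the proxy by SNI, since the IP is shared Telegram infrastructure), and the 9001/9111 peers as Tor entry attempts that are better handled by a Tor exit/relay feed than by individual IP blocks.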
Files
memory/4656-0-0x00007FFE5C983000-0x00007FFE5C984000-memory.dmp
memory/4656-1-0x0000015FECE90000-0x0000015FECEB4000-memory.dmp
memory/4656-2-0x00007FFE5C980000-0x00007FFE5D36C000-memory.dmp
memory/4656-6-0x00007FFE5C980000-0x00007FFE5D36C000-memory.dmp
C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe.log
C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe
C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\libevent-2-1-7.dll
C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\libssl-1_1.dll
C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\libwinpthread-1.dll
\Users\Admin\AppData\Local\zxqaiiy6en\tor\zlib1.dll
C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\libgcc_s_sjlj-1.dll
\Users\Admin\AppData\Local\zxqaiiy6en\tor\libcrypto-1_1.dll
\Users\Admin\AppData\Local\zxqaiiy6en\tor\libssp-0.dll
C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\torrc.txt
C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\host\hostname
C:\Users\Admin\AppData\Local\zxqaiiy6en\p.dat
C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\data\cached-microdesc-consensus.tmp
C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\data\cached-microdescs.new