Malware Analysis Report

2024-11-30 07:54

Sample ID 240603-gcx8fsdd9t
Target 85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0
SHA256 85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0
Tags
collection discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0

Threat Level: Shows suspicious behavior

The file 85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0 was classified as showing suspicious behavior (score 7/10). In the Windows 7 run (behavioral1) it copies itself to C:\Users\Admin\AppData\Local\RobloxSecurity\, registers a scheduled task named after the sample's file name that relaunches that copy every minute with /rl HIGHEST, deletes the original from the Temp directory, enumerates saved Wi-Fi profiles and nearby networks with netsh wlan, reads web-browser profile data, Outlook profile keys and WinSCP keys, geolocates the host through ip-api.com, and communicates with api.telegram.org and with the direct-to-IP endpoints 45.147.99.158:8080, 149.88.44.159:80 and 173.212.209.190:4001 (see the behavioral1 Processes and Network sections). The Windows 10 run (behavioral2) records the same drop, timeout and schtasks chain. The browser and WinSCP signatures carry no indicator rows in either run, so they rest on the sandbox's behavior matching rather than on evidence reproduced in this report.

Malicious Activity Summary

collection discovery spyware stealer

Deletes itself

Reads user/profile data of web browsers

Loads dropped DLL

Reads WinSCP keys stored on the system

Executes dropped EXE

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

outlook_office_path

Modifies system certificate store

Suspicious use of SetWindowsHookEx

outlook_win_path

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:40

Reported

2024-06-03 05:45

Platform

win7-20240419-en

Max time kernel

297s

Max time network

301s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan

Note (editor's check): the key name D1EB23A46D17D68FD92564C2F1F1601764D8E349 is the SHA-1 thumbprint of the Comodo "AAA Certificate Services" root. The blob itself confirms this: its CERT_SHA1_HASH_PROP_ID (3) record repeats d1eb23a46d17d68fd92564c2f1f1601764d8e349, the friendly-name record decodes to "C·O·M·O·D·O", and the embedded DER certificate carries "Comodo CA Limited" and "AAA Certificate Services" as issuer and subject with validity 2004-01-01 to 2028-12-31. Together with the CryptnetUrlCache and Tar309A.tmp entries under Files, this matches Windows' AuthRoot automatic root update caching a Microsoft-trusted public root during the sample's outbound HTTPS, not the sample installing a root of its own. Treat the signature as a side effect of the TLS traffic; on a live host, compare any thumbprint that appears under AuthRoot\Certificates against the Microsoft trusted root list before escalating.

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a
4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (same blob as the entry above, written a second time) C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (same blob as the entry above, written a third time) C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A
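The Blob value above is the serialized certificate context Windows keeps under SystemCertificates: a sequence of records, each a little-endian u32 property id, a u32 reserved field (1) and a u32 length followed by the data, with property 3 holding the SHA-1 thumbprint and property 32 the DER certificate. The following added example (editor's code, not part of the report or of any sandbox tooling) parses that layout, cross-checks the registry key name against the stored thumbprint and the hash of the embedded certificate, and pulls the name strings out of the DER so an analyst can tell a cached public root from an attacker-installed one. The sample blob is constructed around a fake DER name structure so the block runs offline; the report's own value (starting 0f000000 01000000 14000000 ...) has the same layout and can be fed in as bytes.fromhex(...) of the hex shown in the table.

```python
"""Decode a SystemCertificates\\...\\Blob registry value (added example)."""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32
# Key created in behavioral1; pass it with the report's blob to check the real entry.
REPORT_KEY_NAME = "D1EB23A46D17D68FD92564C2F1F1601764D8E349"


def parse_cert_blob(blob):
    """Split the Blob value into {propid: raw bytes}.
    Record layout: u32 propid, u32 reserved (1), u32 length, data."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError("truncated property header at offset %d" % off)
        propid, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        data = blob[off:off + length]
        if len(data) != length:
            raise ValueError("truncated data for property %d" % propid)
        props[propid] = data
        off += length
    return props


def der_strings(der):
    """Walk DER TLVs and collect UTF8String/PrintableString/IA5String values,
    enough to read issuer and subject names out of a certificate."""
    out, off = [], 0
    while off + 2 <= len(der):
        tag, first = der[off], der[off + 1]
        off += 2
        if first & 0x80:                     # long-form length
            n = first & 0x7F
            length = int.from_bytes(der[off:off + n], "big")
            off += n
        else:
            length = first
        body = der[off:off + length]
        off += length
        if tag & 0x20:                       # constructed type: recurse
            out.extend(der_strings(body))
        elif tag in (0x0C, 0x13, 0x16):
            out.append(body.decode("utf-8", "replace"))
    return out


def describe_cert_entry(key_name, blob):
    """Cross-check key name, stored SHA-1 property and the hash of the DER cert."""
    props = parse_cert_blob(blob)
    cert = props[CERT_CERT_PROP_ID]
    computed = hashlib.sha1(cert).hexdigest().upper()
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper()
    friendly = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le", "replace")
    return {
        "thumbprint": computed,
        "matches_key_name": computed == key_name.upper() == stored,
        "friendly_name": friendly.rstrip("\x00"),
        "names": der_strings(cert),
    }


# ---- constructed sample (not the report's blob) -----------------------------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        hdr = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        hdr = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + hdr + body


def _prop(propid, data):
    return struct.pack("<III", propid, 1, len(data)) + data


# Fake "certificate": an X.501 Name with O and CN, enough for der_strings().
_O = _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x0a") + _tlv(0x0C, b"Comodo CA Limited")))
_CN = _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x13, b"AAA Certificate Services")))
SAMPLE_CERT = _tlv(0x30, _tlv(0x30, _O + _CN))
SAMPLE_BLOB = (_prop(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(SAMPLE_CERT).digest())
               + _prop(CERT_FRIENDLY_NAME_PROP_ID,
                       "C\u00b7O\u00b7M\u00b7O\u00b7D\u00b7O".encode("utf-16-le") + b"\x00\x00")
               + _prop(CERT_CERT_PROP_ID, SAMPLE_CERT))
SAMPLE_KEY_NAME = hashlib.sha1(SAMPLE_CERT).hexdigest().upper()

if __name__ == "__main__":
    print(describe_cert_entry(SAMPLE_KEY_NAME, SAMPLE_BLOB))
```

A mismatch between the key name, the stored thumbprint and the hash of the certificate is the signal worth chasing: a legitimate AuthRoot cache entry agrees on all three, and its names resolve to a root in the Microsoft trusted root program.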

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\System32\cmd.exe
PID 2412 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\System32\cmd.exe
PID 2412 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\System32\cmd.exe
PID 2680 wrote to memory of 2880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2680 wrote to memory of 2880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2680 wrote to memory of 2880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2680 wrote to memory of 2684 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 2680 wrote to memory of 2684 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 2680 wrote to memory of 2684 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 2680 wrote to memory of 2756 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2680 wrote to memory of 2756 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2680 wrote to memory of 2756 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2680 wrote to memory of 2224 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
PID 2680 wrote to memory of 2224 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
PID 2680 wrote to memory of 2224 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
PID 2224 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\system32\cmd.exe
PID 2224 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\system32\cmd.exe
PID 2224 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 2232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2896 wrote to memory of 2232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2896 wrote to memory of 2232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2896 wrote to memory of 332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2896 wrote to memory of 332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2896 wrote to memory of 332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2896 wrote to memory of 700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2896 wrote to memory of 700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2896 wrote to memory of 700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2224 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\system32\cmd.exe
PID 2224 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\system32\cmd.exe
PID 2224 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\system32\cmd.exe
PID 1340 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1340 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1340 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1340 wrote to memory of 2304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1340 wrote to memory of 2304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1340 wrote to memory of 2304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1340 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1340 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1340 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2088 wrote to memory of 568 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
PID 2088 wrote to memory of 568 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
PID 2088 wrote to memory of 568 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
PID 568 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\system32\cmd.exe
PID 568 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\system32\cmd.exe
PID 568 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\system32\cmd.exe
PID 804 wrote to memory of 660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 804 wrote to memory of 660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 804 wrote to memory of 660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 804 wrote to memory of 1052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 804 wrote to memory of 1052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 804 wrote to memory of 1052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 804 wrote to memory of 748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 804 wrote to memory of 748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 804 wrote to memory of 748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 568 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\system32\cmd.exe
PID 568 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\system32\cmd.exe
PID 568 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\system32\cmd.exe
PID 2044 wrote to memory of 2380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2044 wrote to memory of 2380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2044 wrote to memory of 2380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2044 wrote to memory of 2280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2044 wrote to memory of 2280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2044 wrote to memory of 2280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2044 wrote to memory of 1760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

"C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe" &&START "" "C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout /t 3

C:\Windows\system32\schtasks.exe

schtasks /create /tn "85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

"C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"

C:\Windows\system32\taskeng.exe

taskeng.exe {8B35FAEC-F54F-435F-947B-38563E901DAA} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"
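The command lines above are the whole persistence and discovery chain: cmd.exe switches the code page, waits three seconds, registers a per-minute scheduled task at the highest run level that points at the dropped copy under AppData\Local\RobloxSecurity, deletes the original from Temp, starts the copy, and the copy then enumerates saved Wi-Fi profiles and nearby networks through netsh. The following added example (editor's code, not part of the report) turns that chain into three process-creation detection rules and runs them over events constructed from the Processes list and the PIDs in the WriteProcessMemory table. The (pid, ppid, image, cmdline) layout is an assumed generic log shape, the parent of the first process is invented, and the final "Backup" event is a constructed benign control that must not fire.

```python
"""Process-creation rules for the behavioral1 chain (added example)."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executed image
    cmdline: str    # command line as logged


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


SAMPLE_HASH = "85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0"
TEMP_EXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE_HASH + ".exe"
DROP_EXE = "C:\\Users\\Admin\\AppData\\Local\\RobloxSecurity\\" + SAMPLE_HASH + ".exe"

# Constructed from the Processes section; ppid 1 for the sample is invented.
SAMPLE_EVENTS = [
    ProcEvent(2412, 1, TEMP_EXE, f'"{TEMP_EXE}"'),
    ProcEvent(2680, 2412, "C:\\Windows\\System32\\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && '
              f'schtasks /create /tn "{SAMPLE_HASH}" /sc MINUTE /tr "{DROP_EXE}" /rl HIGHEST /f && '
              f'DEL /F /S /Q /A "{TEMP_EXE}" &&START "" "{DROP_EXE}"'),
    ProcEvent(2880, 2680, "C:\\Windows\\system32\\chcp.com", "chcp 65001"),
    ProcEvent(2684, 2680, "C:\\Windows\\system32\\timeout.exe", "timeout /t 3"),
    ProcEvent(2756, 2680, "C:\\Windows\\system32\\schtasks.exe",
              f'schtasks /create /tn "{SAMPLE_HASH}" /sc MINUTE /tr "{DROP_EXE}" /rl HIGHEST /f'),
    ProcEvent(2224, 2680, DROP_EXE, f'"{DROP_EXE}"'),
    ProcEvent(2896, 2224, "C:\\Windows\\system32\\cmd.exe",
              '"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"'),
    ProcEvent(332, 2896, "C:\\Windows\\system32\\netsh.exe", "netsh wlan show profiles"),
    ProcEvent(2304, 1340, "C:\\Windows\\system32\\netsh.exe", "netsh wlan show networks mode=bssid"),
    # Constructed benign control: daily task for a binary under Program Files.
    ProcEvent(9001, 9000, "C:\\Windows\\system32\\schtasks.exe",
              'schtasks /create /tn Backup /sc DAILY /tr "C:\\Program Files\\Backup\\run.exe"'),
]

USER_WRITABLE = re.compile(r"\\(AppData\\(Local|Roaming)|Users\\Public|ProgramData)\\|\\Temp\\", re.I)


def _schtasks_target(cmdline):
    m = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else ""


def rule_schtasks_persistence(ev):
    """schtasks /create with at least two of: minute cadence, highest run level,
    target under a user-writable directory."""
    if not ev.image.lower().endswith("\\schtasks.exe") or "/create" not in ev.cmdline.lower():
        return None
    target = _schtasks_target(ev.cmdline)
    reasons = [why for hit, why in (
        (re.search(r"/sc\s+minute\b", ev.cmdline, re.I), "runs every minute"),
        (re.search(r"/rl\s+highest\b", ev.cmdline, re.I), "requests highest run level"),
        (USER_WRITABLE.search(target), "target lives in a user-writable path"),
    ) if hit]
    if len(reasons) >= 2:
        return Finding("schtasks_persistence", ev.pid, "; ".join(reasons) + " -> " + target)
    return None


def rule_self_delete(ev, by_pid):
    """cmd.exe deleting the image of its own parent (the 'Deletes itself' signature)."""
    if not ev.image.lower().endswith("\\cmd.exe"):
        return None
    m = re.search(r'\bdel\b[^&|]*?"([^"]+\.exe)"', ev.cmdline, re.I)
    parent = by_pid.get(ev.ppid)
    if m and parent and parent.image.lower() == m.group(1).lower():
        return Finding("self_delete_via_cmd", ev.pid, "deletes parent image " + m.group(1))
    return None


def rule_wifi_recon(ev):
    """netsh wlan enumeration of saved profiles or nearby networks."""
    if ev.image.lower().endswith("\\netsh.exe") and \
            re.search(r"wlan\s+show\s+(profiles|networks)", ev.cmdline, re.I):
        return Finding("wifi_recon_via_netsh", ev.pid, ev.cmdline)
    return None


def run_rules(events):
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        for f in (rule_schtasks_persistence(ev), rule_self_delete(ev, by_pid), rule_wifi_recon(ev)):
            if f:
                findings.append(f)
    return findings


def summarize(findings):
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f.rule, f.pid, f.detail)
```

The self-delete rule needs the parent's image, so it is evaluated against the full event set rather than line by line; the schtasks rule deliberately scores on a combination of features so that an administrator's daily task under Program Files stays quiet.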

Network

Country Destination Domain Proto
N/A 127.0.0.1:5378 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
GB 149.88.44.159:80 149.88.44.159 tcp
DE 173.212.209.190:4001 173.212.209.190 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:5378 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 208.95.112.1:80 ip-api.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
GB 149.88.44.159:80 149.88.44.159 tcp
DE 173.212.209.190:4001 173.212.209.190 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
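The table above repeats a dozen destinations a few hundred times, which hides the shape of the traffic: one loopback listener, DNS lookups, two GitHub fetches, one ip-api.com call, three connections straight to IP addresses with no DNS name, and a long beacon loop alternating between api.telegram.org and 45.147.99.158:8080. The following added example (editor's code, not sandbox output) parses rows in the table's own "Country Destination Domain Proto" layout, collapses them to unique destinations with hit counts, and sorts them into loopback, DNS, direct-to-IP and well-known-service buckets. SAMPLE_ROWS is a constructed subset (the first sixteen rows of the table); the notes in KNOWN_SERVICES are the editor's classification, not report data.

```python
"""Triage helper for the flattened Network table (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

KNOWN_SERVICES = {
    "api.telegram.org": "Telegram Bot API, a common stealer exfil channel",
    "ip-api.com": "public geolocation lookup ('Looks up external IP address via web service')",
    "github.com": "download hosting",
    "objects.githubusercontent.com": "GitHub release/raw asset download",
}

# Constructed subset: the first sixteen rows of the behavioral1 Network table.
SAMPLE_ROWS = """
N/A 127.0.0.1:5378 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
GB 149.88.44.159:80 149.88.44.159 tcp
DE 173.212.209.190:4001 173.212.209.190 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
NL 149.154.167.220:443 api.telegram.org tcp
""".strip().splitlines()


@dataclass
class Destination:
    country: str
    host: str
    port: int
    proto: str
    domain: Optional[str]
    count: int = 0
    category: str = "other"
    note: str = ""


def parse_row(line):
    """Return (country, host, port, proto, domain); rows without a Domain cell have 3 fields."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError("unexpected row: %r" % line)
    host, _, port = dest.rpartition(":")
    return country, host, int(port), proto, domain


def classify(d):
    """Attach a triage category; order matters (loopback, then DNS, then direct-IP)."""
    if ipaddress.ip_address(d.host).is_loopback:
        d.category, d.note = "loopback", "local listener or IPC; find the owning process"
    elif d.port == 53 and d.proto == "udp":
        d.category, d.note = "dns_query", "resolution of %s" % d.domain
    elif d.domain is None or d.domain == d.host:
        d.category, d.note = "direct_to_ip", "no DNS name: hard-coded C2/relay candidate"
    elif d.domain in KNOWN_SERVICES:
        d.category, d.note = "known_service", KNOWN_SERVICES[d.domain]
    return d


def triage(rows):
    """Collapse rows to unique (host, port, proto, domain) entries with hit counts,
    kept in first-seen order."""
    seen = {}
    for line in rows:
        line = line.strip()
        if not line:
            continue
        country, host, port, proto, domain = parse_row(line)
        key = (host, port, proto, domain)
        if key not in seen:
            seen[key] = classify(Destination(country, host, port, proto, domain))
        seen[key].count += 1
    return list(seen.values())


def c2_candidates(dests):
    """Direct-to-IP destinations, busiest first: the block list to start from."""
    cands = sorted((d for d in dests if d.category == "direct_to_ip"),
                   key=lambda d: (-d.count, d.host))
    return ["%s:%d" % (d.host, d.port) for d in cands]


if __name__ == "__main__":
    dests = triage(SAMPLE_ROWS)
    for d in dests:
        print("%-13s %3d  %s:%d  %s" % (d.category, d.count, d.host, d.port, d.domain or "-"))
    print("block first:", c2_candidates(dests))
```

Run over the full table, the same code reduces the two hundred rows to the twelve destinations above and makes the alternating Telegram/45.147.99.158 pattern visible as two high-count entries; the direct-to-IP list is the part that can be blocked immediately without collateral damage, whereas api.telegram.org and ip-api.com need process-level context before blocking.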

Files

memory/2412-0-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

memory/2412-1-0x0000000000910000-0x0000000000934000-memory.dmp

memory/2412-2-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

memory/2412-5-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

MD5 b37058a1a6fa72cf11d4bda54e15790a
SHA1 b8663b93cac0b88168d207fd648da5c2f9b775de
SHA256 85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0
SHA512 4848057ad580943a96e57713ca721ad3052001e8fd428651b08034592596f14e9396d0de970bdbffc552e104189aa81dfe7723bd13003637659198ec38fed818

memory/2224-9-0x0000000001190000-0x00000000011B4000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar309A.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\zxqaiiy6en\p.dat

MD5 543e83748234f7cbab21aa0ade66565f
SHA1 d09127a8d4c0c1e347fb707bd7bc7db0f3e98bd3
SHA256 966243b9a39f6ddeb9f55a905ff4b0b696423d6cae0a37eb07e090bae6d8d570
SHA512 b6e3a430add4705d2d5e51dca7ac35b43364ca4fb386e0b3da15fdb926289054640d0209666d5ae7d5e3d6528852163dcb330551c8145dd228ea5d1c1adc3d91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00d6dfbb96bd00bb7d725f0b73ed1669
SHA1 87022defc02b654986f886350d58a2d96678ba3f
SHA256 2c7e7b9e733203f406ff51f3fba968df09dfc08c9744a80ba815a8f151b89e08
SHA512 1d3c8788c855c29354ca16dc5e734b295f1ce7252ff7e087a855791bfdf869e78eb8c84c71b088f4130ad309fc23ee472341f10d06e2de1910e3339f32f7b9b2

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:40

Reported

2024-06-03 05:45

Platform

win10-20240404-en

Max time kernel

298s

Max time network

308s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"

Signatures

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |

Checks installed software on the system

discovery

Looks up external IP address via web service

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |

Enumerates physical storage devices

Creates scheduled task(s)

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |

Delays execution with timeout.exe

evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4656 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | C:\Windows\System32\cmd.exe |
| PID 4656 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | C:\Windows\System32\cmd.exe |
| PID 2500 wrote to memory of 2572 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 2500 wrote to memory of 2572 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 2500 wrote to memory of 1484 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\timeout.exe |
| PID 2500 wrote to memory of 1484 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\timeout.exe |
| PID 2500 wrote to memory of 4512 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2500 wrote to memory of 4512 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2500 wrote to memory of 4288 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe |
| PID 2500 wrote to memory of 4288 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe |
| PID 4288 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe |
| PID 4288 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe |
| PID 4288 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe |
| PID 4288 wrote to memory of 4424 | N/A | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 4288 wrote to memory of 4424 | N/A | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 4424 wrote to memory of 4780 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 4424 wrote to memory of 4780 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 4424 wrote to memory of 2308 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\netsh.exe |
| PID 4424 wrote to memory of 2308 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\netsh.exe |
| PID 4424 wrote to memory of 2468 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 4424 wrote to memory of 2468 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 4288 wrote to memory of 4788 | N/A | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 4288 wrote to memory of 4788 | N/A | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 4788 wrote to memory of 772 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 4788 wrote to memory of 772 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 4788 wrote to memory of 2688 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\netsh.exe |
| PID 4788 wrote to memory of 2688 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\netsh.exe |
| PID 4788 wrote to memory of 2776 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\findstr.exe |
| PID 4788 wrote to memory of 2776 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\findstr.exe |

Uses Task Scheduler COM API

persistence

outlook_office_path

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |

outlook_win_path

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

"C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe" &&START "" "C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout /t 3

C:\Windows\system32\schtasks.exe

schtasks /create /tn "85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

"C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"

C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe

"C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe" -f "C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\torrc.txt"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 127.0.0.1:2749 | | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| AU | 49.194.93.54:9001 | | tcp |
| CA | 198.245.49.6:443 | | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 127.0.0.1:49892 | | tcp |
| RU | 45.140.170.187:9001 | | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| FR | 45.147.99.158:8080 | 45.147.99.158 | tcp |
| GB | 149.88.44.159:80 | 149.88.44.159 | tcp |
| DE | 173.212.209.190:4001 | 173.212.209.190 | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 159.44.88.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.99.147.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.209.212.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| N/A | 127.0.0.1:2749 | | tcp |
| DK | 185.38.175.71:443 | | tcp |
| DE | 131.188.40.189:443 | | tcp |
| US | 8.8.8.8:53 | 189.40.188.131.in-addr.arpa | udp |
| FR | 37.59.29.77:9111 | | tcp |
| DE | 148.251.46.115:9001 | | tcp |
| US | 8.8.8.8:53 | 115.46.251.148.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.29.59.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| FR | 37.59.29.77:9111 | | tcp |
| DE | 148.251.46.115:9001 | | tcp |
| DE | 84.247.160.4:9001 | | tcp |
| US | 8.8.8.8:53 | 4.160.247.84.in-addr.arpa | udp |
| N/A | 127.0.0.1:2749 | | tcp |
| US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:2749 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| N/A | 127.0.0.1:2749 | | tcp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:2749 | | tcp |

Files

memory/4656-0-0x00007FFE5C983000-0x00007FFE5C984000-memory.dmp

memory/4656-1-0x0000015FECE90000-0x0000015FECEB4000-memory.dmp

memory/4656-2-0x00007FFE5C980000-0x00007FFE5D36C000-memory.dmp

memory/4656-6-0x00007FFE5C980000-0x00007FFE5D36C000-memory.dmp

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

MD5 b37058a1a6fa72cf11d4bda54e15790a
SHA1 b8663b93cac0b88168d207fd648da5c2f9b775de
SHA256 85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0
SHA512 4848057ad580943a96e57713ca721ad3052001e8fd428651b08034592596f14e9396d0de970bdbffc552e104189aa81dfe7723bd13003637659198ec38fed818

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe.log

MD5 d51a38b0538aafbb39cd4743767cf2a3
SHA1 ec819ad7959110e2244b2978e4a60e4c5e99961d
SHA256 8678df64deb4a7203a8ac3eaa5af8b767111e753385d286f9e1c121d45830e22
SHA512 51ffb0c793f034843cf749716680bb6dd81c840bbe22f6426c8d14ffd62a7b4fab974325aa978e62ba57575b836aff4e00a810688818749021f658b623fd41f2

C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe

MD5 07244a2c002ffdf1986b454429eace0b
SHA1 d7cd121caac2f5989aa68a052f638f82d4566328
SHA256 e9522e6912a0124c0a8c9ff9bb3712b474971376a4eb4ca614bb1664a2b4abcf
SHA512 4a09db85202723a73703c5926921fef60c3dddae21528a01936987306c5e7937463f94a2f4a922811de1f76621def2a8a597a8b38a719dd24e6ff3d4e07492ca

C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\libevent-2-1-7.dll

MD5 a3bf8e33948d94d490d4613441685eee
SHA1 75ed7f6e2855a497f45b15270c3ad4aed6ad02e2
SHA256 91c812a33871e40b264761f1418e37ebfeb750fe61ca00cbcbe9f3769a8bf585
SHA512 c20ef2efcacb5f8c7e2464de7fde68bf610ab2e0608ff4daed9bf676996375db99bee7e3f26c5bd6cca63f9b2d889ed5460ec25004130887cd1a90b892be2b28

C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\libssl-1_1.dll

MD5 945d225539becc01fbca32e9ff6464f0
SHA1 a614eb470defeab01317a73380f44db669100406
SHA256 c697434857a039bf27238c105be0487a0c6c611dd36cb1587c3c6b3bf582718a
SHA512 409f8f1e6d683a3cbe7954bce37013316dee086cdbd7ecda88acb5d94031cff6166a93b641875116327151823cce747bcf254c0185e0770e2b74b7c5e067bc4a

C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\libwinpthread-1.dll

MD5 19d7cc4377f3c09d97c6da06fbabc7dc
SHA1 3a3ba8f397fb95ed5df22896b2c53a326662fcc9
SHA256 228fcfe9ed0574b8da32dd26eaf2f5dbaef0e1bd2535cb9b1635212ccdcbf84d
SHA512 23711285352cdec6815b5dd6e295ec50568fab7614706bc8d5328a4a0b62991c54b16126ed9e522471d2367b6f32fa35feb41bfa77b3402680d9a69f53962a4a

\Users\Admin\AppData\Local\zxqaiiy6en\tor\zlib1.dll

MD5 6f98da9e33cd6f3dd60950413d3638ac
SHA1 e630bdf8cebc165aa81464ff20c1d55272d05675
SHA256 219d9d5bf0de4c2251439c89dd5f2959ee582e7f9f7d5ff66a29c88753a3a773
SHA512 2983faaf7f47a8f79a38122aa617e65e7deddd19ba9a98b62acf17b48e5308099b852f21aaf8ca6fe11e2cc76c36eed7ffa3307877d4e67b1659fe6e4475205c

C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\libgcc_s_sjlj-1.dll

MD5 bd40ff3d0ce8d338a1fe4501cd8e9a09
SHA1 3aae8c33bf0ec9adf5fbf8a361445969de409b49
SHA256 ebda776a2a353f8f0690b1c7706b0cdaff3d23e1618515d45e451fc19440501c
SHA512 404fb3c107006b832b8e900f6e27873324cd0a7946cdccf4ffeea365a725892d929e8b160379af9782bcd6cfeb4c3c805740e21280b42bb2ce8f39f26792e5a1

memory/1620-100-0x00000000740F0000-0x00000000741EB000-memory.dmp

memory/1620-102-0x0000000000F00000-0x0000000001314000-memory.dmp

memory/1620-101-0x0000000073FD0000-0x0000000073FF6000-memory.dmp

\Users\Admin\AppData\Local\zxqaiiy6en\tor\libcrypto-1_1.dll

MD5 6d48d76a4d1c9b0ff49680349c4d28ae
SHA1 1bb3666c16e11eff8f9c3213b20629f02d6a66cb
SHA256 3f08728c7a67e4998fbdc7a7cb556d8158efdcdaf0acf75b7789dccace55662d
SHA512 09a4fd7b37cf52f6a0c3bb0a7517e2d2439f4af8e03130aed3296d7448585ea5e3c0892e1e1202f658ef2d083ce13c436779e202c39620a70a17b026705c65c9

\Users\Admin\AppData\Local\zxqaiiy6en\tor\libssp-0.dll

MD5 b77328da7cead5f4623748a70727860d
SHA1 13b33722c55cca14025b90060e3227db57bf5327
SHA256 46541d9e28c18bc11267630920b97c42f104c258b55e2f62e4a02bcd5f03e0e7
SHA512 2f1bd13357078454203092ed5ddc23a8baa5e64202fba1e4f98eacf1c3c184616e527468a96ff36d98b9324426dddfa20b62b38cf95c6f5c0dc32513ebace9e2

C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\torrc.txt

MD5 433cfb3eee127bdf1182d75837b26484
SHA1 65bf41c89e51817d344bc070727fff1b0c10a134
SHA256 aa83b60b3f4f24a4d4fb94b45c24935d078bdc3fee5c544b9ba1c35889a554b9
SHA512 344a790e982c016ec302e73821cf5e592ebf139f1eccaab8fa0082e1db975f16604624f068c242afce91cfa5406db30c37a5125d6618b2e35bb74c6c1bb4bc5a

C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\host\hostname

MD5 a1d3abf2af88d29f014fe2296e71377f
SHA1 0391746c8e9f437373c541401d48ae55c882ff11
SHA256 af5816d003b872f17394c6bf71c032fd9f316b45c4e468f94d82544770d37110
SHA512 3093bc7f6fc94acccf4870eaaa6f5d7af63aeac72b653d998afd310c3bf7009517216164088ba1817e384adfc08e8496cab8be60265fe3d3748fbe6aabc47dad

memory/1620-114-0x00000000741F0000-0x0000000074234000-memory.dmp

memory/1620-115-0x00000000740F0000-0x00000000741EB000-memory.dmp

memory/1620-113-0x0000000000F00000-0x0000000001314000-memory.dmp

memory/1620-121-0x0000000073B30000-0x0000000073BB1000-memory.dmp

memory/1620-120-0x0000000073CD0000-0x0000000073FC6000-memory.dmp

memory/1620-116-0x0000000074000000-0x00000000740E6000-memory.dmp

memory/1620-118-0x0000000073FD0000-0x0000000073FF6000-memory.dmp

memory/1620-119-0x0000000073BC0000-0x0000000073CC4000-memory.dmp

C:\Users\Admin\AppData\Local\zxqaiiy6en\p.dat

MD5 d37b3ca37106b2bfdeaa12647e3bb1c9
SHA1 2816ea4edd21439dd60534564fe087bbfdc83448
SHA256 a3b4f619337e9bf6bd25e441434bec390aab03819c2724a614938326bfb3bf8a
SHA512 1d74aa19f761eae47cf039372774f82b98ae9b118d88ea7575c19cf7348e92a2324fd48d3fa81d21918997b52817173a80365997c9aa212053151ae08222d74c

memory/1620-124-0x0000000000F00000-0x0000000001314000-memory.dmp

C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\data\cached-microdesc-consensus.tmp

MD5 b34dba796a1c13447b4406a4d71f619c
SHA1 1fc1fcc7538877a664767ef90e0f230f2434d05a
SHA256 986b2c7e0171a7b228f7066cde478161a4178ed12253072871af99d3ba627930
SHA512 082bf4555b7f4fe9c1c551b4bb42d8bd3b8f6b9552fb2bbce5c46b770f59f3562bc035c4f47d00346c9d6c21b5e3e68a6f80395f60e43bc506d7ae2778903a57

memory/1620-144-0x0000000000F00000-0x0000000001314000-memory.dmp

C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\data\cached-microdescs.new

MD5 234e7ade8914975e774f4199e369a303
SHA1 ba77049ddfc64a0aecf5378ece72c60416ccaaa6
SHA256 457502703b947f7808c79122d61c000c969e03d2ff571af4d8651e201e8196fa
SHA512 555c192d6a32c7aaf153def9bb33ca9a2c64aabc063a210705ae45a3b537aded07b69ed3a1a6076f2571c29ea185154233bac827bf29bba773b6d8a989e171fe

memory/1620-157-0x0000000000F00000-0x0000000001314000-memory.dmp

memory/1620-165-0x0000000000F00000-0x0000000001314000-memory.dmp

memory/1620-178-0x0000000000F00000-0x0000000001314000-memory.dmp

memory/1620-193-0x0000000000F00000-0x0000000001314000-memory.dmp