Malware Analysis Report

2024-11-15 05:40

Sample ID 240604-b1kpdagg5x
Target 85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
SHA256 85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0
Tags
collection discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0

Threat Level: Shows suspicious behavior

The file 85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe shows suspicious behavior.

Malicious Activity Summary

collection discovery spyware stealer

Checks computer location settings

Executes dropped EXE

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Deletes itself

Loads dropped DLL

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies system certificate store

outlook_office_path

Delays execution with timeout.exe

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 01:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 01:36

Reported

2024-06-04 01:40

Platform

win7-20240221-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A

Note: AuthRoot is the store that Windows' automatic root-certificate update writes to, and the CryptnetUrlCache files listed under Files are the download cache that update uses; the sample's HTTPS connections (github.com, objects.githubusercontent.com, api.telegram.org) can trigger it on a fresh sandbox image. Before treating this signature as deliberate root-certificate installation, extract the written blobs and check the thumbprints CABD2A79A1076A31F21D253635CB039D4329A5E8 and D1EB23A46D17D68FD92564C2F1F1601764D8E349 against a trusted root list.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\System32\cmd.exe
PID 2128 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\System32\cmd.exe
PID 2128 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\System32\cmd.exe
PID 2696 wrote to memory of 2680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2696 wrote to memory of 2680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2696 wrote to memory of 2680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2696 wrote to memory of 2596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 2696 wrote to memory of 2596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 2696 wrote to memory of 2596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 2696 wrote to memory of 2748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2696 wrote to memory of 2748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2696 wrote to memory of 2748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2696 wrote to memory of 2600 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
PID 2696 wrote to memory of 2600 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
PID 2696 wrote to memory of 2600 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
PID 2600 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\system32\cmd.exe
PID 2600 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\system32\cmd.exe
PID 2600 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\system32\cmd.exe
PID 3048 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3048 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3048 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3048 wrote to memory of 592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3048 wrote to memory of 592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3048 wrote to memory of 592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3048 wrote to memory of 1144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 3048 wrote to memory of 1144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 3048 wrote to memory of 1144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2600 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\system32\cmd.exe
PID 2600 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\system32\cmd.exe
PID 2600 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\system32\cmd.exe
PID 2924 wrote to memory of 2396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2924 wrote to memory of 2396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2924 wrote to memory of 2396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2924 wrote to memory of 1500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2924 wrote to memory of 1500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2924 wrote to memory of 1500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2924 wrote to memory of 1016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2924 wrote to memory of 1016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2924 wrote to memory of 1016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1396 wrote to memory of 1876 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
PID 1396 wrote to memory of 1876 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
PID 1396 wrote to memory of 1876 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
PID 1876 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\system32\cmd.exe
PID 1876 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\system32\cmd.exe
PID 1876 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\system32\cmd.exe
PID 3060 wrote to memory of 1696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3060 wrote to memory of 1696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3060 wrote to memory of 1696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3060 wrote to memory of 2508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3060 wrote to memory of 2508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3060 wrote to memory of 2508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3060 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 3060 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 3060 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1876 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\system32\cmd.exe
PID 1876 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\system32\cmd.exe
PID 1876 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\system32\cmd.exe
PID 2980 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2980 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2980 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2980 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2980 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2980 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2980 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe

Every row above pairs a parent with a child it launched according to the Processes tree below (cmd.exe into chcp.com, timeout.exe, schtasks.exe, netsh.exe and findstr.exe; taskeng.exe into the scheduled task's target). These are the writes a parent performs into a child it is creating, not injection into an unrelated process, so the signature is informational here; the process tree itself is the evidence of the persistence and harvesting behavior.

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

"C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe" &&START "" "C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout /t 3

C:\Windows\system32\schtasks.exe

schtasks /create /tn "85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

"C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"

C:\Windows\system32\taskeng.exe

taskeng.exe {516A6D92-DB09-48B2-903D-A145346237E1} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
GB 149.88.44.159:80 149.88.44.159 tcp
DE 173.212.209.190:4001 173.212.209.190 tcp
NO 4.235.34.94:80 4.235.34.94 tcp
NL 206.189.109.146:80 206.189.109.146 tcp
FR 5.196.181.135:443 N/A tcp
IL 185.217.98.121:80 185.217.98.121 tcp
IL 185.217.98.121:8080 185.217.98.121 tcp
IL 185.217.98.121:443 N/A tcp
US 170.187.149.4:8098 170.187.149.4 tcp
US 15.204.227.3:7171 15.204.227.3 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
DE 173.212.209.190:4001 173.212.209.190 tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 208.95.112.1:80 ip-api.com tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
GB 149.88.44.159:80 149.88.44.159 tcp
DE 173.212.209.190:4001 173.212.209.190 tcp
NO 4.235.34.94:80 4.235.34.94 tcp
NL 206.189.109.146:80 206.189.109.146 tcp
FR 5.196.181.135:443 N/A tcp
IL 185.217.98.121:80 185.217.98.121 tcp
IL 185.217.98.121:8080 185.217.98.121 tcp
IL 185.217.98.121:443 N/A tcp
US 170.187.149.4:8098 170.187.149.4 tcp
US 15.204.227.3:7171 15.204.227.3 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
DE 173.212.209.190:4001 173.212.209.190 tcp
NL 206.189.109.146:80 206.189.109.146 tcp
FR 5.196.181.135:443 N/A tcp
IL 185.217.98.121:80 185.217.98.121 tcp
IL 185.217.98.121:8080 185.217.98.121 tcp
IL 185.217.98.121:443 N/A tcp
US 170.187.149.4:8098 170.187.149.4 tcp
US 15.204.227.3:7171 15.204.227.3 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
GB 149.88.44.159:80 149.88.44.159 tcp
DE 173.212.209.190:4001 173.212.209.190 tcp
NO 4.235.34.94:80 4.235.34.94 tcp
NL 206.189.109.146:80 206.189.109.146 tcp
FR 5.196.181.135:443 N/A tcp
IL 185.217.98.121:80 185.217.98.121 tcp
IL 185.217.98.121:8080 185.217.98.121 tcp
IL 185.217.98.121:443 N/A tcp
US 170.187.149.4:8098 170.187.149.4 tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 206.189.109.146:80 206.189.109.146 tcp
FR 5.196.181.135:443 N/A tcp
IL 185.217.98.121:80 185.217.98.121 tcp
IL 185.217.98.121:8080 185.217.98.121 tcp
IL 185.217.98.121:443 N/A tcp
US 170.187.149.4:8098 170.187.149.4 tcp
US 15.204.227.3:7171 15.204.227.3 tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
DE 173.212.209.190:4001 173.212.209.190 tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
GB 149.88.44.159:80 149.88.44.159 tcp
DE 173.212.209.190:4001 N/A tcp
NO 4.235.34.94:80 4.235.34.94 tcp
NL 206.189.109.146:80 206.189.109.146 tcp
FR 5.196.181.135:443 N/A tcp
IL 185.217.98.121:80 185.217.98.121 tcp
IL 185.217.98.121:8080 185.217.98.121 tcp
US 170.187.149.4:8098 N/A tcp
NL 149.154.167.220:443 api.telegram.org tcp
FR 45.147.99.158:8080 45.147.99.158 tcp
N/A 127.0.0.1:2206 N/A tcp
N/A 127.0.0.1:2206 N/A tcp
IL 185.217.98.121:443 N/A tcp

Files

memory/2128-0-0x000007FEF5433000-0x000007FEF5434000-memory.dmp

memory/2128-1-0x00000000008D0000-0x00000000008F4000-memory.dmp

memory/2128-2-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

memory/2128-5-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

memory/2600-9-0x0000000001390000-0x00000000013B4000-memory.dmp

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

MD5 b37058a1a6fa72cf11d4bda54e15790a
SHA1 b8663b93cac0b88168d207fd648da5c2f9b775de
SHA256 85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0
SHA512 4848057ad580943a96e57713ca721ad3052001e8fd428651b08034592596f14e9396d0de970bdbffc552e104189aa81dfe7723bd13003637659198ec38fed818

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar441A.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f987b544aa889cf6df8a1adf50c9ca41
SHA1 e531e4778ffc5d8ddce4fbdafb0a8e4009f543b8
SHA256 b88378a066c4dfc9f318efdae040171a7a4a3ec10c1efcf7c3b5853466da8bac
SHA512 8b054b5dd06930acede75d18a521ae4be8ec015fa279ac51276785257af4d50c0e932de7334429556f656980a0d219de89537a65bef214b3b6af86af59430505

C:\Users\Admin\AppData\Local\zxqaiiy6en\p.dat

MD5 fea9c11c4ad9a395a636ed944a28b51a
SHA1 0ad0144e12526132b8bd147b23f0b12e971796f6
SHA256 153ebeeacf6b8a97825becc9658657e044db07ed9b9db6c4b997ef9c44c2e021
SHA512 0219b7c9eece7a84ba17c1efc52d4d911040962b9c3e300f56129e477b8b3c7fb4ba92825b5565062a6db776b23d3cabb7cd76313846833c347e8a7dd08f786b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 44a8741dcef750c56dc9f1560a8327fa
SHA1 cdbee3cdc4482b83302196b053a9622b01159088
SHA256 b0870b084f4c4ceb70006e07cef55a57983d7b506de9608409965f559bc0d759
SHA512 b971dfed9f112a8e2cda21312985fce8e722aec5274e1bdf47457cc235de9d89b14e03ab45508ef9af2b02e59203e9bc7d505729f68b47aecc14eb3adc5f341f

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 01:36

Reported

2024-06-04 01:40

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1860 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\System32\cmd.exe
PID 1860 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\System32\cmd.exe
PID 4060 wrote to memory of 4272 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4060 wrote to memory of 4272 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4060 wrote to memory of 4660 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 4060 wrote to memory of 4660 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 4060 wrote to memory of 3296 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4060 wrote to memory of 3296 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4060 wrote to memory of 1988 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
PID 4060 wrote to memory of 1988 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe
PID 1988 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe
PID 1988 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe
PID 1988 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe
PID 1988 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\SYSTEM32\cmd.exe
PID 1988 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\SYSTEM32\cmd.exe
PID 2300 wrote to memory of 1124 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 2300 wrote to memory of 1124 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 2300 wrote to memory of 3740 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 2300 wrote to memory of 3740 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 2300 wrote to memory of 928 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 2300 wrote to memory of 928 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 1988 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\SYSTEM32\cmd.exe
PID 1988 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe C:\Windows\SYSTEM32\cmd.exe
PID 4504 wrote to memory of 868 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 4504 wrote to memory of 868 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 4504 wrote to memory of 2184 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 4504 wrote to memory of 2184 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 4504 wrote to memory of 3516 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 4504 wrote to memory of 3516 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

"C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe" &&START "" "C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout /t 3

C:\Windows\system32\schtasks.exe

schtasks /create /tn "85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

"C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe"

C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe

"C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe" -f "C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\torrc.txt"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\findstr.exe

findstr "SSID BSSID Signal"

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 198.255.21.2:443 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 2.21.255.198.in-addr.arpa udp
FR 45.147.99.158:8080 45.147.99.158 tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
GB 149.88.44.159:80 149.88.44.159 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 158.99.147.45.in-addr.arpa udp
US 8.8.8.8:53 159.44.88.149.in-addr.arpa udp
DE 128.0.64.148:9001 tcp
US 94.154.159.96:9001 tcp
NO 4.235.34.94:80 tcp
US 170.187.149.4:8098 tcp
US 15.204.227.3:7171 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 128.0.64.148:9001 tcp
US 94.154.159.96:9001 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
N/A 127.0.0.1:2462 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 127.0.0.1:50165 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 173.212.209.190:4001 tcp
N/A 206.189.109.146:80 tcp
N/A 5.196.181.135:443 tcp
N/A 185.217.98.121:80 tcp
N/A 185.217.98.121:8080 tcp
N/A 185.217.98.121:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 127.0.0.1:2462 tcp
N/A 127.0.0.1:2462 tcp

Files

memory/1860-1-0x00007FF86A0E3000-0x00007FF86A0E5000-memory.dmp

memory/1860-0-0x000001BEE3820000-0x000001BEE3844000-memory.dmp

memory/1860-2-0x00007FF86A0E0000-0x00007FF86ABA1000-memory.dmp

memory/1860-6-0x00007FF86A0E0000-0x00007FF86ABA1000-memory.dmp

C:\Users\Admin\AppData\Local\RobloxSecurity\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe

MD5 b37058a1a6fa72cf11d4bda54e15790a
SHA1 b8663b93cac0b88168d207fd648da5c2f9b775de
SHA256 85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0
SHA512 4848057ad580943a96e57713ca721ad3052001e8fd428651b08034592596f14e9396d0de970bdbffc552e104189aa81dfe7723bd13003637659198ec38fed818

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\85b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0.exe.log

MD5 fc1be6f3f52d5c841af91f8fc3f790cb
SHA1 ac79b4229e0a0ce378ae22fc6104748c5f234511
SHA256 6da862f7c7feffca99cd58712ece93928c6ca6aed617f5d8c10a4718eaa2a910
SHA512 2f46165017309ee1a0c1b23e30a71e52e86ad8933e2649bf58c3f4628c5aa75659f5b8f6be32c2882f220b2f3ff2fd50d8766bf0a3708c94c2c634c051a05ea6

C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe

MD5 07244a2c002ffdf1986b454429eace0b
SHA1 d7cd121caac2f5989aa68a052f638f82d4566328
SHA256 e9522e6912a0124c0a8c9ff9bb3712b474971376a4eb4ca614bb1664a2b4abcf
SHA512 4a09db85202723a73703c5926921fef60c3dddae21528a01936987306c5e7937463f94a2f4a922811de1f76621def2a8a597a8b38a719dd24e6ff3d4e07492ca

C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\libcrypto-1_1.dll

MD5 6d48d76a4d1c9b0ff49680349c4d28ae
SHA1 1bb3666c16e11eff8f9c3213b20629f02d6a66cb
SHA256 3f08728c7a67e4998fbdc7a7cb556d8158efdcdaf0acf75b7789dccace55662d
SHA512 09a4fd7b37cf52f6a0c3bb0a7517e2d2439f4af8e03130aed3296d7448585ea5e3c0892e1e1202f658ef2d083ce13c436779e202c39620a70a17b026705c65c9

memory/4404-105-0x0000000000BD0000-0x0000000000FE4000-memory.dmp

memory/4404-104-0x0000000074C60000-0x0000000074C86000-memory.dmp

C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\torrc.txt

MD5 90dd9da0c1b1448ee22142309ac6b3b1
SHA1 6ebff1446318c04e2e9779ccbc5238481abe0d5e
SHA256 9e7174fa9463c4dec5ec58cb5a95218224428d9648375c3e4e68b0e6dd60b309
SHA512 ca845694b28c79078c0948b0a03bb3402f767a7c2da4ac08a4dd8f013e30adac44f362c68136bb5fde581db1d9460634b95009a6ccc0e6fd8965e5a805231f0a

memory/4404-103-0x0000000074D80000-0x0000000074E7B000-memory.dmp

C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\libgcc_s_sjlj-1.dll

MD5 bd40ff3d0ce8d338a1fe4501cd8e9a09
SHA1 3aae8c33bf0ec9adf5fbf8a361445969de409b49
SHA256 ebda776a2a353f8f0690b1c7706b0cdaff3d23e1618515d45e451fc19440501c
SHA512 404fb3c107006b832b8e900f6e27873324cd0a7946cdccf4ffeea365a725892d929e8b160379af9782bcd6cfeb4c3c805740e21280b42bb2ce8f39f26792e5a1

C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\libwinpthread-1.dll

MD5 19d7cc4377f3c09d97c6da06fbabc7dc
SHA1 3a3ba8f397fb95ed5df22896b2c53a326662fcc9
SHA256 228fcfe9ed0574b8da32dd26eaf2f5dbaef0e1bd2535cb9b1635212ccdcbf84d
SHA512 23711285352cdec6815b5dd6e295ec50568fab7614706bc8d5328a4a0b62991c54b16126ed9e522471d2367b6f32fa35feb41bfa77b3402680d9a69f53962a4a

C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\host\hostname

MD5 ad7c77325942d286b5b30a642d72bb40
SHA1 3b1fa2afdc8f35dee151004b1377d519cc7e1c1e
SHA256 ee5292d5a97f0573991f792e9673c5ec927fef489b45ac0ab814b2fac02441c0
SHA512 0080940e38474f82982256789cbe5033f6a69cfd5cf513aba8510689d867888e8130097db666363d53a7920bbb5e03e884cc1a3268b51c7018657d296bb712b9

C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\zlib1.dll

MD5 6f98da9e33cd6f3dd60950413d3638ac
SHA1 e630bdf8cebc165aa81464ff20c1d55272d05675
SHA256 219d9d5bf0de4c2251439c89dd5f2959ee582e7f9f7d5ff66a29c88753a3a773
SHA512 2983faaf7f47a8f79a38122aa617e65e7deddd19ba9a98b62acf17b48e5308099b852f21aaf8ca6fe11e2cc76c36eed7ffa3307877d4e67b1659fe6e4475205c

C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\libevent-2-1-7.dll

MD5 a3bf8e33948d94d490d4613441685eee
SHA1 75ed7f6e2855a497f45b15270c3ad4aed6ad02e2
SHA256 91c812a33871e40b264761f1418e37ebfeb750fe61ca00cbcbe9f3769a8bf585
SHA512 c20ef2efcacb5f8c7e2464de7fde68bf610ab2e0608ff4daed9bf676996375db99bee7e3f26c5bd6cca63f9b2d889ed5460ec25004130887cd1a90b892be2b28

C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\libssl-1_1.dll

MD5 945d225539becc01fbca32e9ff6464f0
SHA1 a614eb470defeab01317a73380f44db669100406
SHA256 c697434857a039bf27238c105be0487a0c6c611dd36cb1587c3c6b3bf582718a
SHA512 409f8f1e6d683a3cbe7954bce37013316dee086cdbd7ecda88acb5d94031cff6166a93b641875116327151823cce747bcf254c0185e0770e2b74b7c5e067bc4a

C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\libssp-0.dll

MD5 b77328da7cead5f4623748a70727860d
SHA1 13b33722c55cca14025b90060e3227db57bf5327
SHA256 46541d9e28c18bc11267630920b97c42f104c258b55e2f62e4a02bcd5f03e0e7
SHA512 2f1bd13357078454203092ed5ddc23a8baa5e64202fba1e4f98eacf1c3c184616e527468a96ff36d98b9324426dddfa20b62b38cf95c6f5c0dc32513ebace9e2

C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\data\cached-microdesc-consensus.tmp

MD5 9d02f78cd5005830652cae892abc2d6b
SHA1 d094b808bff283ce01de399ed3d77f8725543178
SHA256 56a630dc10a939fd8dbc20983e016bc79d9c2adf97453fb83f8a16edccdb667c
SHA512 bcff9d7db4191f4aacf8de6770c3a09a3bda9b9b73455dc456126eb520aedd4471a8468264d919980e9f24f74b8df14dfa101a8cb511d33b085d6c43d14f1c3b

C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\data\cached-microdescs.new

MD5 7409d80d8d2e9e94e4ba15db7a26e7a4
SHA1 9a5986c9ad7797906c805e83e7332fe860efdbf6
SHA256 ff780f7834f2ac474dc566e4640db98e3e9caa1186b58db94bfc773168fe5fc4
SHA512 9ace1b26e577aec81a0e002f066bad299b557f4760c352e4e9697c9ad93a5582b2f6dc525344589a2b57626d6078c20320a392785ab5d39df8d722d328d6b5d7

memory/4404-140-0x0000000074AC0000-0x0000000074BC4000-memory.dmp

memory/4404-141-0x00000000747C0000-0x0000000074AB6000-memory.dmp

memory/4404-139-0x0000000074BD0000-0x0000000074C51000-memory.dmp

memory/4404-138-0x0000000074C60000-0x0000000074C86000-memory.dmp

memory/4404-134-0x0000000000BD0000-0x0000000000FE4000-memory.dmp

memory/4404-137-0x0000000074D80000-0x0000000074E7B000-memory.dmp

memory/4404-136-0x0000000074C90000-0x0000000074D76000-memory.dmp

memory/4404-135-0x0000000074E80000-0x0000000074EC4000-memory.dmp

C:\Users\Admin\AppData\Local\zxqaiiy6en\p.dat

MD5 10c66082c124f8afe3df4886f5e516e0
SHA1 5a879155f08a8a1463612521d6fc9a7906256574
SHA256 1b5318434397d6eec58afbac28836ffe3254baabb665b87ce6b678394b97ee2c
SHA512 3258f6f1daae683eb1b28989d0c8e915693ca8b4ccdfdbc39f203f5df4b3378b13d626dd89bbfe403a71366543168f113420309697ba98a6b84f5ed5dd171618

memory/4404-143-0x0000000000BD0000-0x0000000000FE4000-memory.dmp

memory/4404-158-0x0000000000BD0000-0x0000000000FE4000-memory.dmp

memory/4404-175-0x0000000000BD0000-0x0000000000FE4000-memory.dmp

memory/4404-183-0x0000000000BD0000-0x0000000000FE4000-memory.dmp

memory/4404-191-0x0000000000BD0000-0x0000000000FE4000-memory.dmp

memory/4404-203-0x0000000000BD0000-0x0000000000FE4000-memory.dmp