Analysis Overview
SHA256
7a8aee0ff7f0eb5c8eda7fecdad3616e44adf6da1cd89dac50ae7e322f9d9ce3
Threat Level: Likely malicious
The file Newfolder4.rar was found to be: Likely malicious.
Malicious Activity Summary
NirSoft WebBrowserPassView
Detected Nirsoft tools
NirSoft MailPassView
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
UPX packed file
Browser Information Discovery
System Network Configuration Discovery: Internet Connection Discovery
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: CmdExeWriteProcessMemorySpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 02:23
Signatures
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-10 02:23
Reported
2024-11-10 02:26
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
135s
Command Line
Signatures
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/3004-0-0x0000000000400000-0x000000000041C000-memory.dmp
memory/3004-1-0x0000000000400000-0x000000000041C000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-10 02:23
Reported
2024-11-10 02:26
Platform
win7-20240903-en
Max time kernel
141s
Max time network
123s
Command Line
Signatures
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe"
Network
Files
memory/2204-0-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2204-1-0x0000000000400000-0x0000000000426000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-10 02:23
Reported
2024-11-10 02:26
Platform
win7-20241023-en
Max time kernel
141s
Max time network
122s
Command Line
Signatures
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe"
Network
Files
memory/2156-0-0x0000000000400000-0x000000000044F000-memory.dmp
memory/2156-1-0x0000000000400000-0x000000000044F000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 02:23
Reported
2024-11-10 02:26
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Reads user/profile data of web browsers
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe"
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-11-10 02:23
Reported
2024-11-10 02:26
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\robuxboi.bat"
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe
WebBrowserPassView.exe /stext WebBrowserPassView_11102024_KHBTHJFA_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe
SkypeLogView.exe /stext SkypeLogView_11102024_KHBTHJFA_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe
RouterPassView.exe /stext RouterPassView_11102024_KHBTHJFA_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe
pspv.exe /stext pspv_11102024_KHBTHJFA_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe
PasswordFox.exe /stext PasswordFox_11102024_KHBTHJFA_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe
OperaPassView.exe /stext OperaPassView_11102024_KHBTHJFA_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe
mspass.exe /stext mspass_11102024_KHBTHJFA_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe
mailpv.exe /stext mailpv_11102024_KHBTHJFA_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe
iepv.exe /stext iepv_11102024_KHBTHJFA_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe
ChromePass.exe /stext ChromePass_11102024_KHBTHJFA_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe
ChromeHistoryView.exe /stext ChromeHistoryView_11102024_KHBTHJFA_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe
BrowsingHistoryView.exe /stext BrowsingHistoryView_11102024_KHBTHJFA_Admin.txt
C:\Windows\system32\PING.EXE
ping -n 5 127.0.0.1
Network
Files
memory/1880-4-0x0000000000400000-0x0000000000419000-memory.dmp
memory/2312-3-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2304-2-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2312-9-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2580-11-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2944-15-0x0000000000400000-0x000000000044F000-memory.dmp
memory/1816-16-0x0000000000400000-0x000000000041C000-memory.dmp
memory/2580-14-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2944-19-0x0000000000400000-0x000000000044F000-memory.dmp
memory/1816-21-0x0000000000400000-0x000000000041C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass_11102024_KHBTHJFA_Admin.txt
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-10 02:23
Reported
2024-11-10 02:26
Platform
win7-20240903-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe"
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-10 02:23
Reported
2024-11-10 02:26
Platform
win7-20241023-en
Max time kernel
141s
Max time network
120s
Command Line
Signatures
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe"
Network
Files
memory/2392-0-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2392-1-0x0000000000400000-0x0000000000429000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-11-10 02:23
Reported
2024-11-10 02:26
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
Files
memory/2692-0-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2692-1-0x0000000000400000-0x0000000000426000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 02:23
Reported
2024-11-10 02:26
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Reads user/profile data of web browsers
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-10 02:23
Reported
2024-11-10 02:26
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
143s
Command Line
Signatures
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
Files
memory/1672-0-0x0000000000400000-0x000000000044F000-memory.dmp
memory/1672-1-0x0000000000400000-0x000000000044F000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-10 02:23
Reported
2024-11-10 02:26
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
149s
Command Line
Signatures
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-10 02:23
Reported
2024-11-10 02:26
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
137s
Command Line
Signatures
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/2660-0-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2660-1-0x0000000000400000-0x0000000000452000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-10 02:23
Reported
2024-11-10 02:26
Platform
win7-20241010-en
Max time kernel
14s
Max time network
20s
Command Line
Signatures
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe"
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-10 02:23
Reported
2024-11-10 02:26
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
146s
Command Line
Signatures
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/3644-0-0x0000000000400000-0x0000000000419000-memory.dmp
memory/3644-1-0x0000000000400000-0x0000000000419000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-10 02:23
Reported
2024-11-10 02:26
Platform
win7-20240729-en
Max time kernel
17s
Max time network
17s
Command Line
Signatures
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe"
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-10 02:23
Reported
2024-11-10 02:26
Platform
win10v2004-20241007-en
Max time kernel
96s
Max time network
140s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-10 02:23
Reported
2024-11-10 02:26
Platform
win7-20240903-en
Max time kernel
141s
Max time network
121s
Command Line
Signatures
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe"
Network
Files
memory/2192-0-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2192-1-0x0000000000400000-0x0000000000452000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-10 02:23
Reported
2024-11-10 02:26
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
135s
Command Line
Signatures
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-11-10 02:23
Reported
2024-11-10 02:26
Platform
win7-20240903-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe"
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-10 02:23
Reported
2024-11-10 02:26
Platform
win7-20240708-en
Max time kernel
141s
Max time network
124s
Command Line
Signatures
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe"
Network
Files
memory/2084-0-0x0000000000400000-0x0000000000419000-memory.dmp
memory/2084-1-0x0000000000400000-0x0000000000419000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-10 02:23
Reported
2024-11-10 02:26
Platform
win7-20240903-en
Max time kernel
141s
Max time network
121s
Command Line
Signatures
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe"
Network
Files
memory/3052-0-0x0000000000400000-0x000000000041C000-memory.dmp
memory/3052-1-0x0000000000400000-0x000000000041C000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-10 02:23
Reported
2024-11-10 02:26
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
141s
Command Line
Signatures
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-11-10 02:23
Reported
2024-11-10 02:26
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
134s
Command Line
Signatures
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\robuxboi.bat"
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe
WebBrowserPassView.exe /stext WebBrowserPassView_11102024_YLFOGIOE_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe
SkypeLogView.exe /stext SkypeLogView_11102024_YLFOGIOE_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe
RouterPassView.exe /stext RouterPassView_11102024_YLFOGIOE_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe
pspv.exe /stext pspv_11102024_YLFOGIOE_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe
PasswordFox.exe /stext PasswordFox_11102024_YLFOGIOE_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe
OperaPassView.exe /stext OperaPassView_11102024_YLFOGIOE_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe
mspass.exe /stext mspass_11102024_YLFOGIOE_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe
mailpv.exe /stext mailpv_11102024_YLFOGIOE_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe
iepv.exe /stext iepv_11102024_YLFOGIOE_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe
ChromePass.exe /stext ChromePass_11102024_YLFOGIOE_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe
ChromeHistoryView.exe /stext ChromeHistoryView_11102024_YLFOGIOE_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe
BrowsingHistoryView.exe /stext BrowsingHistoryView_11102024_YLFOGIOE_Admin.txt
C:\Windows\system32\PING.EXE
ping -n 5 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/5072-0-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2424-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1080-2-0x0000000000400000-0x0000000000419000-memory.dmp
memory/3988-3-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2424-10-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView_11102024_YLFOGIOE_Admin.txt
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/5072-14-0x0000000000400000-0x0000000000452000-memory.dmp
memory/1080-12-0x0000000000400000-0x0000000000419000-memory.dmp
memory/3988-16-0x0000000000400000-0x0000000000426000-memory.dmp
memory/556-17-0x0000000000400000-0x000000000041C000-memory.dmp
memory/556-19-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1700-21-0x0000000000400000-0x000000000044F000-memory.dmp
memory/1700-24-0x0000000000400000-0x000000000044F000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-10 02:23
Reported
2024-11-10 02:26
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
memory/2396-0-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2396-1-0x0000000000400000-0x0000000000429000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-10 02:23
Reported
2024-11-10 02:26
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe"
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-10 02:23
Reported
2024-11-10 02:26
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
151s
Command Line
Signatures
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |