Malware Analysis Report

2024-11-15 09:55

Sample ID 241110-cvj2bsxdqk
Target Newfolder4.rar
SHA256 7a8aee0ff7f0eb5c8eda7fecdad3616e44adf6da1cd89dac50ae7e322f9d9ce3
Tags
discovery upx spyware stealer collection
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

7a8aee0ff7f0eb5c8eda7fecdad3616e44adf6da1cd89dac50ae7e322f9d9ce3

Threat Level: Likely malicious

The file Newfolder4.rar was found to be: Likely malicious.

Malicious Activity Summary

discovery upx spyware stealer collection

NirSoft WebBrowserPassView

Detected Nirsoft tools

NirSoft MailPassView

Reads user/profile data of web browsers

Accesses Microsoft Outlook accounts

UPX packed file

Browser Information Discovery

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: CmdExeWriteProcessMemorySpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 02:23

Signatures

Detected Nirsoft tools

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-10 02:23

Reported

2024-11-10 02:26

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe"

Signatures

Detected Nirsoft tools

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/3004-0-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3004-1-0x0000000000400000-0x000000000041C000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-10 02:23

Reported

2024-11-10 02:26

Platform

win7-20240903-en

Max time kernel

141s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe"

Signatures

Detected Nirsoft tools

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe"

Network

N/A

Files

memory/2204-0-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2204-1-0x0000000000400000-0x0000000000426000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-10 02:23

Reported

2024-11-10 02:26

Platform

win7-20241023-en

Max time kernel

141s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe"

Signatures

Detected Nirsoft tools

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe"

Network

N/A

Files

memory/2156-0-0x0000000000400000-0x000000000044F000-memory.dmp

memory/2156-1-0x0000000000400000-0x000000000044F000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 02:23

Reported

2024-11-10 02:26

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe"

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-10 02:23

Reported

2024-11-10 02:26

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\robuxboi.bat"

Signatures

Detected Nirsoft tools

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2204 wrote to memory of 2276 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe
PID 2204 wrote to memory of 2276 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe
PID 2204 wrote to memory of 2276 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe
PID 2204 wrote to memory of 2276 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe
PID 2204 wrote to memory of 2304 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe
PID 2204 wrote to memory of 2304 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe
PID 2204 wrote to memory of 2304 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe
PID 2204 wrote to memory of 2304 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe
PID 2204 wrote to memory of 2312 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe
PID 2204 wrote to memory of 2312 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe
PID 2204 wrote to memory of 2312 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe
PID 2204 wrote to memory of 2312 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe
PID 2204 wrote to memory of 2188 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe
PID 2204 wrote to memory of 2188 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe
PID 2204 wrote to memory of 2188 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe
PID 2204 wrote to memory of 2188 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe
PID 2204 wrote to memory of 1608 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe
PID 2204 wrote to memory of 1608 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe
PID 2204 wrote to memory of 1608 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe
PID 2204 wrote to memory of 1608 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe
PID 2204 wrote to memory of 1880 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe
PID 2204 wrote to memory of 1880 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe
PID 2204 wrote to memory of 1880 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe
PID 2204 wrote to memory of 1880 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe
PID 2204 wrote to memory of 2580 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe
PID 2204 wrote to memory of 2580 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe
PID 2204 wrote to memory of 2580 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe
PID 2204 wrote to memory of 2580 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe
PID 2204 wrote to memory of 1268 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe
PID 2204 wrote to memory of 1268 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe
PID 2204 wrote to memory of 1268 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe
PID 2204 wrote to memory of 1268 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe
PID 2204 wrote to memory of 1816 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe
PID 2204 wrote to memory of 1816 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe
PID 2204 wrote to memory of 1816 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe
PID 2204 wrote to memory of 1816 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe
PID 2204 wrote to memory of 2816 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe
PID 2204 wrote to memory of 2816 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe
PID 2204 wrote to memory of 2816 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe
PID 2204 wrote to memory of 2816 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe
PID 2204 wrote to memory of 2944 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe
PID 2204 wrote to memory of 2944 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe
PID 2204 wrote to memory of 2944 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe
PID 2204 wrote to memory of 2944 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe
PID 2204 wrote to memory of 2956 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe
PID 2204 wrote to memory of 2956 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe
PID 2204 wrote to memory of 2956 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe
PID 2204 wrote to memory of 2956 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe
PID 2204 wrote to memory of 2960 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2204 wrote to memory of 2960 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2204 wrote to memory of 2960 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\robuxboi.bat"

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe

WebBrowserPassView.exe /stext WebBrowserPassView_11102024_KHBTHJFA_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe

SkypeLogView.exe /stext SkypeLogView_11102024_KHBTHJFA_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe

RouterPassView.exe /stext RouterPassView_11102024_KHBTHJFA_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe

pspv.exe /stext pspv_11102024_KHBTHJFA_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe

PasswordFox.exe /stext PasswordFox_11102024_KHBTHJFA_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe

OperaPassView.exe /stext OperaPassView_11102024_KHBTHJFA_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe

mspass.exe /stext mspass_11102024_KHBTHJFA_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe

mailpv.exe /stext mailpv_11102024_KHBTHJFA_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe

iepv.exe /stext iepv_11102024_KHBTHJFA_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe

ChromePass.exe /stext ChromePass_11102024_KHBTHJFA_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe

ChromeHistoryView.exe /stext ChromeHistoryView_11102024_KHBTHJFA_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe

BrowsingHistoryView.exe /stext BrowsingHistoryView_11102024_KHBTHJFA_Admin.txt

C:\Windows\system32\PING.EXE

ping -n 5 127.0.0.1

Network

N/A

Files

memory/1880-4-0x0000000000400000-0x0000000000419000-memory.dmp

memory/2312-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2304-2-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2312-9-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2580-11-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2944-15-0x0000000000400000-0x000000000044F000-memory.dmp

memory/1816-16-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2580-14-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2944-19-0x0000000000400000-0x000000000044F000-memory.dmp

memory/1816-21-0x0000000000400000-0x000000000041C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass_11102024_KHBTHJFA_Admin.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-10 02:23

Reported

2024-11-10 02:26

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe"

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-10 02:23

Reported

2024-11-10 02:26

Platform

win7-20241023-en

Max time kernel

141s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe"

Signatures

Detected Nirsoft tools

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe"

Network

N/A

Files

memory/2392-0-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2392-1-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-10 02:23

Reported

2024-11-10 02:26

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe"

Signatures

Detected Nirsoft tools

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 103.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

memory/2692-0-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2692-1-0x0000000000400000-0x0000000000426000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 02:23

Reported

2024-11-10 02:26

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-10 02:23

Reported

2024-11-10 02:26

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe"

Signatures

Detected Nirsoft tools

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp

Files

memory/1672-0-0x0000000000400000-0x000000000044F000-memory.dmp

memory/1672-1-0x0000000000400000-0x000000000044F000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-10 02:23

Reported

2024-11-10 02:26

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-10 02:23

Reported

2024-11-10 02:26

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe"

Signatures

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe"

Network

Country Destination Domain Proto

Files

memory/2660-0-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2660-1-0x0000000000400000-0x0000000000452000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-10 02:23

Reported

2024-11-10 02:26

Platform

win7-20241010-en

Max time kernel

14s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe"

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-10 02:23

Reported

2024-11-10 02:26

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe"

Signatures

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe"

Network

Country Destination Domain Proto

Files

memory/3644-0-0x0000000000400000-0x0000000000419000-memory.dmp

memory/3644-1-0x0000000000400000-0x0000000000419000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-10 02:23

Reported

2024-11-10 02:26

Platform

win7-20240729-en

Max time kernel

17s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe"

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-10 02:23

Reported

2024-11-10 02:26

Platform

win10v2004-20241007-en

Max time kernel

96s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe"

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-10 02:23

Reported

2024-11-10 02:26

Platform

win7-20240903-en

Max time kernel

141s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe"

Signatures

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe"

Network

N/A

Files

memory/2192-0-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2192-1-0x0000000000400000-0x0000000000452000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-10 02:23

Reported

2024-11-10 02:26

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe"

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-10 02:23

Reported

2024-11-10 02:26

Platform

win7-20240903-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe"

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-10 02:23

Reported

2024-11-10 02:26

Platform

win7-20240708-en

Max time kernel

141s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe"

Signatures

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe"

Network

N/A

Files

memory/2084-0-0x0000000000400000-0x0000000000419000-memory.dmp

memory/2084-1-0x0000000000400000-0x0000000000419000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-10 02:23

Reported

2024-11-10 02:26

Platform

win7-20240903-en

Max time kernel

141s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe"

Signatures

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe"

Network

N/A

Files

memory/3052-0-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3052-1-0x0000000000400000-0x000000000041C000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-10 02:23

Reported

2024-11-10 02:26

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe"

Signatures

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe"

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-10 02:23

Reported

2024-11-10 02:26

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

134s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\robuxboi.bat"

Signatures

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1316 wrote to memory of 2872 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe
PID 1316 wrote to memory of 2872 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe
PID 1316 wrote to memory of 2872 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe
PID 1316 wrote to memory of 5072 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe
PID 1316 wrote to memory of 5072 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe
PID 1316 wrote to memory of 5072 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe
PID 1316 wrote to memory of 2424 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe
PID 1316 wrote to memory of 2424 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe
PID 1316 wrote to memory of 2424 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe
PID 1316 wrote to memory of 4224 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe
PID 1316 wrote to memory of 4224 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe
PID 1316 wrote to memory of 4224 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe
PID 1316 wrote to memory of 1592 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe
PID 1316 wrote to memory of 1592 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe
PID 1316 wrote to memory of 1592 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe
PID 1316 wrote to memory of 1080 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe
PID 1316 wrote to memory of 1080 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe
PID 1316 wrote to memory of 1080 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe
PID 1316 wrote to memory of 3988 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe
PID 1316 wrote to memory of 3988 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe
PID 1316 wrote to memory of 3988 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe
PID 1316 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe
PID 1316 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe
PID 1316 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe
PID 1316 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe
PID 1316 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe
PID 1316 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe
PID 1316 wrote to memory of 1844 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe
PID 1316 wrote to memory of 1844 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe
PID 1316 wrote to memory of 1844 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe
PID 1316 wrote to memory of 1700 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe
PID 1316 wrote to memory of 1700 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe
PID 1316 wrote to memory of 1700 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe
PID 1316 wrote to memory of 4540 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe
PID 1316 wrote to memory of 4540 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe
PID 1316 wrote to memory of 4540 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe
PID 1316 wrote to memory of 3840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1316 wrote to memory of 3840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\robuxboi.bat"

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe

WebBrowserPassView.exe /stext WebBrowserPassView_11102024_YLFOGIOE_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe

SkypeLogView.exe /stext SkypeLogView_11102024_YLFOGIOE_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe

RouterPassView.exe /stext RouterPassView_11102024_YLFOGIOE_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe

pspv.exe /stext pspv_11102024_YLFOGIOE_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe

PasswordFox.exe /stext PasswordFox_11102024_YLFOGIOE_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe

OperaPassView.exe /stext OperaPassView_11102024_YLFOGIOE_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe

mspass.exe /stext mspass_11102024_YLFOGIOE_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe

mailpv.exe /stext mailpv_11102024_YLFOGIOE_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe

iepv.exe /stext iepv_11102024_YLFOGIOE_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe

ChromePass.exe /stext ChromePass_11102024_YLFOGIOE_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe

ChromeHistoryView.exe /stext ChromeHistoryView_11102024_YLFOGIOE_Admin.txt

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe

BrowsingHistoryView.exe /stext BrowsingHistoryView_11102024_YLFOGIOE_Admin.txt

C:\Windows\system32\PING.EXE

ping -n 5 127.0.0.1

Network

Country Destination Domain Proto

Files

memory/5072-0-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2424-1-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1080-2-0x0000000000400000-0x0000000000419000-memory.dmp

memory/3988-3-0x0000000000400000-0x0000000000426000-memory.dmp

memory/2424-10-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView_11102024_YLFOGIOE_Admin.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/5072-14-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1080-12-0x0000000000400000-0x0000000000419000-memory.dmp

memory/3988-16-0x0000000000400000-0x0000000000426000-memory.dmp

memory/556-17-0x0000000000400000-0x000000000041C000-memory.dmp

memory/556-19-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1700-21-0x0000000000400000-0x000000000044F000-memory.dmp

memory/1700-24-0x0000000000400000-0x000000000044F000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-10 02:23

Reported

2024-11-10 02:26

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe"

Signatures

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe"

Network

Country Destination Domain Proto

Files

memory/2396-0-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2396-1-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-10 02:23

Reported

2024-11-10 02:26

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe"

Signatures

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe"

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-10 02:23

Reported

2024-11-10 02:26

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe

"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe"

Network

Country Destination Domain Proto

Files

N/A