Analysis Overview
SHA256
7a8aee0ff7f0eb5c8eda7fecdad3616e44adf6da1cd89dac50ae7e322f9d9ce3
Threat Level: Likely malicious
The file New folder (4).rar was found to be: Likely malicious.
Malicious Activity Summary
Detected Nirsoft tools
NirSoft WebBrowserPassView
NirSoft MailPassView
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Browser Information Discovery
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 03:58
Signatures
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 03:58
Reported
2024-11-10 04:01
Platform
win11-20241007-en
Max time kernel
140s
Max time network
93s
Command Line
Signatures
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe"
Network
Files
memory/3536-0-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3536-1-0x0000000000400000-0x000000000044F000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-10 03:58
Reported
2024-11-10 04:01
Platform
win11-20241007-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-10 03:58
Reported
2024-11-10 04:01
Platform
win11-20241007-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe"
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-10 03:58
Reported
2024-11-10 04:01
Platform
win11-20241007-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\robuxboi.bat"
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe
WebBrowserPassView.exe /stext WebBrowserPassView_11102024_GMTYKXRU_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe
SkypeLogView.exe /stext SkypeLogView_11102024_GMTYKXRU_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe
RouterPassView.exe /stext RouterPassView_11102024_GMTYKXRU_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\pspv.exe
pspv.exe /stext pspv_11102024_GMTYKXRU_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\PasswordFox.exe
PasswordFox.exe /stext PasswordFox_11102024_GMTYKXRU_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe
OperaPassView.exe /stext OperaPassView_11102024_GMTYKXRU_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe
mspass.exe /stext mspass_11102024_GMTYKXRU_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe
mailpv.exe /stext mailpv_11102024_GMTYKXRU_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe
iepv.exe /stext iepv_11102024_GMTYKXRU_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe
ChromePass.exe /stext ChromePass_11102024_GMTYKXRU_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromeHistoryView.exe
ChromeHistoryView.exe /stext ChromeHistoryView_11102024_GMTYKXRU_Admin.txt
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe
BrowsingHistoryView.exe /stext BrowsingHistoryView_11102024_GMTYKXRU_Admin.txt
C:\Windows\system32\PING.EXE
ping -n 5 127.0.0.1
Network
Files
memory/3156-0-0x0000000000400000-0x0000000000452000-memory.dmp
memory/1176-1-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1176-9-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3716-8-0x0000000000400000-0x0000000000419000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView_11102024_GMTYKXRU_Admin.txt
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/3156-11-0x0000000000400000-0x0000000000452000-memory.dmp
memory/3716-2-0x0000000000400000-0x0000000000419000-memory.dmp
memory/384-12-0x0000000000400000-0x0000000000426000-memory.dmp
memory/384-13-0x0000000000400000-0x0000000000426000-memory.dmp
memory/2796-14-0x0000000000400000-0x000000000041C000-memory.dmp
memory/2796-15-0x0000000000400000-0x000000000041C000-memory.dmp
memory/3804-17-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3804-19-0x0000000000400000-0x000000000044F000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-10 03:58
Reported
2024-11-10 04:01
Platform
win11-20241023-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mspass.exe"
Network
Files
memory/4836-0-0x0000000000400000-0x0000000000426000-memory.dmp
memory/4836-1-0x0000000000400000-0x0000000000426000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-10 03:58
Reported
2024-11-10 04:01
Platform
win11-20241007-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\SkypeLogView.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/3204-0-0x0000000000400000-0x0000000000452000-memory.dmp
memory/3204-1-0x0000000000400000-0x0000000000452000-memory.dmp
memory/3204-2-0x0000000000400000-0x0000000000452000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-10 03:58
Reported
2024-11-10 04:01
Platform
win11-20241007-en
Max time kernel
140s
Max time network
94s
Command Line
Signatures
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\RouterPassView.exe"
Network
Files
memory/4628-0-0x0000000000400000-0x0000000000429000-memory.dmp
memory/4628-1-0x0000000000400000-0x0000000000429000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-10 03:58
Reported
2024-11-10 04:01
Platform
win11-20241007-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\mailpv.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-10 03:58
Reported
2024-11-10 04:01
Platform
win11-20241007-en
Max time kernel
91s
Max time network
94s
Command Line
Signatures
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\ChromePass.exe"
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-10 03:58
Reported
2024-11-10 04:01
Platform
win11-20241007-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\OperaPassView.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/4368-0-0x0000000000400000-0x0000000000419000-memory.dmp
memory/4368-1-0x0000000000400000-0x0000000000419000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-10 03:58
Reported
2024-11-10 04:01
Platform
win11-20241007-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\WebBrowserPassView.exe"
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-10 03:58
Reported
2024-11-10 04:01
Platform
win11-20241007-en
Max time kernel
140s
Max time network
95s
Command Line
Signatures
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\iepv.exe"
Network
Files
memory/2440-0-0x0000000000400000-0x000000000041C000-memory.dmp
memory/2440-1-0x0000000000400000-0x000000000041C000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 03:58
Reported
2024-11-10 03:59
Platform
win11-20241007-en
Max time kernel
15s
Command Line
Signatures
Reads user/profile data of web browsers
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe
"C:\Users\Admin\AppData\Local\Temp\New folder (4)\free robbux\BrowsingHistoryView.exe"