privateloader | hxxps://urluss[.]com/2vwDG8

Analysis

max time kernel
270s
max time network
274s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2023 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://urluss.com/2vwDG8

Score

10^/10

privateloader loader spyware stealer vmprotect

Malware Config

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Executes dropped EXE 2 IoCs

pid	Process
3392	Install.exe
1556	Install.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

VMProtect packed file 9 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0006000000023238-232.dat	vmprotect
behavioral1/files/0x0006000000023238-231.dat	vmprotect
behavioral1/memory/3392-235-0x00007FF633560000-0x00007FF6343B4000-memory.dmp	vmprotect
behavioral1/memory/3392-234-0x00007FF633560000-0x00007FF6343B4000-memory.dmp	vmprotect
behavioral1/memory/3392-256-0x00007FF633560000-0x00007FF6343B4000-memory.dmp	vmprotect
behavioral1/files/0x0006000000023238-266.dat	vmprotect
behavioral1/memory/1556-268-0x00007FF633560000-0x00007FF6343B4000-memory.dmp	vmprotect
behavioral1/memory/1556-269-0x00007FF633560000-0x00007FF6343B4000-memory.dmp	vmprotect
behavioral1/memory/1556-289-0x00007FF633560000-0x00007FF6343B4000-memory.dmp	vmprotect

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
104	api.myip.com
105	ipinfo.io
106	ipinfo.io
129	api.myip.com
130	api.myip.com
131	ipinfo.io
132	ipinfo.io
103	api.myip.com

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Install.exe
File opened for modification	C:\Windows\System32\GroupPolicy	Install.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Install.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Install.exe
File opened for modification	C:\Windows\System32\GroupPolicy	Install.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	Install.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133377853178391242"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3904	chrome.exe
3904	chrome.exe
1124	chrome.exe
1124	chrome.exe
3392	Install.exe
3392	Install.exe
3392	Install.exe
3392	Install.exe
1556	Install.exe
1556	Install.exe
1556	Install.exe
1556	Install.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe
Token: SeShutdownPrivilege	3904	chrome.exe
Token: SeCreatePagefilePrivilege	3904	chrome.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
4092	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe
3904	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3392	Install.exe
1556	Install.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 232	3904	chrome.exe	82
PID 3904 wrote to memory of 232	3904	chrome.exe	82
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4620	3904	chrome.exe	84
PID 3904 wrote to memory of 4472	3904	chrome.exe	86
PID 3904 wrote to memory of 4472	3904	chrome.exe	86
PID 3904 wrote to memory of 1348	3904	chrome.exe	85
PID 3904 wrote to memory of 1348	3904	chrome.exe	85
PID 3904 wrote to memory of 1348	3904	chrome.exe	85
PID 3904 wrote to memory of 1348	3904	chrome.exe	85
PID 3904 wrote to memory of 1348	3904	chrome.exe	85
PID 3904 wrote to memory of 1348	3904	chrome.exe	85
PID 3904 wrote to memory of 1348	3904	chrome.exe	85
PID 3904 wrote to memory of 1348	3904	chrome.exe	85
PID 3904 wrote to memory of 1348	3904	chrome.exe	85
PID 3904 wrote to memory of 1348	3904	chrome.exe	85
PID 3904 wrote to memory of 1348	3904	chrome.exe	85
PID 3904 wrote to memory of 1348	3904	chrome.exe	85
PID 3904 wrote to memory of 1348	3904	chrome.exe	85
PID 3904 wrote to memory of 1348	3904	chrome.exe	85
PID 3904 wrote to memory of 1348	3904	chrome.exe	85
PID 3904 wrote to memory of 1348	3904	chrome.exe	85
PID 3904 wrote to memory of 1348	3904	chrome.exe	85
PID 3904 wrote to memory of 1348	3904	chrome.exe	85
PID 3904 wrote to memory of 1348	3904	chrome.exe	85
PID 3904 wrote to memory of 1348	3904	chrome.exe	85
PID 3904 wrote to memory of 1348	3904	chrome.exe	85
PID 3904 wrote to memory of 1348	3904	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://urluss.com/2vwDG8
1⤵
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d6899758,0x7ff8d6899768,0x7ff8d6899778
  2⤵
  PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1708,i,13494953359564412941,17432398031621392191,131072 /prefetch:2
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1708,i,13494953359564412941,17432398031621392191,131072 /prefetch:8
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1708,i,13494953359564412941,17432398031621392191,131072 /prefetch:8
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1708,i,13494953359564412941,17432398031621392191,131072 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1708,i,13494953359564412941,17432398031621392191,131072 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4472 --field-trial-handle=1708,i,13494953359564412941,17432398031621392191,131072 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4660 --field-trial-handle=1708,i,13494953359564412941,17432398031621392191,131072 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 --field-trial-handle=1708,i,13494953359564412941,17432398031621392191,131072 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 --field-trial-handle=1708,i,13494953359564412941,17432398031621392191,131072 /prefetch:8
  2⤵
  PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4852 --field-trial-handle=1708,i,13494953359564412941,17432398031621392191,131072 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4612 --field-trial-handle=1708,i,13494953359564412941,17432398031621392191,131072 /prefetch:1
  2⤵
  PID:1100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 --field-trial-handle=1708,i,13494953359564412941,17432398031621392191,131072 /prefetch:8
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3824 --field-trial-handle=1708,i,13494953359564412941,17432398031621392191,131072 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5080 --field-trial-handle=1708,i,13494953359564412941,17432398031621392191,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1124

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3692

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Setup_pass1234\" -spe -an -ai#7zMap19451:88:7zEvent24013
1⤵
- Suspicious use of FindShellTrayWindow
PID:4092

C:\Users\Admin\Downloads\Setup_pass1234\Install.exe
"C:\Users\Admin\Downloads\Setup_pass1234\Install.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:8

C:\Users\Admin\Downloads\Setup_pass1234\Install.exe
"C:\Users\Admin\Downloads\Setup_pass1234\Install.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A65DBECD82A40019E873CE4ED0A79570

Filesize
1KB

MD5
f2f17b6068e660ed209495ed87b0be15

SHA1
f47eb13ffe813cc439ae4aba78095988e814dc24

SHA256
59747b798be009a3820b8c2b099eb25ee240a3876cd7b8452bf4b868c690b7cb

SHA512
6873e99433836f450d30bcd9209958252a9bbc8f26f476acaca14b984b1be5eaaa6f0639193cf50c502c83855bbe95cb90bcad7f0b21670c7de192c30dd981dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C

Filesize
1KB

MD5
67b9e62a9ee1eece1caa04b5945224ea

SHA1
dc51c53e7afb5170d9b06e242ce32bf1dcfd6085

SHA256
f4f150fbe80d46e3b4925cffd18a915e4287836f1a282d33498c59ad1b042e6c

SHA512
91d4b00e6e243f5801ad73e0e294e475dd37e946208bb2e939513ff28777af52f7c46675c347aeb54521b9b67ef7fae8ea57907a886f58a74faea28391468a65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A65DBECD82A40019E873CE4ED0A79570

Filesize
536B

MD5
67984d48c5c26e65b7130884624d6890

SHA1
ecf04647369a1f710856a1c41315c5e4ad721226

SHA256
2e8985f14ab5f18eb1acb6498a02030f7192d5d9c00511439f76a1b944b49c5a

SHA512
4fb03555df6e4b3a9a99b6822078d20bacd3a365987c6b472ef2a65125b97b95ec03a9d93d01e3f6233c1018a4ca153b24b8e9623089992b9d068719e3f06c7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C

Filesize
492B

MD5
22124f2509c2dc5fb6e8b026505fa892

SHA1
8173e2766431e89161e07616f06d16c1e6dbcbcc

SHA256
0ba4e1fd81bf9cc9d77e7826ca24ccc40628926c6db3a209bc9dfa4aadcfa083

SHA512
ab92c81fa092d0ad67deaf5c3f61e893cebb16ef083b7a93780a96c5ced720ec383ae9b29d87cabc62a190be10e4051c30484c8a02a2493af61bb83f49cd1084

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\4f3560b3-a484-4f26-86b6-5b0805b16ac1.tmp

Filesize
114KB

MD5
a4b9f629ef7bc5f3b4c7b284da96c2e8

SHA1
71b42cdda921905a164990ebe92655a60f0216a3

SHA256
72b8c0ddf3801bcb3ee80a67e49ec502d46fd967feaead3906beb7c9b3688054

SHA512
91b0c9e59f8b4bb3e88468a7ee718622b733e1364e3f9bbc0b87c48ff29a671b4e1526d269265c6c69f43153182ff3603538511e4310ae6d223050fb3c6fc8a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
bf55b20b2ecad900e0b1b8e133f94eb0

SHA1
d9def149c6b9d8f3771f4dd2d5eb03d2186c46d3

SHA256
3a0ac910e881aa4e1bdfa1f775f03791c98b1331644e2a3041f40cda43807269

SHA512
3306f94a67ebe19ea91952ac9a4a62bf9edcb5757ed8c02cf69f3ffc8e224b101870e5b3922f0047a8664d60eace938537ed49b522e0f1e520ba1f477920b4a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
3624df065cd9ad8292f44ac34eeb2ab0

SHA1
c9e5ceaea02c700b65ef137be755acae9ee715b2

SHA256
0f559204c8a0868cc45f36a5feb74fa71a478e3bf9e410aa813c04c51fd66d5a

SHA512
8430abb03b171ce87a5943a6443257dfede01e13f859e723ac215b49de6e3d8c6da05785908b5a588caf14d58237424fe1143faba08f6420a1a37224b03a5e0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
404584cd9f8fa9b0e6fd3be44cba27d8

SHA1
78516f79f4645c68f61c312bb02fd5959266dab3

SHA256
3e46f947d34ac0dae98d8bc272199e2e7bc26380c3d7167c2a16a36ed33270c1

SHA512
ab8b2d0bb8d4f680275c456bd999d97b521c8a33236eb4069ecbcdd944321eeeda7e4123c6e84c3d74d9288d8b63178c214787e9e11f8c01a31cd40f906cc192

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
938c9b5553dcdbb13117048500212fea

SHA1
70f81c25bfb1d8088cb80da077669a5a3fee2d57

SHA256
df41bc1082c697fe5142d5bcd9ae58d3380e2ad6821c6da187141be5a962b085

SHA512
526a4322c99ed7dd8db2ab151175629773660fde10bef11064730c85c44e26cfcdbfa2617a209e840d3451757f98a793d458e7cfd729137bb5a03e4d10c9e62e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4b19a6aa568bfd9e2cf6e36408f14541

SHA1
71b6016ae4abb31eddddf0a580655a7fbc88d23d

SHA256
1edb8662ed6025c39739d1f538b4c8a8fe9566d50ccf45fdeace76513663e950

SHA512
dd41ada937cf1635b1c683bc33ff953e02510e1d668ce39642b9f7b44450700b2a803e13bbcb8d2f8928fb9dc9d47d52455c089a668a5f5eeddf78c2570292f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b2d9a60f1a23170010302041aa06ca0b

SHA1
aad1f44b2deec9de674836d4cfe0e5598f88827e

SHA256
f1957b3c76cf1702f636ac10836eb0fa2ae08a75900d17f79cebcb5b5e12213a

SHA512
9a793dc3a0e508a27d8f538895bf20e05860c8132d168e6be2e4acf24fd9363cf946c9187211c4754d631d323cac9a584cae27adb45fab468408c08c9a3f8796

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
538c27e6378de00b290f1f0cf9c465f4

SHA1
141feac1e3241e68a58458f2dc0d1611cc9440dc

SHA256
5f7b2cfcb0591dd6a69057e550ac554f6385d6d3eecd1d153ce955171703a36a

SHA512
6d403203f0dc4c72e170bc439076c0cc93cd240b0e11895dc063e37b773682c056475d55acedfb3cb2be59ce346de77690e430ecd7b37ee4efd18ce19802d5f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
15e841480e3f49b12b384be9b38c4fdd

SHA1
e6eda05ef28e672ddc4d93ea30625106e5fa00c5

SHA256
3708b5b3c2c0178465ffaa180fb1dca182b8959230d91a11398e915a841377a9

SHA512
90b85fc06a5d4e8b9f1988798f55f40177ab842e4308c0c43958fe0b125bed9be6019e72e2ddc8c0da02949816c4aada605b321e2d217f9db4bd26a3025125d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
801e99dcfa20dbb45d7d1b410452f5c2

SHA1
a0d63c2f1f0b95e88fd45c7f5186921f3e552019

SHA256
83ad064f785b2f74cf01dce248875a857e459b9008c47e1988027c62e48b7f08

SHA512
8242594626a4481c0a817b3eec2d67c431e41010b8afd92afc880017a03a358f79167cde2ebdf8d42d710ec186235c976ea39650c5643dcc398d7cc754f46e7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
54820781d310df8d856e4fc2b1f1a4b2

SHA1
457f0cb8be5147b60d7ab93bb01daab64f2b6a30

SHA256
92b150c7a49f3c514f6bfb8b4a3d59acf512c976f90bb6bc405b5f90b334e592

SHA512
dcf0539cc32294bbecb61445fbb63b53682149da4d713d17f6c41a7f3ff9003253c9c548585bda9e781053ec76bdffcc7fbf87590b16727054865c7e4f1997f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6fba7150c2ceeff7332a13c78f7fc31f

SHA1
cb67581cc1b13f4f0db5a6b45e165ce6304975e5

SHA256
cd1ce7025e2f6237cc246580b324e6cdcadcb6a4fe2e0d49dc39d29608c44270

SHA512
73e8efe39abf0cbf5d325cf82078d7171091653ce28a76b4c9bea22ee2c2ede112dc0044f059f70217d9ae29353e78d0d790e1ab815a520b5149b7b27b07a636

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
8c62a6b460b5d6286d917bc8e1fb2f83

SHA1
bf4ef2e37c17a7e1c4ab26577fb4b806274396fb

SHA256
aac16483bb718b80a0e6d8d5cbd77b43b5132a05cc4f65d72c4b6ed801430c0c

SHA512
4a497e4d94cd7d8e84b48e64151ea1c56ee40da5af13b20aae3af4bf3045a45b1050f3929da44621d417acea08b0ddcf6a57a666115c536e376666601300edd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
36345a6fd2b0a9c5a210c441a717ceb1

SHA1
1224a818991cc3cc4096148ba859ee2668c921b9

SHA256
8d9d6f7fb2bcde6c7c5b0fa4dbf68fac4738c71120de65e91765bc19a1d08a15

SHA512
19234ef05164ecba99204eff14e452ae0ea4b38854130a72dc4742a6e8f68db2389081d57fb6719ab56cfb4c8ddd36a43a73a41a5c0b0f7312abf9dab1006b73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58b541.TMP

Filesize
104KB

MD5
aaec796a3d0e960418eb3c509684e6c4

SHA1
2cdf4d9a979121956ef4cf76ddd4f973defc7ba1

SHA256
37849696a22353f7df4b6dcca8b6126c0bd2f5c31acc8f9e28f96b9e38b8fa64

SHA512
7c7ea3e0c3e2d6e706d0c0cf5b06976187f90e014ccf90d280d00193c065dca533d004398aab8e78e10b3e4580433515ddb756409a9d6825d1738ae15a9fa655

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\Setup_pass1234.7z

Filesize
6.7MB

MD5
c9328594be0ae6b19feca6629ab32af9

SHA1
0709f60c100a7bb9f85a9b63d711a2bcef45efaf

SHA256
e75d7683a9570bf5bb8bb0d42690a216f9c56bedc6a8c24857631ca2123312eb

SHA512
622592b06ea4217f2d89baf3238130af97a1f28ee2fdefee960b7f979d3e08228d7c888e3a6be57f5dd7eec25a80cdb437114989547e9128c3c4668328207bd6

Download Submit
C:\Users\Admin\Downloads\Setup_pass1234.7z.crdownload

Filesize
6.7MB

MD5
c9328594be0ae6b19feca6629ab32af9

SHA1
0709f60c100a7bb9f85a9b63d711a2bcef45efaf

SHA256
e75d7683a9570bf5bb8bb0d42690a216f9c56bedc6a8c24857631ca2123312eb

SHA512
622592b06ea4217f2d89baf3238130af97a1f28ee2fdefee960b7f979d3e08228d7c888e3a6be57f5dd7eec25a80cdb437114989547e9128c3c4668328207bd6

Download Submit
C:\Users\Admin\Downloads\Setup_pass1234\Install.exe

Filesize
693.8MB

MD5
4b330268e47192540de0405f1fdd731e

SHA1
aff6597a598c477134177928b667460501419e48

SHA256
357b4d2394dfe1dc376f73901cbd1bb1224f665a7b4c46e7a40c57bb53e03c37

SHA512
524258a115e31d7f0858d1639486228ceb09c35247cd5cea973d0e7ff4e9580de108fa312330b51218a16c007f754e4771d532682339938b8564ae44073a3937

Download Submit
C:\Users\Admin\Downloads\Setup_pass1234\Install.exe

Filesize
602.3MB

MD5
ffe3f9fbfd32b1866339cc195227bdc9

SHA1
b79d240021634cf6065d0b3b8286e4bc2bbc6465

SHA256
b5f1477b32374cdc76194afa987eb15c02206ea3d73b453e653974c590214490

SHA512
c7372ec10d0139f9f9b7cc9eb93081c1108d0a71f57a16d0168f997035c093495d0f9f2dc5acba6f3a9fd67b52dca453a9edb52bd6ff211e20cb0032182009c7

Download Submit
C:\Users\Admin\Downloads\Setup_pass1234\Install.exe

Filesize
462.4MB

MD5
20e988fc9fe243c7945029b53b7bac2c

SHA1
69fcba12808fe85d50f5278632fefbb4f0eee97c

SHA256
9cb616bd05c3b5a0842bf1ffca5594183879e691f93de4e1f4810ec363456b58

SHA512
6b5e5ed6d4cf819aa56ae63eefc87b6a3953086c6d10532094accaef084a389503820b276db713303afa35fa3ed554cca02f5e8feea09a87ed95c328b210023a

Download Submit
C:\Users\Admin\Pictures\Minor Policy\ro2BTGDknnC13xC_kC2oO2hf.exe

Filesize
190KB

MD5
495d874d9ea31b02a3b915447a26ca05

SHA1
f2b6a16d7e425a3c42f72a72d617e9139cc53c32

SHA256
b5a86e4d8c0ca6c6b440550305719f4f74461b43026535b8a061195017ccf785

SHA512
d703af21fb34c046d3b3d77d7447f4b3826a52a32063a09a4f3d46ca7755eb59a75bbb80a1026dcd64fdd78c9081859a2cf670952c50d9eaa1015462e105a23a

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol

Filesize
1KB

MD5
cdfd60e717a44c2349b553e011958b85

SHA1
431136102a6fb52a00e416964d4c27089155f73b

SHA256
0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f

SHA512
dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/1556-269-0x00007FF633560000-0x00007FF6343B4000-memory.dmp

Filesize
14.3MB

Download
memory/1556-268-0x00007FF633560000-0x00007FF6343B4000-memory.dmp

Filesize
14.3MB

Download
memory/1556-289-0x00007FF633560000-0x00007FF6343B4000-memory.dmp

Filesize
14.3MB

Download
memory/3392-256-0x00007FF633560000-0x00007FF6343B4000-memory.dmp

Filesize
14.3MB

Download
memory/3392-234-0x00007FF633560000-0x00007FF6343B4000-memory.dmp

Filesize
14.3MB

Download
memory/3392-235-0x00007FF633560000-0x00007FF6343B4000-memory.dmp

Filesize
14.3MB

Download
memory/3392-233-0x00007FF8E4AF0000-0x00007FF8E4AF2000-memory.dmp

Filesize
8KB

Download