fabookie | e46cfaaee5da4b1d369db1d1dca420d39c347227d95a445910f7adc7c286b5c9

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2024 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe
Size

6.6MB
MD5

623e41eaeb69f117691080e4ac4cd1bc
SHA1

dd330ae575e184f8955324a9d7c1e572306ae175
SHA256

fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983
SHA512

25104b32809f5cbd9ff22a528f77c90540e99e9d5193eba026ea269357f2e6d5b3ae6de0bcdc9be0dee9ee3a092eb909a3f404f74d33c71d0823107f9c206f74
SSDEEP

196608:jBoKvFpMWN59w86tAWGmKCJWd4IZ82mb5p5xsxu+lpf:jBNvF6WN5i86SWGmpsnZMYu+T

Score

10^/10

fabookie glupteba stealc discovery dropper evasion loader persistence rootkit spyware stealer upx

Malware Config

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral2/memory/336-85-0x0000000002E30000-0x0000000002F61000-memory.dmp	family_fabookie
behavioral2/memory/336-209-0x0000000002E30000-0x0000000002F61000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 14 IoCs

resource	yara_rule
behavioral2/memory/908-141-0x0000000002F40000-0x000000000382B000-memory.dmp	family_glupteba
behavioral2/memory/908-142-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/908-210-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/908-212-0x0000000002F40000-0x000000000382B000-memory.dmp	family_glupteba
behavioral2/memory/4516-216-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4516-313-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/608-333-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/608-419-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/608-431-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/608-436-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/608-441-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/608-446-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/608-451-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/608-456-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2180	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	nsw5872.tmp

Executes dropped EXE 10 IoCs

pid	Process
908	e0cbefcb1af40c7d4aff4aca26621a98.exe
336	rty27.exe
4836	InstallSetup8.exe
4592	BroomSetup.exe
2752	nsw5872.tmp
4516	e0cbefcb1af40c7d4aff4aca26621a98.exe
608	csrss.exe
4316	injector.exe
4684	windefender.exe
3764	windefender.exe

Loads dropped DLL 4 IoCs

pid	Process
4836	InstallSetup8.exe
4836	InstallSetup8.exe
2752	nsw5872.tmp
2752	nsw5872.tmp

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000800000001e5e4-423.dat	upx
behavioral2/files/0x000800000001e5e4-425.dat	upx
behavioral2/memory/4684-427-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/files/0x000800000001e5e4-422.dat	upx
behavioral2/memory/3764-433-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/3764-443-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	Conhost.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	e0cbefcb1af40c7d4aff4aca26621a98.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	e0cbefcb1af40c7d4aff4aca26621a98.exe
File created	C:\Windows\rss\csrss.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
File created	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5008	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3408	2752	WerFault.exe	100

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nsw5872.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nsw5872.tmp

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3352	schtasks.exe
260	schtasks.exe
4324	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2576	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-352 = "FLE Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	Conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	Conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time"	windefender.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2752	nsw5872.tmp
2752	nsw5872.tmp
4320	Conhost.exe
4320	Conhost.exe
4320	Conhost.exe
908	e0cbefcb1af40c7d4aff4aca26621a98.exe
908	e0cbefcb1af40c7d4aff4aca26621a98.exe
392	powershell.exe
392	powershell.exe
392	powershell.exe
4516	e0cbefcb1af40c7d4aff4aca26621a98.exe
4516	e0cbefcb1af40c7d4aff4aca26621a98.exe
4516	e0cbefcb1af40c7d4aff4aca26621a98.exe
4516	e0cbefcb1af40c7d4aff4aca26621a98.exe
4516	e0cbefcb1af40c7d4aff4aca26621a98.exe
4516	e0cbefcb1af40c7d4aff4aca26621a98.exe
4516	e0cbefcb1af40c7d4aff4aca26621a98.exe
4516	e0cbefcb1af40c7d4aff4aca26621a98.exe
4516	e0cbefcb1af40c7d4aff4aca26621a98.exe
4516	e0cbefcb1af40c7d4aff4aca26621a98.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
4464	powershell.exe
4464	powershell.exe
4464	powershell.exe
2988	Conhost.exe
2988	Conhost.exe
2988	Conhost.exe
1112	powershell.exe
1112	powershell.exe
1112	powershell.exe
3908	powershell.exe
3908	powershell.exe
3908	powershell.exe
4316	injector.exe
4316	injector.exe
4316	injector.exe
4316	injector.exe
4316	injector.exe
4316	injector.exe
608	csrss.exe
608	csrss.exe
4316	injector.exe
4316	injector.exe
4316	injector.exe
4316	injector.exe
4316	injector.exe
4316	injector.exe
608	csrss.exe
608	csrss.exe
4316	injector.exe
4316	injector.exe
4316	injector.exe
4316	injector.exe
608	csrss.exe
608	csrss.exe
4316	injector.exe
4316	injector.exe
4316	injector.exe
4316	injector.exe
4316	injector.exe
4316	injector.exe
4316	injector.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe
Token: SeDebugPrivilege	4320	Conhost.exe
Token: SeDebugPrivilege	908	e0cbefcb1af40c7d4aff4aca26621a98.exe
Token: SeImpersonatePrivilege	908	e0cbefcb1af40c7d4aff4aca26621a98.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	2988	Conhost.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	3908	powershell.exe
Token: SeSystemEnvironmentPrivilege	608	csrss.exe
Token: SeSecurityPrivilege	5008	sc.exe
Token: SeSecurityPrivilege	5008	sc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4592	BroomSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 908	2776	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe	91
PID 2776 wrote to memory of 908	2776	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe	91
PID 2776 wrote to memory of 908	2776	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe	91
PID 2776 wrote to memory of 336	2776	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe	93
PID 2776 wrote to memory of 336	2776	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe	93
PID 2776 wrote to memory of 4836	2776	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe	94
PID 2776 wrote to memory of 4836	2776	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe	94
PID 2776 wrote to memory of 4836	2776	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe	94
PID 4836 wrote to memory of 4592	4836	InstallSetup8.exe	95
PID 4836 wrote to memory of 4592	4836	InstallSetup8.exe	95
PID 4836 wrote to memory of 4592	4836	InstallSetup8.exe	95
PID 4836 wrote to memory of 2752	4836	InstallSetup8.exe	100
PID 4836 wrote to memory of 2752	4836	InstallSetup8.exe	100
PID 4836 wrote to memory of 2752	4836	InstallSetup8.exe	100
PID 4592 wrote to memory of 260	4592	BroomSetup.exe	143
PID 4592 wrote to memory of 260	4592	BroomSetup.exe	143
PID 4592 wrote to memory of 260	4592	BroomSetup.exe	143
PID 260 wrote to memory of 2712	260	schtasks.exe	103
PID 260 wrote to memory of 2712	260	schtasks.exe	103
PID 260 wrote to memory of 2712	260	schtasks.exe	103
PID 260 wrote to memory of 3352	260	schtasks.exe	104
PID 260 wrote to memory of 3352	260	schtasks.exe	104
PID 260 wrote to memory of 3352	260	schtasks.exe	104
PID 908 wrote to memory of 4320	908	e0cbefcb1af40c7d4aff4aca26621a98.exe	140
PID 908 wrote to memory of 4320	908	e0cbefcb1af40c7d4aff4aca26621a98.exe	140
PID 908 wrote to memory of 4320	908	e0cbefcb1af40c7d4aff4aca26621a98.exe	140
PID 2752 wrote to memory of 4892	2752	nsw5872.tmp	116
PID 2752 wrote to memory of 4892	2752	nsw5872.tmp	116
PID 2752 wrote to memory of 4892	2752	nsw5872.tmp	116
PID 4892 wrote to memory of 2576	4892	cmd.exe	118
PID 4892 wrote to memory of 2576	4892	cmd.exe	118
PID 4892 wrote to memory of 2576	4892	cmd.exe	118
PID 4516 wrote to memory of 392	4516	e0cbefcb1af40c7d4aff4aca26621a98.exe	122
PID 4516 wrote to memory of 392	4516	e0cbefcb1af40c7d4aff4aca26621a98.exe	122
PID 4516 wrote to memory of 392	4516	e0cbefcb1af40c7d4aff4aca26621a98.exe	122
PID 4516 wrote to memory of 4080	4516	e0cbefcb1af40c7d4aff4aca26621a98.exe	126
PID 4516 wrote to memory of 4080	4516	e0cbefcb1af40c7d4aff4aca26621a98.exe	126
PID 4080 wrote to memory of 2180	4080	cmd.exe	125
PID 4080 wrote to memory of 2180	4080	cmd.exe	125
PID 4516 wrote to memory of 1940	4516	e0cbefcb1af40c7d4aff4aca26621a98.exe	128
PID 4516 wrote to memory of 1940	4516	e0cbefcb1af40c7d4aff4aca26621a98.exe	128
PID 4516 wrote to memory of 1940	4516	e0cbefcb1af40c7d4aff4aca26621a98.exe	128
PID 4516 wrote to memory of 4464	4516	e0cbefcb1af40c7d4aff4aca26621a98.exe	131
PID 4516 wrote to memory of 4464	4516	e0cbefcb1af40c7d4aff4aca26621a98.exe	131
PID 4516 wrote to memory of 4464	4516	e0cbefcb1af40c7d4aff4aca26621a98.exe	131
PID 4516 wrote to memory of 608	4516	e0cbefcb1af40c7d4aff4aca26621a98.exe	134
PID 4516 wrote to memory of 608	4516	e0cbefcb1af40c7d4aff4aca26621a98.exe	134
PID 4516 wrote to memory of 608	4516	e0cbefcb1af40c7d4aff4aca26621a98.exe	134
PID 608 wrote to memory of 2988	608	csrss.exe	149
PID 608 wrote to memory of 2988	608	csrss.exe	149
PID 608 wrote to memory of 2988	608	csrss.exe	149
PID 608 wrote to memory of 1112	608	csrss.exe	139
PID 608 wrote to memory of 1112	608	csrss.exe	139
PID 608 wrote to memory of 1112	608	csrss.exe	139
PID 608 wrote to memory of 3908	608	csrss.exe	145
PID 608 wrote to memory of 3908	608	csrss.exe	145
PID 608 wrote to memory of 3908	608	csrss.exe	145
PID 608 wrote to memory of 4316	608	csrss.exe	147
PID 608 wrote to memory of 4316	608	csrss.exe	147
PID 4684 wrote to memory of 4232	4684	windefender.exe	153
PID 4684 wrote to memory of 4232	4684	windefender.exe	153
PID 4684 wrote to memory of 4232	4684	windefender.exe	153
PID 4232 wrote to memory of 5008	4232	cmd.exe	152
PID 4232 wrote to memory of 5008	4232	cmd.exe	152

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe
"C:\Users\Admin\AppData\Local\Temp\fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
  "C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:4320
- - C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
    "C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4080
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1940
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4464
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Manipulates WinMonFS driver.
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:608
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2988
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:4432
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        Suspicious use of WriteProcessMemory
        
        PID:260
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3908
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4316
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:4324
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
    - - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4684
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4232
- C:\Users\Admin\AppData\Local\Temp\rty27.exe
  "C:\Users\Admin\AppData\Local\Temp\rty27.exe"
  2⤵
  - Executes dropped EXE
  PID:336
- C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      4⤵
      PID:260
- - C:\Users\Admin\AppData\Local\Temp\nsw5872.tmp
    C:\Users\Admin\AppData\Local\Temp\nsw5872.tmp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsw5872.tmp" & del "C:\ProgramData\*.dll"" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4892
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        5⤵
        Delays execution with timeout.exe
        
        PID:2576
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 2384
      4⤵
      Program crash
      PID:3408

C:\Windows\SysWOW64\chcp.com
chcp 1251
1⤵
PID:2712

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
1⤵
- Creates scheduled task(s)
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2752 -ip 2752
1⤵
PID:1844

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:2180

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3764

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
573KB

MD5
d74997e0ec35dc9ed9979e873e037b74

SHA1
07bf25f6ac72b787428c34b8bdd907577c753a62

SHA256
6b267e496cf5dc7038aad1b98abb590ab10616159528903153ff839c0dbafb9c

SHA512
116da2f301f4cb3f1e42f12e9067a65bb8df513d31c9df09cf25e915c8f0318b0d756f1aeb9b7b97ae4526eb6a63950ba959cc4aecd6c74de4c0efc1ae18bf57

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
615KB

MD5
3edb907c167be9488470099e56eac280

SHA1
1a838580eb8805b24279a3dc3de7501677720697

SHA256
9bb1cbbb9bcaaa19ac5e5260ab476183a3f80efa395990cadde48b56567a727d

SHA512
3b11a8a8635d7e4a4bec240bdcde31bd8f466992ff2d4c14b0a3ee847a1e35f6ef65d5b4ad5e2d4c49192758918beb6e7aa19d11da6434e6b9a1fc07435f5f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

Filesize
987KB

MD5
026b7da54e3eef5633747d5f33ddb2bc

SHA1
1ae52067936ff599096cd3b996c9c69fe165df41

SHA256
132055b1645014b4e226dd81c1526e107a80a11c8702d40a38e1d72d057b6e1c

SHA512
ddc7d36dfad2cff6685e43ef823f09810170f20d657dc39d8e14cab6081eefdbd9b11e844aa89ab525846e69189ff7c932478b2b5c4c026b728c01e88b400e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe

Filesize
405KB

MD5
c7ac926059fd5d592003d3ff088f1ea1

SHA1
93f099ce80cb5a78c827ef355addaaf077c3321e

SHA256
7bbbe5e1a6a078f0d52eff4251c3fca5ca6bea622e64c46a1be496a741364f01

SHA512
0e1955473474ac40a4cd5fb3d4e3bc0a91cf2cea57f81fc7178032c1843a39844450cb46931abcc82fd1874dc8ee09481d5369942d65cf66799c88b401f6787a

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe

Filesize
289KB

MD5
9b5f5d874301edfd430fd021008efa5e

SHA1
787ebe70004dee8aea2496b2cdc6ce059c40a525

SHA256
eac6de757eb2667252d7b8a1542e13b3f9704ef5fb0e21ad009d1ee384e6008e

SHA512
8147d56d265624adc2d1d803f396d083c07d8da46344844905e7f99b10a48b9d23296b8dc6ef1c9589efe8cbfc1aba3ba59c890f719d47eb46def0c830de2b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe

Filesize
677KB

MD5
1a8d7b35464c8244de6b1d722ad6b52c

SHA1
8d1d34a810e01fc48c9ef41735b43e1d64e10ad5

SHA256
e78c1b1fc5187d949e53fb96c395c09bcfe9dc1f3dafd8520611f6c46979e24a

SHA512
94f7a08728363941b13cd445e78285a71aab51809914aff108ae74449a590a8e066f91329eb1643315fec19b05f5df3f4690e25a247c88aea243e8f5b29192ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_okey2brz.uex.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
141KB

MD5
8b1d3864094dc898eef3d5b48624e3b8

SHA1
562a51f35367e737ddaede96dc4d4222f1464961

SHA256
5f800ce618051e5ce8ec9ce4d0ebe541e5de6711cb204d995d4872c5434f4c55

SHA512
ec423fc79f4370b9c64fcc1c061cfd5b223c14a2aed2de0692869dc86e0f3dcebe25c49d7a6f8abcb963e73581745532f13e8d3bd196b51229d5e00212c9e318

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
238KB

MD5
008bb1d7650a9a500e6a1bba45056628

SHA1
2d7a704046780a7d86413b7a824995874f080df2

SHA256
37f9c86a042a85115ef8f51a59059ad9f134f202548fc62a1036f7f145a849ca

SHA512
83ebad8837309f2afa2e2f95b3eaac5fb9d2a342269aeb82a11230fbbe3c00f099599a330782511eb908a78981cc442191b1a78636668372ffb3513f9a92188f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
588KB

MD5
66e28cd1dd35ee02d007f0bd94498a48

SHA1
f4564fca0df80662ff02f0d96542b295e0234572

SHA256
40559b89691e621ef0d0ace0c3474c22e25bb2d5f11fdcea9ddc97c4bb5858aa

SHA512
6d12ae56262b7aac732a678c12f219a1c6aa1782e26ce1fd90eadc7fbf37db19ade43b5fa6f59652e4f6610f6414d28b86b2b15078ebaabb8063b1462f21abd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
178KB

MD5
22c39a2c756fa539d572d49078fc6461

SHA1
7bea35ce8a4474131921f5f3c962cd1b232cf025

SHA256
1c0cdda5dfa5cd3c150e00d2e5667ded7cd717945aebc6b6b102618eba92faa5

SHA512
e2793a200a0f7dcf55b27c03b209ca2a0fac028de23c24c85e3cc548a8d4580f2de8da687912595c1e2bff6f7e706d48c952d85f1efc0b3e482b3f295a877634

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
375KB

MD5
2ff2aad80d53571cb875821819f93026

SHA1
70a4f5684d29e7887e14c9fbe053e3571f6bb11f

SHA256
a9816bea69f843e3afbd6d8b1888bdba41383e9812b1299a3ec43cbac7ca5273

SHA512
ca0aacadd9c91b95f06b88b96adc89eeb651ef82893fcaf1a9b470aa92990cfa8f4db85294b8ac38dab8838ffe4576f1905a024b7d107c3ece61a9187e272580

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
700KB

MD5
2dd51e49ba015d1aab20cdd06e0b541c

SHA1
2a933cd4f2fe9c64c626dfc89106f8c2d191db56

SHA256
9630333c7ddfb7224e45ecaeae8dded0989f731bca7f22de74f543cdcd6ec92e

SHA512
1154f31c35deaf88f2cb95d46dd4330d6ee391b9d84dba9e50234dc24fad03c74af514dd4bb81c6ea2f79655e827651b2aedf10ca418aa5999ef22a1c152548e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq5593.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw5872.tmp

Filesize
207KB

MD5
b6975d1aaa6497e17acf7b0d1d8c9acf

SHA1
2591b55060f4a9b514f4d44510864d67bc7598ba

SHA256
6026009c348d53d25b31126fc8d59154d7f916e73b2ad3cac33f39f137951890

SHA512
d5e1a6f6fc7fa7bab07a1fbd02b232e502b39c5b283b4132325dc5760dfa3bac6f00f62bc9b38f126f62322476924e60985b1e0ee71bab06550a005af8040c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty27.exe

Filesize
357KB

MD5
b4c5f1591d6a93a7ebbf51f37e65ee10

SHA1
c25932a93b1d621b198bcbc3beba414409f97c59

SHA256
7bebbd89b538434aa58340075fdff601e7b84d87cf23349aecd1002520058850

SHA512
f989b1be879d8d5ff2acd0c6fda7dba562078ef675602e022d8bf7bab8c03afe3623bce484bf292117a1d149cb49fc788f6344a41defe3fd17be5cc4eaab5276

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty27.exe

Filesize
369KB

MD5
04d09043575b509ad237fbaaf5e36efd

SHA1
10298ff4d0908ec34a449f8967cc12eabc4e56da

SHA256
5984de213458470ca4bd9c07f0bbe713deb6fc692cfd5604f590c2461c13f685

SHA512
5d1bcca83fe338c44705c0f7c7c75add7e14ef3b75b1beb98573c88127fa445b46c2bb44ad61cee8aacb2930701b1b4657746d58862eb17869f3f92ff26f3523

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty27.exe

Filesize
249KB

MD5
7fbb11bc73152e8b70a243edbd80f493

SHA1
9b2fba20a1d5d5dae29a422b84dbd1c62003a8df

SHA256
ac517243f8bf4ca453c1d64af0a738fc347bfd48d01c3f5a3a8603330d96eb48

SHA512
e79ca56521d144422ad864b3069e50f617e952b39dc54b764fd4f03a707f79cbdea3088d059f1d1f13de611318b5f907787bdf1582808bf64b47555bb9a6a43b

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
ce8b83bffa4b1899af16712cae851d8d

SHA1
63a594ad103810c0d163a5b34ee2c5cca4bf8e61

SHA256
b6f69872ce28fade69c523b8e7665a226cfd838efc206a12de30ca59ffff557f

SHA512
3487f62e3c6f9b7b6986de5e0d3630411768436b4f2171e4853502fc735da25e5afd6c56209efddeb975c43666ec1a2f55f4c8011f23be9c4ff50be47c759ba9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
e78829b5e9db19b49afb0888ed1b387d

SHA1
a484281f2bb3c3579dccf29f3b92b494b63fea68

SHA256
d7de32b7a401bddda482754f267f22669a32017cb452b00f7266453df249c161

SHA512
6b9a320830c35022989cee23db9d7c35ca6384c27db948178bb7f9bdc81f1258f8134acd51a33f4e26ebba62bde06d3e6dc59aebc4a14df62932dbf870470b56

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
da287012d9543a6ed626354806ec4297

SHA1
4d27f10ff8249f64c64a04eb1e4a7db859fda774

SHA256
451a6eaf65347218af52ae737e2c6cafcebada471f8f9f28bbe337a49c92c416

SHA512
a1e3115f5c1dcb3543a300bfca556979904abf5c6483ec91ba343501bb71079f85bb74dab01c62b6e5399d55d483834e54542b1bbf444e8056240d61ab25743f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
bec280428c82bc37ff0fe26a032eccfe

SHA1
5eef7cf3e313bedc675026db9aa33c4eb01152f7

SHA256
fb0b84ecdbb6e14cffdd5e98237c398128fa9436868e1d0c1f69fb7412c8e14e

SHA512
6692f5ca2b6992a68f9d95ae33b713c8ace392ec5a1042baf2d7ea286e0104ffb26a6ce3a3a0222a8f97acbc6993bcac8689c04ba203288ac55a09b0018479eb

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
6be672dc9540afa721114f37bd72d9b4

SHA1
fed9750c8eca5ffbfce8c1f122469ba10e931568

SHA256
3e3ffd512c5bc222c06f7a446c00227496a8a07b899dabb5f0e9962ee47ff54c

SHA512
ab6bddc9f9890a90ebae33525eddedb29af818c807e10fedb3c87cc6cc8b85591c1a7b9f3184b90fbd1a027ecd1e0cb975eb15d39004a41107a396b80ed75e02

Download Submit
C:\Windows\rss\csrss.exe

Filesize
191KB

MD5
721b63974d173d6dacda6395e3d6347b

SHA1
1afdbd609912666e7daa10b5bdbc706bab2acba3

SHA256
818c87e6610e4fd0b051da03d584ad58055d1f02e5e4ca95aac7563f4075c139

SHA512
ace0e9f105ef9e49f36b7a6ea2f97b98f1bb7ecfa88da7b1ffdcb1f9ff2fb8c23194cff37d7ea4c458a0b760adc35bb2dfdf79a608b40486794da8958b23a466

Download Submit
C:\Windows\rss\csrss.exe

Filesize
224KB

MD5
6c30cd63a8a7d234b264ca30f45f3e94

SHA1
df19c69bc72a2a18ee4869f0e677d66f26966ce3

SHA256
52dd0511c0bae65144ae77ad35a80cb5a6c82efa00e5b3263d15464b85e3a14a

SHA512
b499aae6884186b4ab9a3f11d4d164b7fffd08fa1d8d0372f44ee93a5a134ce557c76bb6880c361a19ff4e239fd3f5f4e89f637f08b52ea35b688d3fe875679c

Download Submit
C:\Windows\windefender.exe

Filesize
845KB

MD5
12dac6f2356dc17f910d43b68f242771

SHA1
09b27ed5424b689e564fea618b3683706a204a05

SHA256
b16e1b5b328f0f1db55ec55d5abba65deb7b135ccf50100a8c37d25da907c231

SHA512
c8500e78afa6e3df4b3686b77ba78efc710a701e204436209e19896ab7d57dc9e0a79979a4c58d0efc2baf068a0de5644b74cd12061ea2c0d6ae900ddec6da03

Download Submit
C:\Windows\windefender.exe

Filesize
697KB

MD5
72f638725c9228ea1fc464c9c1d6a56b

SHA1
abb03d9af524b871b17fc1e8fcd36318bdebea0b

SHA256
1ebb3412c4df0234dad5344260765722008d648fdfd1e8fa89f3c592bd5eaca8

SHA512
5f5d9cd70f8960e496c7b71b1d090bff4b3fa87330f8d4c72b7e17d941b23012524febeb8dcfff0b850baa8dc159909ae92bba0fc9d13cbe547e1fb6afad5e1c

Download Submit
C:\Windows\windefender.exe

Filesize
683KB

MD5
e24d097a3983ecfab0399fe43eef5ade

SHA1
bf5287e457088c65bd7dfa3e5ec4eca9d7619122

SHA256
dcab4f6ae9db1eaaa2bb49f79c7ac3315898cd7f06c7b1cf5525b43540ad050e

SHA512
4414aafe766a476cc1196ea74fbbfdc3f1bf28922c6db5628587b8ae47ede7bafd6be38bd72179c96dcc1ccf35b39a7fb8f096e4bd712029d709984d47f9f8a0

Download Submit
memory/336-84-0x0000000002BF0000-0x0000000002CFC000-memory.dmp

Filesize
1.0MB

Download
memory/336-85-0x0000000002E30000-0x0000000002F61000-memory.dmp

Filesize
1.2MB

Download
memory/336-209-0x0000000002E30000-0x0000000002F61000-memory.dmp

Filesize
1.2MB

Download
memory/336-21-0x00007FF6BF660000-0x00007FF6BF6C4000-memory.dmp

Filesize
400KB

Download
memory/392-231-0x0000000074680000-0x00000000746CC000-memory.dmp

Filesize
304KB

Download
memory/392-246-0x0000000007CA0000-0x0000000007CB4000-memory.dmp

Filesize
80KB

Download
memory/392-242-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/392-244-0x0000000007940000-0x00000000079E3000-memory.dmp

Filesize
652KB

Download
memory/392-243-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/392-228-0x0000000006110000-0x0000000006464000-memory.dmp

Filesize
3.3MB

Download
memory/392-232-0x0000000073500000-0x0000000073854000-memory.dmp

Filesize
3.3MB

Download
memory/392-230-0x000000007F810000-0x000000007F820000-memory.dmp

Filesize
64KB

Download
memory/392-217-0x0000000072A40000-0x00000000731F0000-memory.dmp

Filesize
7.7MB

Download
memory/392-229-0x0000000006780000-0x00000000067CC000-memory.dmp

Filesize
304KB

Download
memory/392-218-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/392-245-0x0000000007C50000-0x0000000007C61000-memory.dmp

Filesize
68KB

Download
memory/608-431-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/608-436-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/608-456-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/608-451-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/608-446-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/608-441-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/608-333-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/608-419-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/908-210-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/908-214-0x0000000002B30000-0x0000000002F31000-memory.dmp

Filesize
4.0MB

Download
memory/908-141-0x0000000002F40000-0x000000000382B000-memory.dmp

Filesize
8.9MB

Download
memory/908-140-0x0000000002B30000-0x0000000002F31000-memory.dmp

Filesize
4.0MB

Download
memory/908-142-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/908-212-0x0000000002F40000-0x000000000382B000-memory.dmp

Filesize
8.9MB

Download
memory/2752-186-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/2752-139-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2752-60-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2752-55-0x0000000002240000-0x000000000225C000-memory.dmp

Filesize
112KB

Download
memory/2752-56-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2752-54-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/2752-187-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2752-206-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2776-0-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/2776-1-0x00000000009B0000-0x0000000001056000-memory.dmp

Filesize
6.6MB

Download
memory/2776-28-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/2776-2-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download
memory/3764-433-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3764-443-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4320-192-0x0000000007270000-0x0000000007281000-memory.dmp

Filesize
68KB

Download
memory/4320-191-0x0000000007310000-0x00000000073A6000-memory.dmp

Filesize
600KB

Download
memory/4320-153-0x00000000054B0000-0x0000000005516000-memory.dmp

Filesize
408KB

Download
memory/4320-150-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/4320-149-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/4320-151-0x0000000004D90000-0x00000000053B8000-memory.dmp

Filesize
6.2MB

Download
memory/4320-199-0x0000000072A40000-0x00000000731F0000-memory.dmp

Filesize
7.7MB

Download
memory/4320-194-0x00000000072C0000-0x00000000072D4000-memory.dmp

Filesize
80KB

Download
memory/4320-195-0x00000000073B0000-0x00000000073CA000-memory.dmp

Filesize
104KB

Download
memory/4320-196-0x0000000007300000-0x0000000007308000-memory.dmp

Filesize
32KB

Download
memory/4320-193-0x00000000072B0000-0x00000000072BE000-memory.dmp

Filesize
56KB

Download
memory/4320-171-0x0000000007100000-0x0000000007132000-memory.dmp

Filesize
200KB

Download
memory/4320-172-0x000000007F620000-0x000000007F630000-memory.dmp

Filesize
64KB

Download
memory/4320-174-0x00000000710A0000-0x00000000713F4000-memory.dmp

Filesize
3.3MB

Download
memory/4320-184-0x0000000007140000-0x000000000715E000-memory.dmp

Filesize
120KB

Download
memory/4320-185-0x0000000007160000-0x0000000007203000-memory.dmp

Filesize
652KB

Download
memory/4320-148-0x0000000072A40000-0x00000000731F0000-memory.dmp

Filesize
7.7MB

Download
memory/4320-147-0x0000000002580000-0x00000000025B6000-memory.dmp

Filesize
216KB

Download
memory/4320-152-0x0000000004BD0000-0x0000000004BF2000-memory.dmp

Filesize
136KB

Download
memory/4320-163-0x0000000005690000-0x00000000059E4000-memory.dmp

Filesize
3.3MB

Download
memory/4320-188-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/4320-189-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/4320-190-0x0000000007250000-0x000000000725A000-memory.dmp

Filesize
40KB

Download
memory/4320-165-0x0000000005B90000-0x0000000005BDC000-memory.dmp

Filesize
304KB

Download
memory/4320-173-0x0000000070F40000-0x0000000070F8C000-memory.dmp

Filesize
304KB

Download
memory/4320-164-0x0000000005B70000-0x0000000005B8E000-memory.dmp

Filesize
120KB

Download
memory/4320-168-0x00000000075A0000-0x0000000007C1A000-memory.dmp

Filesize
6.5MB

Download
memory/4320-166-0x0000000006120000-0x0000000006164000-memory.dmp

Filesize
272KB

Download
memory/4320-169-0x0000000006F40000-0x0000000006F5A000-memory.dmp

Filesize
104KB

Download
memory/4320-167-0x0000000006EA0000-0x0000000006F16000-memory.dmp

Filesize
472KB

Download
memory/4516-216-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4516-313-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4516-215-0x0000000002980000-0x0000000002D79000-memory.dmp

Filesize
4.0MB

Download
memory/4592-170-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/4592-37-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/4592-117-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/4684-427-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download