04ce50b0cf7fddaaac3e1940e21234ddfc6f05d352891989f8067310f4ec6a69

Analysis

max time kernel
90s
max time network
88s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
04-10-2024 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AndroidSideloader.exe
Size

4.2MB
MD5

7e2b918a866b24b1faf8cf3ad9292a6e
SHA1

798c5d509dfad39ee7384ed604e34a01ba8bd5cb
SHA256

04ce50b0cf7fddaaac3e1940e21234ddfc6f05d352891989f8067310f4ec6a69
SHA512

2cce264bc27f438cb3f1e0fd245158da620934eff58bf83ec5fd66460b9bfdeb0af7d9dfee09b6e9062d2d99cc8fa76219f3073afa44910ff07fb5351631314f
SSDEEP

24576:kR2wjV//vxExkun/JcDJ7bdukqjVnlqud+/2P+Ap+KVwN52/h:w2w5//vxExjn/QJ7bYkqXfd+/9A9

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 13 IoCs

pid	Process
1348	7z.exe
2312	7z.exe
2284	adb.exe
4584	adb.exe
2900	adb.exe
4704	rclone.exe
3164	rclone.exe
2356	7z.exe
3648	adb.exe
1592	adb.exe
4108	adb.exe
660	adb.exe
8	adb.exe

Loads dropped DLL 16 IoCs

pid	Process
2284	adb.exe
2284	adb.exe
4584	adb.exe
4584	adb.exe
2900	adb.exe
2900	adb.exe
3648	adb.exe
3648	adb.exe
1592	adb.exe
1592	adb.exe
4108	adb.exe
4108	adb.exe
660	adb.exe
660	adb.exe
8	adb.exe
8	adb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com
4	raw.githubusercontent.com
29	raw.githubusercontent.com

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AndroidSideloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adb.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\SystemCertificates\CA\Certificates\CA7788C32DA1E4B7863A4FB57D00B55DDACBC7F9\Blob = 030000000100000014000000ca7788c32da1e4b7863a4fb57d00b55ddacbc7f91400000001000000140000003ae10986d4cf19c29676744976dce035c663639a04000000010000001000000042f8529fe545103fdd848980a8647f290f0000000100000030000000ed080184c5a30d366162d70be6fbb98ed70ace8650c3b7bccc7687cddaffb50f7d12eea1a961cc6f7fd0da9b3422f9fa19000000010000001000000076935b5c5a037216daaf8aac76df42c15c0000000100000004000000800100001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000d7030000308203d3308202bba003020102021056671d04ea4f994c6f10814759d27594300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374204543432043657274696669636174696f6e20417574686f726974793076301006072a8648ce3d020106052b81040022036200041aac545aa9f96823e77ad5246f53c65ad84babc6d5b6d1e67371aedd9cd60c61fddba08903b80514ec57ceee5d3fe221b3cef7d48a79e0a3837e2d97d061c4f199dc259163ab7f30a3b470e2c7a1339cf3bf2e5c53b15fb37d327f8a34e37979a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604143ae10986d4cf19c29676744976dce035c663639a300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c0500038201010019eceb9d892c200b04801d18de429972991632bd0e9c755b2c15e229406deeff72dbdbab901f8c95f28a3d087242895007e239156c0187d9161af5c0752bc5e6561107dfd898bc7c9f1939df8bca006473bc46109b93238dbe16c32e08829c863374763b284c8d034285b3e2b22342d51f7a756a1ad17caa6721c4333a396d53c9a2ed6222a8bbe2556c996c436b9197d10c0b93021dd2bc697749e61b4df7bf147803b0a6ba0bb4e1857f2fdc423bad740148ded66ce11998095e0ab36747fe1ce0d5c128ef4a8b44312604378d8974362eefa5220f83744992c7f710c20c29fbb7bdba7fe35fd59ff2a9f474d5b8e1b3b081e4e1a563a3ccea0478906ebff7	AndroidSideloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	AndroidSideloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	AndroidSideloader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	AndroidSideloader.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\SystemCertificates\CA\Certificates\7F95276D4951499FD756DF344AA24FB38CEAF678	AndroidSideloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\SystemCertificates\CA\Certificates\7F95276D4951499FD756DF344AA24FB38CEAF678\Blob = 0300000001000000140000007f95276d4951499fd756df344aa24fb38ceaf6781400000001000000140000000f6be64bce3947aef67e901e79f0309192c85fa3040000000100000010000000ee39380f325cf0c51f4c6f7be0a4c8990f000000010000003000000011634607adf75b5e2bb0c3f38525f19b8cb00415cf48940a83e1da5b90dbf3d251de3a2659675838654f1705ba8fe7411900000001000000100000007818fd06fa225d60f1172f1ef2efcebf5c00000001000000040000008001000018000000010000001000000076935b5c5a037216daaf8aac76df42c1200000000100000089030000308203853082030ca003020102021023b76de3c1bb2b1a51961e08eab764e8300a06082a8648ce3d040303308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374204543432043657274696669636174696f6e20417574686f72697479301e170d3230303133303030303030305a170d3330303132393233353935395a304b310b30090603550406130241543110300e060355040a13075a65726f53534c312a3028060355040313215a65726f53534c2045434320446f6d61696e2053656375726520536974652043413076301006072a8648ce3d020106052b8104002203620004364161172b5325edaaca94e4d6da4857ef50ba846482d7bb051bd61f0624f6a5339d8ce7f10b5568638230105f8d65ecaaa8af97cab586ce30018974dee34e5e016eee267bcc53fa23a4f7441d3e4d1e5f66a6ad85f6f2e3bc8e099880248e20a382017530820171301f0603551d230418301680143ae10986d4cf19c29676744976dce035c663639a301d0603551d0e041604140f6be64bce3947aef67e901e79f0309192c85fa3300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b0601050507030230220603551d20041b3019300d060b2b06010401b2310102024e3008060667810c01020130500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737445434343657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374454343416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300a06082a8648ce3d040303036700306402302470540f01c940ddc854d96d54cac808ca984374d83ff4d7a95f6df261b9700a261b6330a88b319cbf77ec67b07fa588023025adaba4b0ee8d52e0dd0d7c9ddf7d1daee25c649c74f87e63e5c14e601686b0a75e196eec08c691d8fb0314a1a595ab	AndroidSideloader.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\SystemCertificates\CA\Certificates\CA7788C32DA1E4B7863A4FB57D00B55DDACBC7F9	AndroidSideloader.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4704	rclone.exe
4704	rclone.exe
4704	rclone.exe
4704	rclone.exe
3164	rclone.exe
3164	rclone.exe
3164	rclone.exe
3164	rclone.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
932	AndroidSideloader.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	932	AndroidSideloader.exe
Token: SeRestorePrivilege	1348	7z.exe
Token: 35	1348	7z.exe
Token: SeSecurityPrivilege	1348	7z.exe
Token: SeSecurityPrivilege	1348	7z.exe
Token: SeRestorePrivilege	2312	7z.exe
Token: 35	2312	7z.exe
Token: SeSecurityPrivilege	2312	7z.exe
Token: SeSecurityPrivilege	2312	7z.exe
Token: SeDebugPrivilege	4704	rclone.exe
Token: SeDebugPrivilege	3164	rclone.exe
Token: SeRestorePrivilege	2356	7z.exe
Token: 35	2356	7z.exe
Token: SeSecurityPrivilege	2356	7z.exe
Token: SeSecurityPrivilege	2356	7z.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
932	AndroidSideloader.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 1348	932	AndroidSideloader.exe	74
PID 932 wrote to memory of 1348	932	AndroidSideloader.exe	74
PID 932 wrote to memory of 2312	932	AndroidSideloader.exe	76
PID 932 wrote to memory of 2312	932	AndroidSideloader.exe	76
PID 932 wrote to memory of 2284	932	AndroidSideloader.exe	78
PID 932 wrote to memory of 2284	932	AndroidSideloader.exe	78
PID 932 wrote to memory of 2284	932	AndroidSideloader.exe	78
PID 932 wrote to memory of 4584	932	AndroidSideloader.exe	80
PID 932 wrote to memory of 4584	932	AndroidSideloader.exe	80
PID 932 wrote to memory of 4584	932	AndroidSideloader.exe	80
PID 4584 wrote to memory of 2900	4584	adb.exe	82
PID 4584 wrote to memory of 2900	4584	adb.exe	82
PID 4584 wrote to memory of 2900	4584	adb.exe	82
PID 932 wrote to memory of 4704	932	AndroidSideloader.exe	85
PID 932 wrote to memory of 4704	932	AndroidSideloader.exe	85
PID 932 wrote to memory of 3164	932	AndroidSideloader.exe	87
PID 932 wrote to memory of 3164	932	AndroidSideloader.exe	87
PID 932 wrote to memory of 2356	932	AndroidSideloader.exe	89
PID 932 wrote to memory of 2356	932	AndroidSideloader.exe	89
PID 932 wrote to memory of 3648	932	AndroidSideloader.exe	91
PID 932 wrote to memory of 3648	932	AndroidSideloader.exe	91
PID 932 wrote to memory of 3648	932	AndroidSideloader.exe	91
PID 932 wrote to memory of 1592	932	AndroidSideloader.exe	93
PID 932 wrote to memory of 1592	932	AndroidSideloader.exe	93
PID 932 wrote to memory of 1592	932	AndroidSideloader.exe	93
PID 932 wrote to memory of 4108	932	AndroidSideloader.exe	95
PID 932 wrote to memory of 4108	932	AndroidSideloader.exe	95
PID 932 wrote to memory of 4108	932	AndroidSideloader.exe	95
PID 932 wrote to memory of 660	932	AndroidSideloader.exe	97
PID 932 wrote to memory of 660	932	AndroidSideloader.exe	97
PID 932 wrote to memory of 660	932	AndroidSideloader.exe	97
PID 932 wrote to memory of 8	932	AndroidSideloader.exe	99
PID 932 wrote to memory of 8	932	AndroidSideloader.exe	99
PID 932 wrote to memory of 8	932	AndroidSideloader.exe	99

C:\Users\Admin\AppData\Local\Temp\AndroidSideloader.exe
"C:\Users\Admin\AppData\Local\Temp\AndroidSideloader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:932
- C:\Users\Admin\AppData\Local\Temp\7z.exe
  "7z.exe" x "C:\Users\Admin\AppData\Local\Temp\dependencies.7z" -y -o"C:\RSL\platform-tools" -bsp1
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1348
- C:\Users\Admin\AppData\Local\Temp\7z.exe
  "7z.exe" x "C:\Users\Admin\AppData\Local\Temp\rclone.zip" -y -o"C:\Users\Admin\AppData\Local\Temp" -bsp1
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\RSL\platform-tools\adb.exe
  "C:\RSL\platform-tools\adb.exe" kill-server
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2284
- C:\RSL\platform-tools\adb.exe
  "C:\RSL\platform-tools\adb.exe" start-server
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\RSL\platform-tools\adb.exe
    adb -L tcp:5037 fork-server server --reply-fd 556
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2900
- C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe
  "C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe" listremotes --config vrp.download.config --inplace
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4704
- C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe
  "C:\Users\Admin\AppData\Local\Temp\rclone\rclone.exe" sync ":http:/meta.7z" "C:\Users\Admin\AppData\Local\Temp" --inplace --http-url https://theapp.vrrookie.xyz/ --tpslimit 1.0 --tpslimit-burst 3
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3164
- C:\Users\Admin\AppData\Local\Temp\7z.exe
  "7z.exe" x "C:\Users\Admin\AppData\Local\Temp\meta.7z" -y -o"C:\Users\Admin\AppData\Local\Temp\meta" -p"gL59VfgPxoHR" -bsp1
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2356
- C:\RSL\platform-tools\adb.exe
  "C:\RSL\platform-tools\adb.exe" devices
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3648
- C:\RSL\platform-tools\adb.exe
  "C:\RSL\platform-tools\adb.exe" shell df
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1592
- C:\RSL\platform-tools\adb.exe
  "C:\RSL\platform-tools\adb.exe" shell dumpsys battery
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4108
- C:\RSL\platform-tools\adb.exe
  "C:\RSL\platform-tools\adb.exe" shell pm list packages -3
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:660
- C:\RSL\platform-tools\adb.exe
  "C:\RSL\platform-tools\adb.exe" shell df
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:8

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RSL\platform-tools\adb.exe

Filesize
5.6MB

MD5
64daf7cca61d468d26a407d79a7c26a9

SHA1
51b451089e73c9a03e2f24ab2fc81896d48c6126

SHA256
997324a38d89e3b282306bf25ccaa167c49a35850ac0ab4a169e7a15afa82fc8

SHA512
5a7bd06326e8ee868a2e6c724bc74bd290acaa00f3442807d3f69489a374a13a3cb41fbaf929c79525bdac319bd9a64ecfaf3cbdb6585ae332a485e911d8370d

Download Submit
C:\Users\Admin\AppData\Local\Rookie.AndroidSideloader\AndroidSideloader.exe_Url_3wcjmuu02ugveehxxd13xxpo50icwnnk\2.0.0.0\4deuqpbp.newcfg

Filesize
2KB

MD5
0ae53eee1959ae9f992301bf4060676d

SHA1
fde61956dda12025564b3690b5cb5c993d0e8f97

SHA256
8a827b7210db3371364ba1316a0f3ba28b645ee77a321f0aefc0e0a20376d11b

SHA512
6dfb219c24f5f8dd2de84bde67e3b7d5d5d722cf340d48c88a9d4a7b18ca563b4a7c870af28a9a30ed6c7c24e990fca3dffda74935727ef15d2b23a2474db706

Download Submit
C:\Users\Admin\AppData\Local\Rookie.AndroidSideloader\AndroidSideloader.exe_Url_3wcjmuu02ugveehxxd13xxpo50icwnnk\2.0.0.0\eoluwphe.newcfg

Filesize
3KB

MD5
69313a1b5413264c2e76038956c78806

SHA1
2c201d44f771beaf3ae5316d555792a693be0b57

SHA256
3649b96d3a5d2bc11b7f4a23826ec360981c98f6a9fd65a0e3cb900763c26828

SHA512
5eae059c480b470818bbc6be32334d8ca2ed4c687a237b678291dfe7e8d61a176aa0d404ff6514125823fe1059238e1b182e49e812ab1309979114b9b54b9ee2

Download Submit
C:\Users\Admin\AppData\Local\Rookie.AndroidSideloader\AndroidSideloader.exe_Url_3wcjmuu02ugveehxxd13xxpo50icwnnk\2.0.0.0\g2w5ilwu.newcfg

Filesize
3KB

MD5
68f26104dad4103d0dcc9880807bc67a

SHA1
3dc76477490f8480f8565c9ec2ab97e330ba1866

SHA256
d3eb3e344c47846be7bb7cac633b905ff45e891f30e38186faff329766557814

SHA512
414de8d0aefa4bba4e3917c4d4085f91186e7f4a61ea43710808f1112223a7cf7d21dcaea4d80b5e1b817f8743d699209ec3a416eaa24dc5d5f383965dbd803b

Download Submit
C:\Users\Admin\AppData\Local\Rookie.AndroidSideloader\AndroidSideloader.exe_Url_3wcjmuu02ugveehxxd13xxpo50icwnnk\2.0.0.0\m2slotpi.newcfg

Filesize
3KB

MD5
0fa4019fbbe1e2939d88b42677a5d21d

SHA1
0298001e979d7b29d09b4831f4bdb44b04c15b7a

SHA256
0206aded4edcf954cb72e8b4bdfbbd00bed542022b669b9587b9eafcdcafc3ea

SHA512
b2bc9ec9b7c4e73dcbe92a49695ed33672596271e5d62205f9c76cec213abb5fa2ad78c2468425d47eef07ad2d7b1b538aa95863ea4fc8a1d87707f9b1fa5cba

Download Submit
C:\Users\Admin\AppData\Local\Rookie.AndroidSideloader\AndroidSideloader.exe_Url_3wcjmuu02ugveehxxd13xxpo50icwnnk\2.0.0.0\user.config

Filesize
838B

MD5
6dc22626c68e39d1f7a92bc247d064fa

SHA1
06d72094b8ccfb2cd09e3b04fa79cd2f4efbb40c

SHA256
5b1cfb327e8e4f605cdb650526ab442cc846ce97cfdc51d1da23dfecb3abdf60

SHA512
09858fce9752da51c915859873510c5f115b8d2b2ffa9b3bfe8bee20b804de1fe3ef8bbe5448b2374d6089af29e9d7914e0098df675e5eef240d4f1649a0db72

Download Submit
C:\Users\Admin\AppData\Local\Rookie.AndroidSideloader\AndroidSideloader.exe_Url_3wcjmuu02ugveehxxd13xxpo50icwnnk\2.0.0.0\user.config

Filesize
2KB

MD5
a07293f8f76210b200df0da93a774ab2

SHA1
733674c43997cb1c6db5b570be1ab7f0d171a69b

SHA256
ac8705037a2363a9af7d448c82483fc9ba4b0b2b4c88b2c14706b775cf5a9ba3

SHA512
aa89237385bd4a9c7e264832c3ad6fd8c03f091f421d5af566647a299db83e7bff356196c73206be7635e740550acd1d0d9a975bf5149baef2d3e46a77b5b373

Download Submit
C:\Users\Admin\AppData\Local\Rookie.AndroidSideloader\AndroidSideloader.exe_Url_3wcjmuu02ugveehxxd13xxpo50icwnnk\2.0.0.0\user.config

Filesize
2KB

MD5
a3dbc920a70cf6291d28d90e47ca4821

SHA1
b43a5508af1890a220cd395ccbc33ea4689f5797

SHA256
d86c871a5fb0cc6978996063f9215d2fed7515b1fc01678e6d54154af3cf6649

SHA512
8af5e3e2e6f757206ad8d48389ae334ba9678225a01ea88026a75741d562a8ab97af432665025a77f5dc92d49231ef04b52258178ba279452f18a2401509dc1a

Download Submit
C:\Users\Admin\AppData\Local\Rookie.AndroidSideloader\AndroidSideloader.exe_Url_3wcjmuu02ugveehxxd13xxpo50icwnnk\2.0.0.0\user.config

Filesize
2KB

MD5
e3e2a2f64a252733549b59b78bbdb095

SHA1
ea87c3f483d3af7ac6e646db7cc3dcabb4af642b

SHA256
ceb45d346708ac825ec610fade538ce7116d5556d8c8099d01593c337ba72bda

SHA512
558efad5c0c766789503f03ef515fc95c90f09a0ff45094f6358754a116bc22a5d1bfe90cbc707513f8f0b77a4557134c45be2320ae6e11c5d917b6c8f28bd55

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
1.2MB

MD5
1a7eaa1dab7867e15d7800ae0b5af5e3

SHA1
9e6d344bd8724aa1862f4254d8c42b7cc929a797

SHA256
356bea8b6e9eb84dfa0dd8674e7c03428c641a47789df605c5bea0730de4aed2

SHA512
a12373ec7ec4bac3421363f70cc593f4334b4bb5a5c917e050a45090220fab002c36ba8b03be81159fd70955b4680146c9469e44ddf75a901465d6b1231ee6cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dependencies.7z

Filesize
5.5MB

MD5
54850eca0050c5468f712187828655ce

SHA1
30607a286efe050f9387f3127888b4073595d1a1

SHA256
06e1523a9cc9be6bd9d7a33c2720519d1a071747222f044bdf0c4d590a508575

SHA512
40d575da0d48f6b0ab7dbeabf68a4b40551157671e34f5669fe2627fe51d8f623e00adcff24df6abf9ea765dd02ffdcca2783b73f617ee0fb1fca1a88f0d4675

Download Submit
C:\Users\Admin\AppData\Local\Temp\meta.7z

Filesize
30.3MB

MD5
214775076dc89024358108310fb19929

SHA1
75a2a912b32bd35e3df226bbc5de12fb6137f18c

SHA256
20f4a02a03df587f97ed0c6dc160f4243391b8497d6145bd2009bd2a21b6fdd2

SHA512
591fbb1a377265f0d970f9ebf07312aa0a93a324a9805423352c2c0776fbbe30066feb98b6618d6f235a46eff3f9297440373e8dfa06b00da3adcfae316dbfe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\meta\.meta\notes\Cubism v291+1.7.4 -VRP.txt

Filesize
83B

MD5
a013a807855d864175a73f8db56eaf05

SHA1
ccd8405bcfb4d5b83d3aa6b51c56f3707b534e97

SHA256
77a3b8cdee01f86f3a7043296253215c4e05fd1b27a836d17c03fee0b3ec2c80

SHA512
7eed4b8422b5e63e8bab01365b42cacb8f1c16a70000de22e4e2879ca13d044e1c7a04974c4bb9ebdd7b7ba1eb5f4fb061260662e9216190b7677a843d0360a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\meta\.meta\notes\ForeVR Pool v926+2.0.926 -NIF.txt

Filesize
12B

MD5
5db92c491778fc426d102a6cdccde39d

SHA1
725c01af9d4fe1f53a8f22da3185c6fb0fbfa417

SHA256
124a4f8420dae0a5ebf04ce715399de35dbc8817143225113e4f6f05f6c6f524

SHA512
ecd97119339b44c8e7eebcbf4604ef40edca13edc5ade502def9b840e477943c401acb2ed420f13c4e9091d00e88639b327924dde2ee60c9abb3c68b09e06214

Download Submit
C:\Users\Admin\AppData\Local\Temp\meta\.meta\notes\Mad Max VR v2+2 -ByteUs.txt

Filesize
24B

MD5
95ecadb6472bf8d2b5e29c19ff7b6aec

SHA1
d418d8d05f1cac3547d233744d765c2100c53f26

SHA256
922180290a957b2db5cbd885f952df998245de0cbc9c0795a58c93c86f20c530

SHA512
c8c31b23989f5392a25d32b2fd1c14c8ad3cdb58117c509ec33ff7a70b3551a5914c0882c593b27ef36e6e96ce86b490d96d9bf5261b9094799ebd874864e3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\meta\.meta\notes\Painting VR (MR-Fix) v183+0.10.14 -VRP.txt

Filesize
6B

MD5
48f3a52c285863b6765eae664d7948f3

SHA1
da22b99449d598ff8ed35347eaee5a13c8293ccb

SHA256
4c1c59d2a718a3e813a836c143f33ff0e7bb4f680151a3457be1b76cca2823b1

SHA512
ca9bc624a9274a6ab33a4731839da9fddfad0910bdc4a99f9c7675dd41209542c914fdd95a41c891d6b523557aed486292cf3c9504c41375a67cb4acc6ad80fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\meta\.meta\notes\rrrjpn- Missionary with Chloe (ADULT) v1+1.1 -VRP.txt

Filesize
55B

MD5
2a824f2738754fdd595511d05224f4ce

SHA1
594e55bf425e87eb9d4c1ee8c1920d3d6113d4bb

SHA256
6695292057bb3e460463af16ce48a0af78cf54f9d23d61a6d6fba2b46ed71645

SHA512
e84ec75d44357c9ef07f2182195eafeadbe7d5e99236bedf4152172ef5749e14d3d21b9eecfed3b1edbfcf975ebba2bdbed15c1a89b3af00bff77467d2ea70d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\meta\VRP-GameList.txt

Filesize
192KB

MD5
3b717c7712e8f03eafc39b0a8fab6211

SHA1
51b7fd0e6a4ebee2cf3348bf60c77bc0d2174d62

SHA256
fc3ed41fa0bc061bf123bd17694e8b39fbd1aaadc1411719558d10db0d3e6009

SHA512
94e8af37457baf9ca1cfe32d37142744d6d8a2a6debe665618a88f5b1373dd8bd88314335dfd930e4cc2afc533bd7c3be74c2304d5fbd8d9b1a84176167b3bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nouns\blacklist.txt

Filesize
270KB

MD5
b214f2f0196baf9a3c7846fc151b27dd

SHA1
64fc3a8ea2fbfeff0bb9a024bc7f1053f2893044

SHA256
9dc4f17f1777adbfb20528bda920fc95f13c8cdbdaf9d3681777171915fca465

SHA512
5482688f3ff7361d206c1edaad379d24072e62cb0a6473beb95e77681d142fdb8a29ed24c14f7b522e3e06e8248d3577a163c60e4a9d0e34adb2d10c69a30a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\rclone-v1.67.0-windows-amd64\README.html

Filesize
2.7MB

MD5
500a6699c3901b0c93ff2a71ec3b4375

SHA1
32958268a418a23cb48ebbd98636d739429302c6

SHA256
701f21c773776610c012740d1e99429b16490d09c1a9fcd870203724deb538ad

SHA512
412fadb84e9787f26256715670cc501809301ce6c5dfa2d157a3887c4801f8e4f6bfacee0d886240b8e5a32036d4b23cb8522dd0e1a6f7edcccdc8e35bf5ff4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rclone-v1.67.0-windows-amd64\README.txt

Filesize
2.2MB

MD5
a2615e31d5e8a4fd1c43f95c15e416f0

SHA1
b6d2b4491f6a2f4111fe246623881ced39939edd

SHA256
943c4b42b1914bfc98b822317e068c4c4f61525bc914d160775e8e7400206ee9

SHA512
8e3a514ba05e83133c48a93af55cd26735932f569dc18beea60de7c84617df6645a428408b9d7fa22069c89036dc8dc91e9e73abaacf90617d13cf757e19e57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rclone-v1.67.0-windows-amd64\git-log.txt

Filesize
87KB

MD5
5772d853963d55d09674b71a3d9cdd9f

SHA1
f2121894e9609885573cede6495ff4e14e00a83e

SHA256
1bbd86a8ad5dde0ed29d8f13294f607c4c61d95af8ae46be683eb9c2b1a56c09

SHA512
246ff67de109f4a3a1f395f89a2e6e07395a1065b3ddbef6875de6c6bb69781331d500f701a9db1faf4fa7834eaae3d46a2a7a525b7b83092b2d1d6e1736431f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rclone-v1.67.0-windows-amd64\rclone.1

Filesize
2.5MB

MD5
1a66854721f4431f57d691845cbbb99e

SHA1
a2689e2a63d7f60f737cedfb411518d3cc7ac67f

SHA256
3e435c81cc364a3c6f1d5f9305f03dbf5152e85f445c9354cc16b30654fd444e

SHA512
171f289fbc94bab66ae3233335a022820b91fddc5fd2b1f9a9ade7e48e7474aacb3400c40424a85203d17cb3c36730fa69ae278bf65f4dbeb1834b246898a94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rclone.zip

Filesize
20.3MB

MD5
eae00849accd0d8d902eda140aee7238

SHA1
f6a3ca9091e099df1df1e56640ae93fa24c6acb7

SHA256
117b99441024607d6043e274c7fcbed64d07ad87347d17dd0a717bdc1c59716b

SHA512
80a3bde49a66c24ea97421591f3fbf0dd4b35af47c20f11ecd379a41cf5d64e7260144e6a01f74bfaf856bda38b82f9b34b98bdde28efef6bcd03a232f3547a7

Download Submit
\RSL\platform-tools\AdbWinApi.dll

Filesize
105KB

MD5
d79a7c0a425f768fc9f9bcf2aa144d8f

SHA1
3da9e4c4566bd6d4efeeaf7ceab9e9e83f2f67e5

SHA256
1ad523231de449af3ba0e8664d3af332f0c5cc4f09141691ca05e35368fa811a

SHA512
ff650b98ecc55df6c2cb1b22221b1e71d63c01324f8a8b0f05f1497f5416131f7c33ef2ea17ed323cb2bfdbe7ae1824474544434899d2cb89e9c8c00db7dbb15

Download Submit
\RSL\platform-tools\AdbWinUsbApi.dll

Filesize
71KB

MD5
e6e1716f53624aff7dbce5891334669a

SHA1
9c17f50ba4c8e5db9c1118d164995379f8d686fb

SHA256
51a61758a6f1f13dd36530199c0d65e227cd9d43765372b2942944cc3296ca2c

SHA512
c47392b6f7d701e78f78e0b0ddce5508ab8d247a4095391e77cd665e955f4938e412ffcb6076534dcad287af4f78d84668496935e71b9bb46a98401522815eb9

Download Submit
memory/932-173-0x0000000006C20000-0x0000000006C42000-memory.dmp

Filesize
136KB

Download
memory/932-33-0x00000000735E0000-0x0000000073CCE000-memory.dmp

Filesize
6.9MB

Download
memory/932-78-0x00000000735EE000-0x00000000735EF000-memory.dmp

Filesize
4KB

Download
memory/932-80-0x00000000735E0000-0x0000000073CCE000-memory.dmp

Filesize
6.9MB

Download
memory/932-81-0x00000000735E0000-0x0000000073CCE000-memory.dmp

Filesize
6.9MB

Download
memory/932-170-0x00000000069E0000-0x0000000006A92000-memory.dmp

Filesize
712KB

Download
memory/932-0-0x00000000735EE000-0x00000000735EF000-memory.dmp

Filesize
4KB

Download
memory/932-174-0x00000000084C0000-0x0000000008810000-memory.dmp

Filesize
3.3MB

Download
memory/932-34-0x00000000735E0000-0x0000000073CCE000-memory.dmp

Filesize
6.9MB

Download
memory/932-79-0x00000000735E0000-0x0000000073CCE000-memory.dmp

Filesize
6.9MB

Download
memory/932-10-0x0000000005D90000-0x0000000005E1E000-memory.dmp

Filesize
568KB

Download
memory/932-9-0x0000000005830000-0x000000000583E000-memory.dmp

Filesize
56KB

Download
memory/932-8-0x0000000005760000-0x000000000576C000-memory.dmp

Filesize
48KB

Download
memory/932-7-0x0000000005780000-0x000000000578A000-memory.dmp

Filesize
40KB

Download
memory/932-6-0x00000000735E0000-0x0000000073CCE000-memory.dmp

Filesize
6.9MB

Download
memory/932-3-0x0000000005270000-0x0000000005302000-memory.dmp

Filesize
584KB

Download
memory/932-2-0x0000000005890000-0x0000000005D8E000-memory.dmp

Filesize
5.0MB

Download
memory/932-1-0x00000000005E0000-0x0000000000A14000-memory.dmp

Filesize
4.2MB

Download