
Analysis Report FacebookSecurityUpdate.exe

Overview

General Information

Sample Name:FacebookSecurityUpdate.exe
Analysis ID:397328
MD5:ac46ae63e68b470fc8fc80f6a74e7964
SHA1:373a2d73c34c905b2a52257ed5d432f82e412fd7
SHA256:1b12a22d5d562b59030df4697c4157a23766d0b34f9bd17a0ca7374e5a53e28c

Detection

Quasar
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Quasar RAT
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to disable the Task Manager (.Net Source)
Creates autorun.inf (USB autostart)
Deletes shadow drive data (may be related to ransomware)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • FacebookSecurityUpdate.exe (PID: 5640 cmdline: 'C:\Users\user\Desktop\FacebookSecurityUpdate.exe' MD5: AC46AE63E68B470FC8FC80F6A74E7964)
    • FacebookSecurityUpdate.exe (PID: 5648 cmdline: 'C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe' MD5: 269E261FDBD4A955CB4591A39F3E08F4)
      • schtasks.exe (PID: 2644 cmdline: 'schtasks' /create /tn 'FacebookSecurityUpdate' /sc ONLOGON /tr 'C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe' /rl HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 3180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • FacebookSecurityUpdate.exe (PID: 6124 cmdline: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe MD5: 269E261FDBD4A955CB4591A39F3E08F4)
        • schtasks.exe (PID: 580 cmdline: 'schtasks' /create /tn 'FacebookSecurityUpdate' /sc ONLOGON /tr 'C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe' /rl HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 5856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • FacebookSecurityUpdate.exe (PID: 3348 cmdline: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe MD5: 269E261FDBD4A955CB4591A39F3E08F4)
  • cleanup

Malware Configuration

Threatname: Quasar

{"Version": "1.4.0.0", "Host:Port": "84.38.133.101:14782;", "SubDirectory": "FacebookSecurityUpdate", "InstallName": "#za6H\"om,", "MutexName": "EhJ5YrFqRiwpbh4NdP", "StartupKey": "FacebookSecurityUpdate", "Tag": "SecurityHealthServices-WinRar", "LogDirectoryName": "Logs"}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe | Vermin_Keylogger_Jan18_1 | Detects Vermin Keylogger | Florian Roth
  • 0x3697a:$x3: GetKeyloggerLogsResponse
  • 0x35c51:$x4: GetKeyloggerLogs
  • 0x35eea:$s1: <RunHidden>k__BackingField
  • 0x36b42:$s2: set_SystemInfos
  • 0x35f13:$s3: set_RunHidden
  • 0x35aa6:$s4: set_RemotePath
  • 0x30971:$s7: xClient.Core.ReverseProxy.Packets
C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe | xRAT_1 | Detects Patchwork malware | Florian Roth
  • 0x2f783:$x4: xClient.Properties.Resources.resources
  • 0x2f621:$s4: Client.exe
  • 0x35f13:$s7: set_RunHidden
C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x35ed7:$s1: DoUploadAndExecute
  • 0x360e5:$s2: DoDownloadAndExecute
  • 0x35cdb:$s3: DoShellExecute
  • 0x360aa:$s4: set_Processname
  • 0x6bc8:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x6aec:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x7552:$op3: 00 04 03 69 91 1B 40
  • 0x7da2:$op3: 00 04 03 69 91 1B 40
C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth
  • 0x3697a:$x1: GetKeyloggerLogsResponse
  • 0x36bba:$s1: DoShellExecuteResponse
  • 0x36533:$s2: GetPasswordsResponse
  • 0x36a8d:$s3: GetStartupItemsResponse
  • 0x35eeb:$s5: RunHidden
  • 0x35f09:$s5: RunHidden
  • 0x35f17:$s5: RunHidden
  • 0x35f2b:$s5: RunHidden
C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x4011d:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ...
  • 0x402ed:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...
(9 entries in total; only the first are shown here)

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.202794643.0000000000D92000.00000002.00020000.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x35cd7:$s1: DoUploadAndExecute
  • 0x35ee5:$s2: DoDownloadAndExecute
  • 0x35adb:$s3: DoShellExecute
  • 0x35eaa:$s4: set_Processname
  • 0x69c8:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x68ec:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x7352:$op3: 00 04 03 69 91 1B 40
  • 0x7ba2:$op3: 00 04 03 69 91 1B 40
00000002.00000002.202794643.0000000000D92000.00000002.00020000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x35cd7:$s1: DoUploadAndExecute
  • 0x35ee5:$s2: DoDownloadAndExecute
  • 0x35adb:$s3: DoShellExecute
  • 0x35eaa:$s4: set_Processname
  • 0x69c8:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x68ec:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x7352:$op3: 00 04 03 69 91 1B 40
  • 0x7ba2:$op3: 00 04 03 69 91 1B 40
00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000000.00000002.194570475.0000000012DFB000.00000004.00000001.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x3624f:$s1: DoUploadAndExecute
  • 0x8f097:$s1: DoUploadAndExecute
  • 0xe7ecf:$s1: DoUploadAndExecute
  • 0x3645d:$s2: DoDownloadAndExecute
  • 0x8f2a5:$s2: DoDownloadAndExecute
  • 0xe80dd:$s2: DoDownloadAndExecute
  • 0x36053:$s3: DoShellExecute
  • 0x8ee9b:$s3: DoShellExecute
  • 0xe7cd3:$s3: DoShellExecute
  • 0x36422:$s4: set_Processname
  • 0x8f26a:$s4: set_Processname
  • 0xe80a2:$s4: set_Processname
  • 0x6f40:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x5fd88:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0xb8bc0:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x6e64:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x5fcac:$op2: 00 17 03 1F 20 17 19 15 28
  • 0xb8ae4:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x78ca:$op3: 00 04 03 69 91 1B 40
  • 0x811a:$op3: 00 04 03 69 91 1B 40
  • 0x60712:$op3: 00 04 03 69 91 1B 40
(13 entries in total; only the first are shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings
6.0.FacebookSecurityUpdate.exe.180000.0.unpack | Vermin_Keylogger_Jan18_1 | Detects Vermin Keylogger | Florian Roth
  • 0x3697a:$x3: GetKeyloggerLogsResponse
  • 0x35c51:$x4: GetKeyloggerLogs
  • 0x35eea:$s1: <RunHidden>k__BackingField
  • 0x36b42:$s2: set_SystemInfos
  • 0x35f13:$s3: set_RunHidden
  • 0x35aa6:$s4: set_RemotePath
  • 0x30971:$s7: xClient.Core.ReverseProxy.Packets
6.0.FacebookSecurityUpdate.exe.180000.0.unpack | xRAT_1 | Detects Patchwork malware | Florian Roth
  • 0x2f783:$x4: xClient.Properties.Resources.resources
  • 0x2f621:$s4: Client.exe
  • 0x35f13:$s7: set_RunHidden
6.0.FacebookSecurityUpdate.exe.180000.0.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x35ed7:$s1: DoUploadAndExecute
  • 0x360e5:$s2: DoDownloadAndExecute
  • 0x35cdb:$s3: DoShellExecute
  • 0x360aa:$s4: set_Processname
  • 0x6bc8:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x6aec:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x7552:$op3: 00 04 03 69 91 1B 40
  • 0x7da2:$op3: 00 04 03 69 91 1B 40
6.0.FacebookSecurityUpdate.exe.180000.0.unpack | Quasar_RAT_2 | Detects Quasar RAT | Florian Roth
  • 0x3697a:$x1: GetKeyloggerLogsResponse
  • 0x36bba:$s1: DoShellExecuteResponse
  • 0x36533:$s2: GetPasswordsResponse
  • 0x36a8d:$s3: GetStartupItemsResponse
  • 0x35eeb:$s5: RunHidden
  • 0x35f09:$s5: RunHidden
  • 0x35f17:$s5: RunHidden
  • 0x35f2b:$s5: RunHidden
6.0.FacebookSecurityUpdate.exe.180000.0.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x4011d:$xc1: 41 00 64 00 6D 00 69 00 6E 00 00 11 73 00 63 00 68 00 74 00 61 00 73 00 6B 00 73 00 00 1B 2F 00 ...
  • 0x402ed:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C ...
(76 entries in total; only the first are shown here)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: FacebookSecurityUpdate.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe | Avira: detection malicious, Label: HEUR/AGEN.1135947
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe | Avira: detection malicious, Label: HEUR/AGEN.1135947
Found malware configuration
Source: 00000000.00000002.194570475.0000000012DFB000.00000004.00000001.sdmp | Malware Configuration Extractor: Quasar {"Version": "1.4.0.0", "Host:Port": "84.38.133.101:14782;", "SubDirectory": "FacebookSecurityUpdate", "InstallName": "#za6H\"om,", "MutexName": "EhJ5YrFqRiwpbh4NdP", "StartupKey": "FacebookSecurityUpdate", "Tag": "SecurityHealthServices-WinRar", "LogDirectoryName": "Logs"}
Multi AV Scanner detection for submitted file
Source: FacebookSecurityUpdate.exe | Virustotal: Detection: 57%
Source: FacebookSecurityUpdate.exe | ReversingLabs: Detection: 50%
Yara detected Quasar RAT
Source: Yara match | File source: 00000002.00000002.202794643.0000000000D92000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.194570475.0000000012DFB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.193556825.0000000000D92000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.211316911.0000000000182000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.457267428.0000000000602000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.202485476.0000000000602000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FacebookSecurityUpdate.exe PID: 6124, type: MEMORY
Source: Yara match | File source: Process Memory Space: FacebookSecurityUpdate.exe PID: 5648, type: MEMORY
Source: Yara match | File source: Process Memory Space: FacebookSecurityUpdate.exe PID: 5640, type: MEMORY
Source: Yara match | File source: Process Memory Space: FacebookSecurityUpdate.exe PID: 3348, type: MEMORY
Source: Yara match | File source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, type: DROPPED
Source: Yara match | File source: 6.0.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: FacebookSecurityUpdate.exe | Joe Sandbox ML: detected

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe | Unpacked PE file: 0.2.FacebookSecurityUpdate.exe.b00000.0.unpack
Source: FacebookSecurityUpdate.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: FacebookSecurityUpdate.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Spreading:

Creates autorun.inf (USB autostart)
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe | File created: C:\autorun.inf
Source: FacebookSecurityUpdate.exe, 00000000.00000002.194570475.0000000012DFB000.00000004.00000001.sdmp | Binary or memory string: autorun.inf.exe
Source: FacebookSecurityUpdate.exe, 00000000.00000002.194570475.0000000012DFB000.00000004.00000001.sdmp | Binary or memory string: [AutoRun]
Source: FacebookSecurityUpdate.exe | Binary or memory string: [AutoRun]
Source: FacebookSecurityUpdate.exe | Binary or memory string: autorun.inf
Source: FacebookSecurityUpdate.exe, 00000002.00000002.202794643.0000000000D92000.00000002.00020000.sdmp | Binary or memory string: autorun.inf.exe
Source: FacebookSecurityUpdate.exe | Binary or memory string: [AutoRun]
Source: FacebookSecurityUpdate.exe | Binary or memory string: autorun.inf
Source: FacebookSecurityUpdate.exe, 00000005.00000002.459478315.0000000002B7A000.00000004.00000001.sdmp | Binary or memory string: l[AutoRun]
Source: FacebookSecurityUpdate.exe, 00000005.00000002.457267428.0000000000602000.00000002.00020000.sdmp | Binary or memory string: autorun.inf.exe
Source: FacebookSecurityUpdate.exe | Binary or memory string: autorun.inf
Source: FacebookSecurityUpdate.exe | Binary or memory string: [AutoRun]
Source: FacebookSecurityUpdate.exe, 00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp | Binary or memory string: autorun.inf.exe
Source: autorun.inf.5.dr | Binary or memory string: [AutoRun]
Source: FacebookSecurityUpdate.exe.0.dr | Binary or memory string: autorun.inf.exe
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: 84.38.133.101
Connects to many ports of the same IP (likely port scanning)
Source: global traffic | TCP traffic: 84.38.133.101 ports 14782,1,2,4,7,8
May check the online IP address of the machine
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe | DNS query: name: ip-api.com
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe | DNS query: name: ip-api.com
Source: global traffic | TCP traffic: 192.168.2.3:49709 -> 84.38.133.101:14782
Source: Joe Sandbox View | IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View | ASN Name: DATACLUB-NL DATACLUB-NL
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 | Host: ip-api.com | Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 84.38.133.101
Source: unknown | TCP traffic detected without corresponding DNS query: 84.38.133.101
Source: unknown | TCP traffic detected without corresponding DNS query: 84.38.133.101
Source: unknown | TCP traffic detected without corresponding DNS query: 84.38.133.101
Source: unknown | TCP traffic detected without corresponding DNS query: 84.38.133.101
Source: unknown | TCP traffic detected without corresponding DNS query: 84.38.133.101
Source: unknown | TCP traffic detected without corresponding DNS query: 84.38.133.101
Source: unknown | TCP traffic detected without corresponding DNS query: 84.38.133.101
Source: unknown | TCP traffic detected without corresponding DNS query: 84.38.133.101
Source: unknown | TCP traffic detected without corresponding DNS query: 84.38.133.101
Source: unknown | TCP traffic detected without corresponding DNS query: 84.38.133.101
Source: unknown | TCP traffic detected without corresponding DNS query: 84.38.133.101
Source: unknown | TCP traffic detected without corresponding DNS query: 84.38.133.101
Source: unknown | TCP traffic detected without corresponding DNS query: 84.38.133.101
Source: unknown | TCP traffic detected without corresponding DNS query: 84.38.133.101
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0 | Host: ip-api.com | Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: ip-api.com
Source: FacebookSecurityUpdate.exe, FacebookSecurityUpdate.exe, 00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp, FacebookSecurityUpdate.exe.0.dr | String found in binary or memory: http://api.ipify.org/
Source: FacebookSecurityUpdate.exe, FacebookSecurityUpdate.exe, 00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp, FacebookSecurityUpdate.exe.0.dr | String found in binary or memory: http://freegeoip.net/xml/
Source: FacebookSecurityUpdate.exe, 00000002.00000002.203567334.000000000322E000.00000004.00000001.sdmp, FacebookSecurityUpdate.exe, 00000005.00000002.459447063.0000000002B41000.00000004.00000001.sdmp | String found in binary or memory: http://ip-api.com
Source: FacebookSecurityUpdate.exe, FacebookSecurityUpdate.exe, 00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp, FacebookSecurityUpdate.exe.0.dr | String found in binary or memory: http://ip-api.com/json/
Source: FacebookSecurityUpdate.exe, 00000002.00000002.203567334.000000000322E000.00000004.00000001.sdmp | String found in binary or memory: http://ip-api.com4
Source: FacebookSecurityUpdate.exe, 00000002.00000002.203600363.000000000327D000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.datacontract.org
Source: FacebookSecurityUpdate.exe, 00000002.00000002.203600363.000000000327D000.00000004.00000001.sdmp, FacebookSecurityUpdate.exe, 00000005.00000002.459478315.0000000002B7A000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: FacebookSecurityUpdate.exe, 00000002.00000002.203600363.000000000327D000.00000004.00000001.sdmp, FacebookSecurityUpdate.exe, 00000005.00000002.459478315.0000000002B7A000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/xClient.Core.Data
Source: FacebookSecurityUpdate.exe, 00000002.00000002.203567334.000000000322E000.00000004.00000001.sdmp, FacebookSecurityUpdate.exe, 00000005.00000002.459447063.0000000002B41000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe | Windows user hook set: 0 keyboard low level C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe

E-Banking Fraud:

Yara detected Quasar RAT
Source: Yara match | File source: 00000002.00000002.202794643.0000000000D92000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.194570475.0000000012DFB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.193556825.0000000000D92000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.211316911.0000000000182000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.457267428.0000000000602000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.202485476.0000000000602000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FacebookSecurityUpdate.exe PID: 6124, type: MEMORY
Source: Yara match | File source: Process Memory Space: FacebookSecurityUpdate.exe PID: 5648, type: MEMORY
Source: Yara match | File source: Process Memory Space: FacebookSecurityUpdate.exe PID: 5640, type: MEMORY
Source: Yara match | File source: Process Memory Space: FacebookSecurityUpdate.exe PID: 3348, type: MEMORY
Source: Yara match | File source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, type: DROPPED
Source: Yara match | File source: 6.0.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.raw.unpack, type: UNPACKEDPE

Spam, unwanted Advertisements and Ransom Demands:

Deletes shadow drive data (may be related to ransomware)
Source: FacebookSecurityUpdate.exe, 00000000.00000002.194570475.0000000012DFB000.00000004.00000001.sdmp | Binary or memory string: cmd.exeU/C vssadmin.exe Delete Shadows /All /Quiet
Source: FacebookSecurityUpdate.exe | Binary or memory string: /C vssadmin.exe Delete Shadows /All /Quiet
Source: FacebookSecurityUpdate.exe, 00000002.00000002.202794643.0000000000D92000.00000002.00020000.sdmp | Binary or memory string: cmd.exeU/C vssadmin.exe Delete Shadows /All /Quiet
Source: FacebookSecurityUpdate.exe | Binary or memory string: /C vssadmin.exe Delete Shadows /All /Quiet
Source: FacebookSecurityUpdate.exe, 00000005.00000002.457267428.0000000000602000.00000002.00020000.sdmp | Binary or memory string: cmd.exeU/C vssadmin.exe Delete Shadows /All /Quiet
Source: FacebookSecurityUpdate.exe | Binary or memory string: /C vssadmin.exe Delete Shadows /All /Quiet
Source: FacebookSecurityUpdate.exe, 00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp | Binary or memory string: cmd.exeU/C vssadmin.exe Delete Shadows /All /Quiet
Source: FacebookSecurityUpdate.exe.0.dr | Binary or memory string: cmd.exeU/C vssadmin.exe Delete Shadows /All /Quiet

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.202794643.0000000000D92000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 00000000.00000002.194570475.0000000012DFB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 00000002.00000000.193556825.0000000000D92000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 00000006.00000002.211316911.0000000000182000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 00000005.00000002.457267428.0000000000602000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 00000005.00000000.202485476.0000000000602000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, type: DROPPED | Matched rule: Detects Vermin Keylogger | Author: Florian Roth
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, type: DROPPED | Matched rule: Detects Patchwork malware | Author: Florian Roth
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, type: DROPPED | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, type: DROPPED | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, type: DROPPED | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, type: DROPPED | Matched rule: Detects Vermin Keylogger | Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, type: DROPPED | Matched rule: Detects Patchwork malware | Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, type: DROPPED | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, type: DROPPED | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, type: DROPPED | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
Source: 6.0.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Vermin Keylogger | Author: Florian Roth
Source: 6.0.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Patchwork malware | Author: Florian Roth
Source: 6.0.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 6.0.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 6.0.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 6.0.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
Source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.unpack, type: UNPACKEDPE | Matched rule: Detects Vermin Keylogger | Author: Florian Roth
Source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.unpack, type: UNPACKEDPE | Matched rule: Detects Patchwork malware | Author: Florian Roth
Source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
Source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.unpack, type: UNPACKEDPE | Matched rule: Detects Vermin Keylogger | Author: Florian Roth
Source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.unpack, type: UNPACKEDPE | Matched rule: Detects Patchwork malware | Author: Florian Roth
Source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
Source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set | Author: Florian Roth
Source: 6.2.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Vermin Keylogger | Author: Florian Roth
Source: 6.2.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Patchwork malware | Author: Florian Roth
Source: 6.2.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 6.2.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 6.2.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware | Author: Florian Roth
      Source: 6.2.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
      Source: 5.0.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: Detects Vermin Keylogger Author: Florian Roth
      Source: 2.0.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: Detects Vermin Keylogger Author: Florian Roth
      Source: 5.0.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: Detects Patchwork malware Author: Florian Roth
      Source: 5.0.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
      Source: 5.0.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
      Source: 5.0.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
      Source: 5.0.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
      Source: 2.0.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: Detects Patchwork malware Author: Florian Roth
      Source: 2.0.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
      Source: 2.0.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
      Source: 2.0.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
      Source: 2.0.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
      Source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.unpack, type: UNPACKEDPEMatched rule: Detects Vermin Keylogger Author: Florian Roth
      Source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.unpack, type: UNPACKEDPEMatched rule: Detects Patchwork malware Author: Florian Roth
      Source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
      Source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
      Source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
      Source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
      Source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Vermin Keylogger Author: Florian Roth
      Source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Patchwork malware Author: Florian Roth
      Source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
      Source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
      Source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
      Source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
      Source: 5.2.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: Detects Vermin Keylogger Author: Florian Roth
      Source: 5.2.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: Detects Patchwork malware Author: Florian Roth
      Source: 5.2.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
      Source: 5.2.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
      Source: 5.2.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
      Source: 5.2.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
      Source: 2.2.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: Detects Vermin Keylogger Author: Florian Roth
      Source: 2.2.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: Detects Patchwork malware Author: Florian Roth
      Source: 2.2.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
      Source: 2.2.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
      Source: 2.2.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
      Source: 2.2.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
      Source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Vermin Keylogger Author: Florian Roth
      Source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Patchwork malware Author: Florian Roth
      Source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
      Source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
      Source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
      Source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
      Source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
      Source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
      Source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
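      The YARA match listing above, and the longer form further down the page in which each rule's full metadata is repeated for every source it hit, is a flattened table whose column separators were lost in extraction ("type: DROPPEDMatched rule: ..."). The following Python is an added example, not part of the Joe Sandbox report or its tooling: it rebuilds the source/type/rule columns from such lines, separates each rule name from its metadata so the definition is kept once, and pulls out the reference sample hashes (the hashN fields) that each rule was written against, which are the natural pivot for finding related reports. The sample lines are copies of lines from this page; the " | "-separated variant the parser also accepts is an assumption about how the same table may be rendered elsewhere.

```python
"""Rebuild the (source, type, rule) table behind a sandbox report's YARA match lines.

Added example, not part of the Joe Sandbox report on this page. The report
emits one line per source/rule pair and repeats each rule's full metadata for
every source it hit; after extraction the column separators are gone
("type: DROPPEDMatched rule: ..."). This parser accepts both that fused form
and a "type: DROPPED | Matched rule: ..." form (assumed rendering), separates
the rule name from its metadata, deduplicates rule definitions, and exposes
the match matrix and the reference sample hashes each rule was built from.
"""
import re
from collections import defaultdict

# One match line. The type column may be fused directly onto "Matched rule:".
LINE_RE = re.compile(
    r"Source:\s*(?P<source>.+?),\s*type:\s*(?P<type>[A-Z]+)\s*\|?\s*Matched rule:\s*(?P<rest>.+)$"
)
# "key = value" pairs in the long form; a value runs until the next ", key =".
META_RE = re.compile(r"(?P<key>\w+)\s*=\s*(?P<value>.+?)(?=,\s*\w+\s*=|$)")


def parse_matches(lines):
    """Return (matches, rules): matches is a list of (source, type, rule name);
    rules maps rule name -> metadata dict (author, description, hashN, reference, ...)."""
    matches = []
    rules = {}
    for line in lines:
        m = LINE_RE.search(line.strip())
        if not m:
            continue  # not a YARA match line (e.g. "Code function:" or "Section loaded:" rows)
        rest = m.group("rest").strip()
        if " Author: " in rest:
            # Short form: "Detects Quasar RAT Author: Florian Roth" (description only)
            name, author = (s.strip() for s in rest.split(" Author: ", 1))
            meta = {"description": name, "author": author}
        else:
            # Long form: "Quasar_RAT_1 date = 2017-04-07, hash1 = ..., author = ..., ..."
            name, _, tail = rest.partition(" ")
            meta = {k: v.strip() for k, v in META_RE.findall(tail)}
        rules.setdefault(name, {}).update(meta)
        matches.append((m.group("source"), m.group("type"), name))
    return matches, rules


def rule_matrix(matches):
    """source -> {rule name: number of hits}. In the short form two Quasar rules
    share one description, so the count is what tells them apart."""
    matrix = defaultdict(lambda: defaultdict(int))
    for source, _kind, rule in matches:
        matrix[source][rule] += 1
    return {src: dict(hits) for src, hits in matrix.items()}


def sources_by_rule(matches):
    """rule name -> sorted list of sources (dropped files, memory dumps, unpacked PEs) it hit."""
    by_rule = defaultdict(set)
    for source, _kind, rule in matches:
        by_rule[rule].add(source)
    return {rule: sorted(srcs) for rule, srcs in by_rule.items()}


def reference_hashes(rules):
    """rule name -> sorted SHA-256 values from its hashN fields, i.e. the samples the
    rule was written against; empty for short-form entries that carry no metadata."""
    return {
        name: sorted(v for k, v in meta.items() if re.fullmatch(r"hash\d+", k))
        for name, meta in rules.items()
    }


# Sample input: lines copied from this report page (constructed test set, not a live feed).
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, type: DROPPEDMatched rule: Detects Vermin Keylogger Author: Florian Roth",
    r"Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, type: DROPPEDMatched rule: Detects Quasar RAT Author: Florian Roth",
    r"Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, type: DROPPEDMatched rule: Detects Quasar RAT Author: Florian Roth",
    "Source: 00000002.00000002.202794643.0000000000D92000.00000002.00020000.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/",
    # Same table rendered with an explicit separator (assumed variant).
    "Source: 6.0.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10",
    r"Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe | Section loaded: sfc.dll",  # not a match line, skipped
]


def summary(lines):
    """Parse the lines and return the three views together."""
    matches, rules = parse_matches(lines)
    return {
        "matrix": rule_matrix(matches),
        "by_rule": sources_by_rule(matches),
        "hashes": reference_hashes(rules),
    }


if __name__ == "__main__":
    result = summary(SAMPLE_LINES)
    for src, hits in result["matrix"].items():
        print(src, "->", ", ".join(f"{rule} x{n}" for rule, n in hits.items()))
    for rule, hashes in result["hashes"].items():
        if hashes:
            print(rule, "reference samples:", ", ".join(hashes))
```

      Feeding the whole signature section of a report through parse_matches turns the repeated metadata into one definition per rule and a matrix of which dropped file, memory dump or unpacked PE each rule hit; the hashN values are the quickest way to pull the original samples the rule author worked from.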
      .NET source code contains very large array initializations
      Source: FacebookSecurityUpdate.exe, Program.cs | Large array initialization: .cctor: array initializer size 364064
      Source: 0.0.FacebookSecurityUpdate.exe.b00000.0.unpack, Program.cs | Large array initialization: .cctor: array initializer size 364064
      Source: 0.2.FacebookSecurityUpdate.exe.b00000.0.unpack, Program.cs | Large array initialization: .cctor: array initializer size 364064
      Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe | File created: C:\Windows\SysWOW64\FacebookSecurityUpdate
      Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe | Code functions: 0_2_00007FFAEEB00BAA, 0_2_00007FFAEEB00B0F
      Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe | Code functions: 2_2_0185F120, 2_2_0185F9F0, 2_2_0185EDD8, 2_2_031F10F8, 2_2_031F941A, 2_2_031F9428, 2_2_031F2AD8, 2_2_00D92268, 2_2_00D922A3
      Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe | Code functions: 5_2_028FF120, 5_2_028FF9F0, 5_2_028FEDD8, 5_2_050210F8, 5_2_064C74B8, 5_2_064C9BC0, 5_2_066E40D3, 5_2_066E0040, 5_2_066E1938, 5_2_006022A3, 5_2_00602268
      Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe | Code functions: 6_2_0244F120, 6_2_0244F9F0, 6_2_0244EDD8, 6_2_00182268, 6_2_001822A3
      Source: FacebookSecurityUpdate.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: FacebookSecurityUpdate.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (three resources)
      Source: FacebookSecurityUpdate.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (three resources)
      Source: FacebookSecurityUpdate.exe, 00000000.00000002.194045780.0000000000B5E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFacebookSecurityUpdate2.exeT vs FacebookSecurityUpdate.exe
      Source: FacebookSecurityUpdate.exe, 00000000.00000002.195187389.000000001B6A0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs FacebookSecurityUpdate.exe
      Source: FacebookSecurityUpdate.exe, 00000000.00000002.195187389.000000001B6A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs FacebookSecurityUpdate.exe
      Source: FacebookSecurityUpdate.exe, 00000000.00000002.194371381.0000000002BD0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs FacebookSecurityUpdate.exe
      Source: FacebookSecurityUpdate.exe, 00000000.00000002.194212229.0000000001119000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs FacebookSecurityUpdate.exe
      Source: FacebookSecurityUpdate.exe | Binary or memory string: OriginalFilename vs FacebookSecurityUpdate.exe
      Source: FacebookSecurityUpdate.exe, 00000002.00000002.205296724.0000000006440000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs FacebookSecurityUpdate.exe
      Source: FacebookSecurityUpdate.exe | Binary or memory string: OriginalFilename vs FacebookSecurityUpdate.exe
      Source: FacebookSecurityUpdate.exe, 00000005.00000002.464144275.0000000006409000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs FacebookSecurityUpdate.exe
      Source: FacebookSecurityUpdate.exe, 00000005.00000002.463352578.0000000005DC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs FacebookSecurityUpdate.exe
      Source: FacebookSecurityUpdate.exe, 00000005.00000002.458050689.0000000000D00000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs FacebookSecurityUpdate.exe
      Source: FacebookSecurityUpdate.exe | Binary or memory string: OriginalFilename vs FacebookSecurityUpdate.exe
      Source: FacebookSecurityUpdate.exe | Binary or memory string: OriginalFilenameFacebookSecurityUpdate2.exeT vs FacebookSecurityUpdate.exe
      Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe | Section loaded: sfc.dll
      Source: FacebookSecurityUpdate.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: 00000002.00000002.202794643.0000000000D92000.00000002.00020000.sdmp, type: MEMORY
        Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp, type: MEMORY
        Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000000.00000002.194570475.0000000012DFB000.00000004.00000001.sdmp, type: MEMORY
        Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000002.00000000.193556825.0000000000D92000.00000002.00020000.sdmp, type: MEMORY
        Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000006.00000002.211316911.0000000000182000.00000002.00020000.sdmp, type: MEMORY
        Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000005.00000002.457267428.0000000000602000.00000002.00020000.sdmp, type: MEMORY
        Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000005.00000000.202485476.0000000000602000.00000002.00020000.sdmp, type: MEMORY
        Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, type: DROPPED
        Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
        Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
        Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
        Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
        Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
        Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, type: DROPPED
        Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
        Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
        Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
        Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
        Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
        Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.0.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE
        Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
        Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
        Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
        Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
        Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
        Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.unpack, type: UNPACKEDPE
        Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
        Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
        Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
        Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
        Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
        Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
      Source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
      Source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
      Source: 6.2.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
      Source: 6.2.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 5.0.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.0.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 5.0.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 5.0.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 5.0.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
      Source: 5.0.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
      Source: 5.0.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.0.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.0.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.0.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
      Source: 2.0.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
      Source: 2.0.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
      Source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
      Source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.raw.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
      Source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
      Source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 5.2.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 5.2.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 5.2.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 5.2.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
      Source: 5.2.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
      Source: 5.2.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
      Source: 2.2.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
      Source: 2.2.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.raw.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.raw.unpack, type: UNPACKEDPEMatched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
      Source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
      Source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.raw.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.raw.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
      Source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
      Source: FacebookSecurityUpdate.exe; Static PE information: Section .text: IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: FacebookSecurityUpdate.exe, Program.cs; Cryptographic APIs: 'CreateDecryptor'
      Source: 0.0.FacebookSecurityUpdate.exe.b00000.0.unpack, Program.cs; Cryptographic APIs: 'CreateDecryptor'
      Source: 0.2.FacebookSecurityUpdate.exe.b00000.0.unpack, Program.cs; Cryptographic APIs: 'CreateDecryptor'
      Source: FacebookSecurityUpdate.exe.0.dr, xClient/Config/Settings.csBase64 encoded string: 'mMe3gJMC9DeJStdB5GTtVD+HckaQ+tOPO2S9EVX2/baacj/7hz6ceVVtXiI7WldYSBQ63NXqDVlvJdzA2PRsyloD5oksmlpsB+DOuRjzLWc=', 'iPRWEhPQcACaPag89myPoG2tznzvkJmMTQ8LFkZBSJFfo/OFNhnKRCGlb1iJUjU4yQG65FDC/73gSiVfipWLZjcT+u3BjEW2WZOAgmttXjw=', 'jaHZCsAteKvkzVY7K1AgQfhdvUGid8MRsahPH7RM/LyXkcX1ECTR+qGiYgQGIqty8/5t41NeTPOlEIdgnpP3HttZ6iESH/WSB/JxiHFWeXA=', 'v9h85HQ5n0YnSdW7borrINWnAyMICVXE6ZbmdlKlvbzB1pMnb+yvwe4thS6si/gJ04Pa7jigDEBPTQpRaGihaGHDSFaf7Qk8Esm4F/qpd0U=', 'wBXI35RtrHCr2xPf6V18IkO8DRvcj4MOy3fC1okVmNNBWdrqtLScKs1GRJ3UgnckTY2oAADkYsRI8DpJpGRhawA9iswSzK6Ve3/N+KlMYgk=', 'K+Ix5awQ33iiAjrLXHPucr0EjV2hzgD5rxwuB7ruLPcoDGlBSv3p3KBev8WiOim+9d6z0LZkwG+/Fw9waXeXqg==', 'mwtcOVCeoic1avOHC89vGNgwk+dBHbBe5paYMOaVzScO1j+cX46eIWP3qsQlybylRbAVgdpQxiyZv1jAKSFovA=='
      Source: 2.2.FacebookSecurityUpdate.exe.d90000.0.unpack, xClient/Core/Helper/WindowsAccountHelper.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 2.2.FacebookSecurityUpdate.exe.d90000.0.unpack, xClient/Core/Helper/WindowsAccountHelper.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: FacebookSecurityUpdate.exe.0.dr, xClient/Core/Helper/WindowsAccountHelper.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: FacebookSecurityUpdate.exe.0.dr, xClient/Core/Helper/WindowsAccountHelper.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 5.2.FacebookSecurityUpdate.exe.600000.0.unpack, xClient/Core/Helper/WindowsAccountHelper.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 5.2.FacebookSecurityUpdate.exe.600000.0.unpack, xClient/Core/Helper/WindowsAccountHelper.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: FacebookSecurityUpdate.exe.2.dr, xClient/Core/Helper/WindowsAccountHelper.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: FacebookSecurityUpdate.exe.2.dr, xClient/Core/Helper/WindowsAccountHelper.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 5.0.FacebookSecurityUpdate.exe.600000.0.unpack, xClient/Core/Helper/WindowsAccountHelper.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 5.0.FacebookSecurityUpdate.exe.600000.0.unpack, xClient/Core/Helper/WindowsAccountHelper.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: classification engine Classification label: mal100.rans.spre.troj.spyw.evad.winEXE@12/6@2/3
      Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FacebookSecurityUpdate.exe.log
      Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe Mutant created: \Sessions\1\BaseNamedObjects\EhJ5YrFqRiwpbh4NdP
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3180:120:WilError_01
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5856:120:WilError_01
      Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe File created: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe
      Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
      Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: FacebookSecurityUpdate.exe Virustotal: Detection: 57%
      Source: FacebookSecurityUpdate.exe ReversingLabs: Detection: 50%
      Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe File read: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe
      Source: unknown Process created: C:\Users\user\Desktop\FacebookSecurityUpdate.exe 'C:\Users\user\Desktop\FacebookSecurityUpdate.exe'
      Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe Process created: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe 'C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe'
      Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks' /create /tn 'FacebookSecurityUpdate' /sc ONLOGON /tr 'C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe' /rl HIGHEST /f
      Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe Process created: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe
      Source: unknown Process created: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe
      Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks' /create /tn 'FacebookSecurityUpdate' /sc ONLOGON /tr 'C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe' /rl HIGHEST /f
      Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
      Source: FacebookSecurityUpdate.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: FacebookSecurityUpdate.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

      Data Obfuscation:

      Detected unpacking (overwrites its own PE header)
      Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe Unpacked PE file: 0.2.FacebookSecurityUpdate.exe.b00000.0.unpack
      Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe Code function: 5_2_0502C520 push es; ret 5_2_0502C530
      Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe Code function: 5_2_0502C4A0 push es; ret 5_2_0502C4B0
      Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe Code function: 5_2_0502C4A0 push es; ret 5_2_0502C510
      Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe Code function: 5_2_0502C4BA push es; ret 5_2_0502C530
      Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe Code function: 5_2_0502E110 push es; ret 5_2_0502E120
      Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe Code function: 5_2_0502B50A push E8000000h; ret 5_2_0502B509
      Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe Code function: 5_2_05027E38 pushfd ; ret 5_2_05027E61
      Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe Code function: 5_2_064CE081 push es; ret 5_2_064CE090
      Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe Code function: 6_2_0244CB9C push 0244CB54h; retf 6_2_0244CB4A
      Source: initial sample Static PE information: section name: .text entropy: 7.99565745527

      Persistence and Installation Behavior:

      Drops executables to the windows directory (C:\Windows) and starts them
      Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe Executable created and started: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe
      Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe File created: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe
      Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe File created: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe

      Boot Survival:

      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks' /create /tn 'FacebookSecurityUpdate' /sc ONLOGON /tr 'C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe' /rl HIGHEST /f

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe File opened: C:\Users\user\Desktop\FacebookSecurityUpdate.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe File opened: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe File opened: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe:Zone.Identifier read attributes | delete
      Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe File opened: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
      Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: FacebookSecurityUpdate.exe -- Binary or memory string: SBIEDLL.DLL
Source: FacebookSecurityUpdate.exe, 00000000.00000002.194570475.0000000012DFB000.00000004.00000001.sdmp, FacebookSecurityUpdate.exe, 00000002.00000002.202794643.0000000000D92000.00000002.00020000.sdmp, FacebookSecurityUpdate.exe, 00000005.00000002.457267428.0000000000602000.00000002.00020000.sdmp, FacebookSecurityUpdate.exe, 00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp, FacebookSecurityUpdate.exe.0.dr -- Binary or memory string: SBIEDLL.DLL[SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe -- File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe -- Thread delayed: delay time: 922337203685477 (reported twice)
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe -- Thread delayed: delay time: 922337203685477
(The same set of delay observations is reported a second time further down in the original trace. 922337203685477 is the millisecond value of .NET TimeSpan.MaxValue, i.e. Int64.MaxValue ticks divided by 10000, so these are effectively unbounded waits rather than timed sleeps.)
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe -- Window / User API: threadDelayed 2290
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe -- Window / User API: threadDelayed 7062
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe TID: 3880 -- Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe TID: 3112 -- Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe TID: 2796 -- Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe TID: 3012 -- Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe TID: 5416 -- Thread sleep count: 2290 > 30
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe TID: 5416 -- Thread sleep count: 7062 > 30
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe TID: 492 -- Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (reported twice)
Source: C:\Windows\System32\conhost.exe -- Last function: Thread delayed (reported twice)
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe -- File opened: C:\Users\user
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe -- File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe -- File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe -- File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe -- File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe -- File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: FacebookSecurityUpdate.exe, FacebookSecurityUpdate.exe.0.dr -- Binary or memory string: vboxtray
Source: FacebookSecurityUpdate.exe.0.dr -- Binary or memory string: VMwareService
Source: FacebookSecurityUpdate.exe.0.dr -- Binary or memory string: VMwareTray
Source: FacebookSecurityUpdate.exe.0.dr -- Binary or memory string: vboxservice
Source: FacebookSecurityUpdate.exe.0.dr -- Binary or memory string: vmtoolsd
Source: FacebookSecurityUpdate.exe, 00000002.00000002.205296724.0000000006440000.00000002.00000001.sdmp, FacebookSecurityUpdate.exe, 00000005.00000002.463352578.0000000005DC0000.00000002.00000001.sdmp -- Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: FacebookSecurityUpdate.exe, 00000002.00000002.205296724.0000000006440000.00000002.00000001.sdmp, FacebookSecurityUpdate.exe, 00000005.00000002.463352578.0000000005DC0000.00000002.00000001.sdmp -- Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: FacebookSecurityUpdate.exe, 00000002.00000002.205296724.0000000006440000.00000002.00000001.sdmp, FacebookSecurityUpdate.exe, 00000005.00000002.463352578.0000000005DC0000.00000002.00000001.sdmp -- Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: FacebookSecurityUpdate.exe, 00000002.00000002.205296724.0000000006440000.00000002.00000001.sdmp, FacebookSecurityUpdate.exe, 00000005.00000002.463352578.0000000005DC0000.00000002.00000001.sdmp -- Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
(The four Hyper-V messages above are standard Windows HCS error-message text, not strings the sample's own .NET code needs to carry; unlike the VM process names they are weak evidence on their own.)
Source: FacebookSecurityUpdate.exe, 00000000.00000003.193763428.00000000011CE000.00000004.00000001.sdmp -- Binary or memory string: _NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe -- Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe -- Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe -- Process token adjusted: Debug
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe -- Process token adjusted: Debug
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe -- Memory allocated: page read and write, page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: FacebookSecurityUpdate.exe.0.dr, xClient/Core/Utilities/NativeMethods.cs -- Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: FacebookSecurityUpdate.exe.0.dr, xClient/Core/MouseKeyHook/WinApi/KeyboardNativeMethods.cs -- Reference to suspicious API methods: ('MapVirtualKeyEx', 'MapVirtualKeyEx@user32.dll')
Source: FacebookSecurityUpdate.exe.2.dr, xClient/Core/Utilities/NativeMethods.cs -- Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: FacebookSecurityUpdate.exe.2.dr, xClient/Core/MouseKeyHook/WinApi/KeyboardNativeMethods.cs -- Reference to suspicious API methods: ('MapVirtualKeyEx', 'MapVirtualKeyEx@user32.dll')
Source: 2.2.FacebookSecurityUpdate.exe.d90000.0.unpack, xClient/Core/MouseKeyHook/WinApi/KeyboardNativeMethods.cs -- Reference to suspicious API methods: ('MapVirtualKeyEx', 'MapVirtualKeyEx@user32.dll')
Source: 2.2.FacebookSecurityUpdate.exe.d90000.0.unpack, xClient/Core/Utilities/NativeMethods.cs -- Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 5.0.FacebookSecurityUpdate.exe.600000.0.unpack, xClient/Core/Utilities/NativeMethods.cs -- Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 5.0.FacebookSecurityUpdate.exe.600000.0.unpack, xClient/Core/MouseKeyHook/WinApi/KeyboardNativeMethods.cs -- Reference to suspicious API methods: ('MapVirtualKeyEx', 'MapVirtualKeyEx@user32.dll')
Source: 5.2.FacebookSecurityUpdate.exe.600000.0.unpack, xClient/Core/MouseKeyHook/WinApi/KeyboardNativeMethods.cs -- Reference to suspicious API methods: ('MapVirtualKeyEx', 'MapVirtualKeyEx@user32.dll')
Source: 5.2.FacebookSecurityUpdate.exe.600000.0.unpack, xClient/Core/Utilities/NativeMethods.cs -- Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe -- Process created: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe 'C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe'
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks' /create /tn 'FacebookSecurityUpdate' /sc ONLOGON /tr 'C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe' /rl HIGHEST /f
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe -- Process created: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks' /create /tn 'FacebookSecurityUpdate' /sc ONLOGON /tr 'C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe' /rl HIGHEST /f
(Each copy registers itself as a logon task under the same task name; /f replaces any existing task of that name. /rl HIGHEST yields an elevated task only when the creating account is an administrator, and the successful drop into C:\Windows\SysWOW64 shows the sample did run with administrative rights here; for a standard user the task would still run with that user's token.)
Source: FacebookSecurityUpdate.exe, FacebookSecurityUpdate.exe.0.dr -- Binary or memory string: Program Manager
Source: FacebookSecurityUpdate.exe, FacebookSecurityUpdate.exe.0.dr -- Binary or memory string: Shell_TrayWnd
Source: FacebookSecurityUpdate.exe, FacebookSecurityUpdate.exe.0.dr -- Binary or memory string: Progman
Source: FacebookSecurityUpdate.exe, 00000005.00000002.459160941.0000000001460000.00000002.00000001.sdmp -- Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\FacebookSecurityUpdate.exe -- Queries volume information: C:\Users\user\Desktop\FacebookSecurityUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe -- Queries volume information: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe -- Queries volume information: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe VolumeInformation
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe -- Queries volume information (reported again): C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, System.Windows.Forms.dll, System.Drawing.dll and System.Management.dll at the GAC_MSIL paths listed above
Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
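The two schtasks command lines recorded in this section (ONLOGON trigger, /rl HIGHEST, /f, and a target path equal to the process that created the task) form a compact persistence signature. The script below is an added detection example, not code from Joe Sandbox or from the Quasar client: it parses constructed Sysmon Event ID 1 style records modelled on those command lines (the PIDs and the benign backup-task events are invented, and the list of user-writable directories is an assumption) and reports every task creation that combines two or more of the suspicious traits.

```python
"""Flag schtasks-based persistence in process-creation telemetry."""
import re
from typing import Dict, List, Tuple

# Constructed Sysmon Event ID 1 style records modelled on the schtasks command lines in this
# report (Joe Sandbox renders command-line quotes as single quotes). The PIDs and the
# backup-task events are invented for the example.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 101, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent": r"C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe",
     "cmdline": r"'schtasks' /create /tn 'FacebookSecurityUpdate' /sc ONLOGON "
                r"/tr 'C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe' /rl HIGHEST /f"},
    {"pid": 102, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent": r"C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe",
     "cmdline": r"'schtasks' /create /tn 'FacebookSecurityUpdate' /sc ONLOGON "
                r"/tr 'C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe' /rl HIGHEST /f"},
    {"pid": 103, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /create /tn NightlyBackup /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'},
    {"pid": 104, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "schtasks /query /tn NightlyBackup"},
]

TOKEN_RE = re.compile(r"""'[^']*'|"[^"]*"|\S+""")
# Locations an unprivileged user can write to (assumption of this example; extend for your estate).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\appdata\\local\\",
                 "\\users\\public\\", "\\programdata\\")


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted paths with spaces as one token."""
    return [t.strip("'\"") for t in TOKEN_RE.findall(cmdline)]


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Map each /switch (lower-cased) to its value, or '' for bare flags such as /create and /f."""
    toks = tokenize(cmdline)
    args: Dict[str, str] = {}
    i = 0
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                args[key] = toks[i + 1]
                i += 2
                continue
            args[key] = ""
        i += 1
    return args


def assess(event: Dict[str, object]) -> List[str]:
    """Return the suspicious traits of one event; an empty list means nothing to report."""
    if not str(event["image"]).lower().endswith("\\schtasks.exe"):
        return []
    args = parse_schtasks(str(event["cmdline"]))
    if "/create" not in args:
        return []
    target = args.get("/tr", "").lower()
    reasons: List[str] = []
    if args.get("/sc", "").upper() == "ONLOGON":
        reasons.append("trigger: ONLOGON")
    if args.get("/rl", "").upper() == "HIGHEST":
        reasons.append("run level: HIGHEST")
    if any(d in target for d in USER_WRITABLE):
        reasons.append("target in user-writable path")
    if target and target == str(event["parent"]).lower():
        reasons.append("target is the creating process itself")
    if "/f" in args:
        reasons.append("/f silently replaces an existing task of the same name")
    return reasons


def scan(events: List[Dict[str, object]]) -> List[Tuple[int, List[str]]]:
    """Report events that combine at least two traits; a single trait is common in admin scripts."""
    findings: List[Tuple[int, List[str]]] = []
    for e in events:
        reasons = assess(e)
        if len(reasons) >= 2:
            findings.append((int(e["pid"]), reasons))  # type: ignore[call-overload]
    return findings


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

On real telemetry, feed the same three fields (image, parent image, command line) from Sysmon Event ID 1 or Security event 4688 with command-line auditing enabled; the self-referencing target check is the trait that separates a self-installing RAT from ordinary logon tasks.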

Lowering of HIPS / PFW / Operating System Security Settings:

Contains functionality to disable the Task Manager (.Net Source)
Source: FacebookSecurityUpdate.exe.0.dr, xClient/Core/Commands/CommandHandler.cs -- .Net Code: HandleDoDisableTaskmgr
Source: FacebookSecurityUpdate.exe.2.dr, xClient/Core/Commands/CommandHandler.cs -- .Net Code: HandleDoDisableTaskmgr
Source: 2.2.FacebookSecurityUpdate.exe.d90000.0.unpack, xClient/Core/Commands/CommandHandler.cs -- .Net Code: HandleDoDisableTaskmgr
Source: 5.0.FacebookSecurityUpdate.exe.600000.0.unpack, xClient/Core/Commands/CommandHandler.cs -- .Net Code: HandleDoDisableTaskmgr
Source: 5.2.FacebookSecurityUpdate.exe.600000.0.unpack, xClient/Core/Commands/CommandHandler.cs -- .Net Code: HandleDoDisableTaskmgr
Source: FacebookSecurityUpdate.exe, 00000005.00000002.458760674.0000000000DD5000.00000004.00000020.sdmp -- Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe -- WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe -- WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Quasar RAT
Source: Yara match -- File source: 00000002.00000002.202794643.0000000000D92000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.194570475.0000000012DFB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match -- File source: 00000002.00000000.193556825.0000000000D92000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000006.00000002.211316911.0000000000182000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000005.00000002.457267428.0000000000602000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000005.00000000.202485476.0000000000602000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: FacebookSecurityUpdate.exe PID: 6124, type: MEMORY
Source: Yara match -- File source: Process Memory Space: FacebookSecurityUpdate.exe PID: 5648, type: MEMORY
Source: Yara match -- File source: Process Memory Space: FacebookSecurityUpdate.exe PID: 5640, type: MEMORY
Source: Yara match -- File source: Process Memory Space: FacebookSecurityUpdate.exe PID: 3348, type: MEMORY
Source: Yara match -- File source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, type: DROPPED
Source: Yara match -- File source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, type: DROPPED
Source: Yara match -- File source: 6.0.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 6.2.FacebookSecurityUpdate.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 5.0.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.0.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.FacebookSecurityUpdate.exe.12eacff8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 5.2.FacebookSecurityUpdate.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.FacebookSecurityUpdate.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.FacebookSecurityUpdate.exe.12e541c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.FacebookSecurityUpdate.exe.12dfb378.3.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Quasar RAT
Source: Yara match -- File source: the same 25 memory dumps, process memory spaces, dropped files and unpacked PEs listed under "Stealing of Sensitive Information" above (7 MEMORY dumps, 4 process memory spaces for PIDs 6124, 5648, 5640 and 3348, 2 DROPPED files, 12 UNPACKEDPE images)
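The strings this report lists under the evasion findings (SBIEDLL.DLL, vboxtray, vboxservice, vmtoolsd, VMwareService, VMwareTray) and under the .NET-source findings (the xClient.Core namespace, HandleDoDisableTaskmgr, MouseKeyHook, Shell_TrayWnd, Progman) can be turned into a YARA-style triage check. The block below is an added example and is not the community rule the sandbox matched: it scans a constructed byte blob for those indicators both in narrow ASCII (how .NET metadata names are stored) and in UTF-16LE (how C# string literals sit in the #US heap and in process memory), case-insensitively, and applies a Yara-like condition. The indicator grouping, the verdict threshold and the sample blob are assumptions of this example.

```python
"""Yara-style triage check built from the string indicators listed in this report."""
import re
from typing import Dict, List

# Indicator strings taken from the report's "Binary or memory string" and ".Net Code"
# findings. Grouping and the verdict threshold are assumptions of this example.
INDICATORS: Dict[str, List[str]] = {
    "sandbox_evasion": ["SbieDll.dll", "vboxtray", "vboxservice", "vmtoolsd",
                        "VMwareService", "VMwareTray"],
    "quasar_client_code": ["xClient.Core", "HandleDoDisableTaskmgr", "MouseKeyHook"],
    "desktop_window_names": ["Shell_TrayWnd", "Progman", "Program Manager"],
}


def indicator_pattern(s: str) -> "re.Pattern[bytes]":
    """Match s as narrow ASCII or as UTF-16LE, ignoring ASCII case in both encodings."""
    narrow = re.escape(s.encode("ascii"))
    wide = re.escape(s.encode("utf-16le"))
    return re.compile(b"(?:" + narrow + b")|(?:" + wide + b")", re.IGNORECASE)


PATTERNS = {group: [(s, indicator_pattern(s)) for s in strings]
            for group, strings in INDICATORS.items()}


def scan(blob: bytes) -> Dict[str, List[str]]:
    """Return {group: [matched indicator strings]} for every group with at least one hit."""
    hits: Dict[str, List[str]] = {}
    for group, pats in PATTERNS.items():
        found = [s for s, pat in pats if pat.search(blob)]
        if found:
            hits[group] = found
    return hits


def verdict(hits: Dict[str, List[str]]) -> str:
    """Yara-like condition: a Quasar client-code marker plus at least two evasion strings."""
    if "quasar_client_code" in hits and len(hits.get("sandbox_evasion", [])) >= 2:
        return "quasar_rat_suspected"
    return "review" if hits else "clean"


# Constructed test blob (not the sample): one ASCII metadata name, UTF-16LE string literals,
# and an upper-cased narrow string to exercise the case-insensitive match.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"xClient.Core.Utilities.NativeMethods\x00"
    + "SbieDll.dll".encode("utf-16le") + b"\x00\x00"
    + "vboxservice".encode("utf-16le") + b"\x00\x00"
    + b"VMWARETRAY\x00"
    + "HandleDoDisableTaskmgr".encode("utf-16le")
)

if __name__ == "__main__":
    found = scan(SAMPLE_BLOB)
    print(found, verdict(found))
```

Scanning both encodings matters for .NET samples: a rule written only against ASCII misses every C# literal, which is exactly where the VM process names and the SbieDll check live, while the namespace and method names are only present as narrow metadata strings.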

      Mitre Att&ck Matrix

The matrix is reconstructed below per tactic column. The trailing numbers are the report's per-technique signature counters, kept exactly as extracted; technique names without a counter are the matrix's unmatched template entries and were not observed for this sample.

Initial Access: Replication Through Removable Media (11); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Windows Management Instrumentation (131); Native API (1); Scheduled Task/Job (1); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: DLL Side-Loading (1); Scheduled Task/Job (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Privilege Escalation: DLL Side-Loading (1); Process Injection (12); Scheduled Task/Job (1); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (21); Software Packing (12); DLL Side-Loading (1); File Deletion (1); Masquerading (121); Virtualization/Sandbox Evasion (51); Process Injection (12); Hidden Files and Directories (1)
Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: Peripheral Device Discovery (1); File and Directory Discovery (2); System Information Discovery (123); Query Registry (1); Security Software Discovery (151); Process Discovery (2); Virtualization/Sandbox Evasion (51); Application Window Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (1)
Lateral Movement: Replication Through Removable Media (11); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: Archive Collected Data (11); Input Capture (11); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (112); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact

      Behavior Graph

Behavior Graph ID: 397328 | Sample: FacebookSecurityUpdate.exe | Startdate: 24/04/2021 | Architecture: WINDOWS | Score: 100

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 10 other signatures

Process tree (reconstructed from the graph; the legend icons are not reproduced):

FacebookSecurityUpdate.exe (submitted sample, started from the Desktop)
    dropped: C:\Users\user\...\FacebookSecurityUpdate.exe (PE32); C:\Users\...\FacebookSecurityUpdate.exe.log (ASCII)
    signatures: Detected unpacking (overwrites its own PE header); Hides that the sample has been downloaded from the Internet (zone.identifier)
    -> FacebookSecurityUpdate.exe (dropped copy)
        network: ip-api.com 208.95.112.1, TCP 80 from local ports 49707 and 49708 (TUT-ASUS United States)
        dropped: C:\Windows\...\FacebookSecurityUpdate.exe (PE32); C:\Users\...\FacebookSecurityUpdate.exe.log (ASCII)
        signatures: Antivirus detection for dropped file; May check the online IP address of the machine; Machine Learning detection for dropped file; 3 other signatures
        -> schtasks.exe
            -> conhost.exe
        -> FacebookSecurityUpdate.exe (copy under C:\Windows\...)
            network: 84.38.133.101, TCP 14782 from local port 49709 (DATACLUB-NL Latvia); 192.168.2.1 (unknown); ip-api.com
            dropped: C:\autorun.inf
            signatures: Antivirus detection for dropped file; Creates autorun.inf (USB autostart); May check the online IP address of the machine; 4 other signatures
            -> schtasks.exe
                -> conhost.exe
FacebookSecurityUpdate.exe (a second instance started directly from the Start node; no further activity is recorded for it in the graph)
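The graph shows the sequence the "May check the online IP address of the machine" signature refers to: HTTP requests to ip-api.com (208.95.112.1:80) followed within seconds by a connection to 84.38.133.101 on TCP 14782 from the same host. The script below is an added example, not part of the report: it runs that correlation over a constructed Zeek-style conn.log excerpt (timestamps, internal hosts and the benign rows are invented; the set of lookup-service addresses, the list of ports treated as ordinary and the 300-second window are assumptions of this example).

```python
"""Correlate an external-IP lookup with a follow-on connection to a non-standard port."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed Zeek-style conn.log excerpt (whitespace-separated, reduced header) modelled on the
# hosts and ports in this report's behavior graph: ip-api.com on 208.95.112.1:80 followed by
# 84.38.133.101:14782. Timestamps, internal hosts and the benign rows are invented.
SAMPLE_CONN_LOG = """
ts id.orig_h id.orig_p id.resp_h id.resp_p proto service
1619254800.10 192.168.2.10 49707 208.95.112.1 80 tcp http
1619254800.40 192.168.2.10 49708 208.95.112.1 80 tcp http
1619254802.75 192.168.2.10 49709 84.38.133.101 14782 tcp -
1619254900.00 192.168.2.11 50001 93.184.216.34 443 tcp ssl
1619255000.00 192.168.2.13 50200 208.95.112.1 80 tcp http
1619255010.00 192.168.2.13 50201 93.184.216.34 443 tcp ssl
1619255300.00 192.168.2.12 50100 208.95.112.1 80 tcp http
1619256300.00 192.168.2.12 50101 198.51.100.7 8443 tcp ssl
"""

# Assumptions of this example: the lookup-service set (ip-api.com's address from the report),
# the ports treated as ordinary, and the correlation window.
LOOKUP_SERVICE_IPS = {"208.95.112.1"}
ORDINARY_PORTS = {80, 443, 53, 25, 587, 993, 995, 8080}
WINDOW_SECONDS = 300.0


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse a whitespace-separated conn log with a header row into dicts, skipping comment lines."""
    rows = [ln for ln in text.strip().splitlines() if ln.strip() and not ln.startswith("#")]
    header = rows[0].split()
    return [dict(zip(header, ln.split())) for ln in rows[1:]]


def find_lookup_then_c2(records: List[Dict[str, str]]) -> List[Tuple[str, str, int]]:
    """Return (orig_h, resp_h, resp_p) for each connection to a non-ordinary port that follows an
    IP-lookup request from the same internal host within WINDOW_SECONDS."""
    by_host: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for r in sorted(records, key=lambda rec: float(rec["ts"])):
        by_host[r["id.orig_h"]].append(r)

    alerts: List[Tuple[str, str, int]] = []
    for host, recs in by_host.items():
        last_lookup: Optional[float] = None  # timestamp of the most recent lookup by this host
        for r in recs:
            ts = float(r["ts"])
            if r["id.resp_h"] in LOOKUP_SERVICE_IPS:
                last_lookup = ts
                continue
            port = int(r["id.resp_p"])
            if (last_lookup is not None and ts - last_lookup <= WINDOW_SECONDS
                    and port not in ORDINARY_PORTS):
                alerts.append((host, r["id.resp_h"], port))
    return alerts


if __name__ == "__main__":
    for host, dst, port in find_lookup_then_c2(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{host}: IP lookup followed by {dst}:{port}")
```

Only 192.168.2.10 is reported: 192.168.2.11 never performs a lookup, 192.168.2.13 follows its lookup with ordinary HTTPS, and 192.168.2.12's odd-port connection falls outside the window. The same logic applies to the report's second lookup from the C:\Windows copy, which repeats the pattern before reconnecting to the C2 address.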


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

Source | Detection | Scanner | Label
FacebookSecurityUpdate.exe | 57% | Virustotal | (no label)
FacebookSecurityUpdate.exe | 50% | ReversingLabs | ByteCode-MSIL.Trojan.Quasar
FacebookSecurityUpdate.exe | 100% | Avira | HEUR/AGEN.1109370
FacebookSecurityUpdate.exe | 100% | Joe Sandbox ML | (no label)

      Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe | 100% | Avira | HEUR/AGEN.1135947 |
C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe | 100% | Avira | HEUR/AGEN.1135947 |
C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe | 100% | Joe Sandbox ML | |
C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe | 100% | Joe Sandbox ML | |

      Unpacked PE Files

Source | Detection | Scanner | Label | Link | Download
0.0.FacebookSecurityUpdate.exe.b00000.0.unpack | 100% | Avira | HEUR/AGEN.1109370 | | Download File
5.0.FacebookSecurityUpdate.exe.600000.0.unpack | 100% | Avira | HEUR/AGEN.1135947 | | Download File
0.2.FacebookSecurityUpdate.exe.b00000.0.unpack | 100% | Avira | HEUR/AGEN.1109370 | | Download File
5.2.FacebookSecurityUpdate.exe.600000.0.unpack | 100% | Avira | HEUR/AGEN.1135947 | | Download File
6.2.FacebookSecurityUpdate.exe.180000.0.unpack | 100% | Avira | HEUR/AGEN.1135947 | | Download File
2.0.FacebookSecurityUpdate.exe.d90000.0.unpack | 100% | Avira | HEUR/AGEN.1135947 | | Download File
2.2.FacebookSecurityUpdate.exe.d90000.0.unpack | 100% | Avira | HEUR/AGEN.1135947 | | Download File
6.0.FacebookSecurityUpdate.exe.180000.0.unpack | 100% | Avira | HEUR/AGEN.1135947 | | Download File

      Domains

      No Antivirus matches

      URLs

Source | Detection | Scanner | Label | Link
http://schemas.datacontract.org | 0% | URL Reputation | safe |
http://schemas.datacontract.org | 0% | URL Reputation | safe |
http://schemas.datacontract.org | 0% | URL Reputation | safe |
http://schemas.datacontract.org | 0% | URL Reputation | safe |
http://schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe |
http://schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe |
http://schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe |
http://schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe |
http://schemas.datacontract.org/2004/07/xClient.Core.Data | 0% | Avira URL Cloud | safe |
84.38.133.101 | 0% | Avira URL Cloud | safe |
http://ip-api.com4 | 0% | Avira URL Cloud | safe |

      Domains and IPs

      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high

        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/json/ | false | | high
84.38.133.101 | true | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://api.ipify.org/ | FacebookSecurityUpdate.exe, FacebookSecurityUpdate.exe, 00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp, FacebookSecurityUpdate.exe.0.dr | false | | high
http://freegeoip.net/xml/ | FacebookSecurityUpdate.exe, FacebookSecurityUpdate.exe, 00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp, FacebookSecurityUpdate.exe.0.dr | false | | high
http://schemas.datacontract.org | FacebookSecurityUpdate.exe, 00000002.00000002.203600363.000000000327D000.00000004.00000001.sdmp | false | URL Reputation: safe (4 matches) | unknown
http://schemas.datacontract.org/2004/07/ | FacebookSecurityUpdate.exe, 00000002.00000002.203600363.000000000327D000.00000004.00000001.sdmp, FacebookSecurityUpdate.exe, 00000005.00000002.459478315.0000000002B7A000.00000004.00000001.sdmp | false | URL Reputation: safe (4 matches) | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | FacebookSecurityUpdate.exe, 00000002.00000002.203567334.000000000322E000.00000004.00000001.sdmp, FacebookSecurityUpdate.exe, 00000005.00000002.459447063.0000000002B41000.00000004.00000001.sdmp | false | | high
http://schemas.datacontract.org/2004/07/xClient.Core.Data | FacebookSecurityUpdate.exe, 00000002.00000002.203600363.000000000327D000.00000004.00000001.sdmp, FacebookSecurityUpdate.exe, 00000005.00000002.459478315.0000000002B7A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ip-api.com | FacebookSecurityUpdate.exe, 00000002.00000002.203567334.000000000322E000.00000004.00000001.sdmp, FacebookSecurityUpdate.exe, 00000005.00000002.459447063.0000000002B41000.00000004.00000001.sdmp | false | | high
http://ip-api.com4 | FacebookSecurityUpdate.exe, 00000002.00000002.203567334.000000000322E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                  Contacted IPs


                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
84.38.133.101 | unknown | Latvia | 203557 | DATACLUB-NL | true

                  Private

                  IP
                  192.168.2.1

                  General Information

                  Joe Sandbox Version:31.0.0 Emerald
                  Analysis ID:397328
                  Start date:24.04.2021
                  Start time:17:32:14
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 9m 45s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Sample file name:FacebookSecurityUpdate.exe
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:32
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal100.rans.spre.troj.spyw.evad.winEXE@12/6@2/3
                  EGA Information:Failed
                  HDC Information:
                  • Successful, ratio: 0.1% (good quality ratio 0.1%)
                  • Quality average: 45.7%
                  • Quality standard deviation: 33.5%
                  HCA Information:
                  • Successful, ratio: 99%
                  • Number of executed functions: 57
                  • Number of non-executed functions: 2
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .exe
                  Warnings:
                  • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, wermgr.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                  • Excluded IPs from analysis (whitelisted): 104.43.139.144, 104.43.193.48, 40.88.32.150, 20.82.210.154, 52.255.188.83, 184.30.20.56, 92.122.213.194, 92.122.213.247, 13.64.90.137, 93.184.221.240, 20.54.26.129, 20.190.160.8, 20.190.160.6, 20.190.160.4, 20.190.160.136, 20.190.160.75, 20.190.160.2, 20.190.160.134, 20.190.160.73
                  • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, skypedataprdcoleus15.cloudapp.net, login.live.com, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, wu.ec.azureedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                  • Report size getting too big, too many NtDeviceIoControlFile calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.

                  Simulations

                  Behavior and APIs

Time | Type | Description
17:33:02 | Task Scheduler | Run new task: FacebookSecurityUpdate path: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe
17:33:02 | API Interceptor | 679x Sleep call for process: FacebookSecurityUpdate.exe modified

                  Joe Sandbox View / Context

                  IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
208.95.112.1 | ls7y1NUlhZ.exe | Get hash | malicious | Browse | ip-api.com/json/
| J89wCWeANu.exe | Get hash | malicious | Browse | ip-api.com/json
| Cotizacin.jar | Get hash | malicious | Browse | ip-api.com/json/
| Purchase Order.jar | Get hash | malicious | Browse | ip-api.com/json/
| Draft-Copy-Bill-Of-Lading-FLXT-1049005B561815.exe | Get hash | malicious | Browse | ip-api.com/line/?fields=country
| PO#5200668.jar | Get hash | malicious | Browse | ip-api.com/json/
| PO#5200668.jar | Get hash | malicious | Browse | ip-api.com/json/
| Worksheet.exe | Get hash | malicious | Browse | ip-api.com/line/?fields=country
| Olyys.exe | Get hash | malicious | Browse | ip-api.com/json
| vpn.exe | Get hash | malicious | Browse | ip-api.com/json
| RemittanceAdvice_20210420_160446.jar | Get hash | malicious | Browse | ip-api.com/json/
| DHL SHIPPING DOCUMENT.jar | Get hash | malicious | Browse | ip-api.com/json/
| q7uNNDJUI2.exe | Get hash | malicious | Browse | ip-api.com/json?callback=jQuery191021412557233929374_1618854877576&_=1618854877577
| BQGxKexU78.exe | Get hash | malicious | Browse | ip-api.com/json?callback=jQuery1910008501960775371242_1618854812302&_=1618854812303
| SecuriteInfo.com.Trojan.Win32.Save.a.6606.exe | Get hash | malicious | Browse | ip-api.com/json
| gSyJqxW85g.exe | Get hash | malicious | Browse | ip-api.com/json/
| SecuriteInfo.com.Variant.Graftor.941749.26444.exe | Get hash | malicious | Browse | ip-api.com/line/
| OVNQqw2Wx6.exe | Get hash | malicious | Browse | ip-api.com/json
| SecuriteInfo.com.Dropped.Trojan.GenericKD.46121735.25361.exe | Get hash | malicious | Browse | ip-api.com/json
| 8B2XjWuTog.exe | Get hash | malicious | Browse | ip-api.com/json

                  Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
ip-api.com | ls7y1NUlhZ.exe | Get hash | malicious | Browse | 208.95.112.1
| J89wCWeANu.exe | Get hash | malicious | Browse | 208.95.112.1
| amCz0268Nl.exe | Get hash | malicious | Browse | 208.95.112.1
| Cotizacin.jar | Get hash | malicious | Browse | 208.95.112.1
| Purchase Order.jar | Get hash | malicious | Browse | 208.95.112.1
| Draft-Copy-Bill-Of-Lading-FLXT-1049005B561815.exe | Get hash | malicious | Browse | 208.95.112.1
| PO#5200668.jar | Get hash | malicious | Browse | 208.95.112.1
| PO#5200668.jar | Get hash | malicious | Browse | 208.95.112.1
| Worksheet.exe | Get hash | malicious | Browse | 208.95.112.1
| Olyys.exe | Get hash | malicious | Browse | 208.95.112.1
| vpn.exe | Get hash | malicious | Browse | 208.95.112.1
| RemittanceAdvice_20210420_160446.jar | Get hash | malicious | Browse | 208.95.112.1
| DHL SHIPPING DOCUMENT.jar | Get hash | malicious | Browse | 208.95.112.1
| q7uNNDJUI2.exe | Get hash | malicious | Browse | 208.95.112.1
| BQGxKexU78.exe | Get hash | malicious | Browse | 208.95.112.1
| SecuriteInfo.com.Trojan.Win32.Save.a.6606.exe | Get hash | malicious | Browse | 208.95.112.1
| gTqtH6gpC1.exe | Get hash | malicious | Browse | 208.95.112.1
| gSyJqxW85g.exe | Get hash | malicious | Browse | 208.95.112.1
| SecuriteInfo.com.Variant.Graftor.941749.26444.exe | Get hash | malicious | Browse | 208.95.112.1
| OVNQqw2Wx6.exe | Get hash | malicious | Browse | 208.95.112.1

                  ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
DATACLUB-NL | v1hBv6A71M.exe | Get hash | malicious | Browse | 84.38.133.24
| Standardequips_Quote.ppt | Get hash | malicious | Browse | 185.29.11.15
| XsNgUDFxLw.exe | Get hash | malicious | Browse | 84.38.133.117
| 18Order.exe | Get hash | malicious | Browse | 185.29.11.103
| 56New Order oct 2018230090.exe | Get hash | malicious | Browse | 185.29.11.103
TUT-ASUS | ls7y1NUlhZ.exe | Get hash | malicious | Browse | 208.95.112.1
| J89wCWeANu.exe | Get hash | malicious | Browse | 208.95.112.1
| Cotizacin.jar | Get hash | malicious | Browse | 208.95.112.1
| Purchase Order.jar | Get hash | malicious | Browse | 208.95.112.1
| Draft-Copy-Bill-Of-Lading-FLXT-1049005B561815.exe | Get hash | malicious | Browse | 208.95.112.1
| PO#5200668.jar | Get hash | malicious | Browse | 208.95.112.1
| PO#5200668.jar | Get hash | malicious | Browse | 208.95.112.1
| Worksheet.exe | Get hash | malicious | Browse | 208.95.112.1
| Olyys.exe | Get hash | malicious | Browse | 208.95.112.1
| vpn.exe | Get hash | malicious | Browse | 208.95.112.1
| RemittanceAdvice_20210420_160446.jar | Get hash | malicious | Browse | 208.95.112.1
| DHL SHIPPING DOCUMENT.jar | Get hash | malicious | Browse | 208.95.112.1
| q7uNNDJUI2.exe | Get hash | malicious | Browse | 208.95.112.1
| BQGxKexU78.exe | Get hash | malicious | Browse | 208.95.112.1
| SecuriteInfo.com.Trojan.Win32.Save.a.6606.exe | Get hash | malicious | Browse | 208.95.112.1
| gSyJqxW85g.exe | Get hash | malicious | Browse | 208.95.112.1
| UAfjgvOViO.exe | Get hash | malicious | Browse | 208.95.112.1
| SecuriteInfo.com.Variant.Graftor.941749.26444.exe | Get hash | malicious | Browse | 208.95.112.1
| OVNQqw2Wx6.exe | Get hash | malicious | Browse | 208.95.112.1
| SecuriteInfo.com.Dropped.Trojan.GenericKD.46121735.25361.exe | Get hash | malicious | Browse | 208.95.112.1

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FacebookSecurityUpdate.exe.log
                  Process:C:\Users\user\Desktop\FacebookSecurityUpdate.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):859
                  Entropy (8bit):5.373981576136143
                  Encrypted:false
                  SSDEEP:24:ML9E4KrL1qE4GiD0E4KeGiKDE4KGKN08AKhk:MxHKn1qHGiD0HKeGiYHKGD8Aok
                  MD5:FCA6F8F70EDB011978C6161B2715F1D5
                  SHA1:6AC99F9E4E12508A5F821AB3EBA79C256FEF60A1
                  SHA-256:5D1375876DA08D3A08DFFF8180872B6961402832987E4C71E902B1B15FF382B7
                  SHA-512:901B570F152D2ED442D8EDBAECE834D40BAB10402CFEA3CBA2DA9AFAEB2AC1D94DB0DE3CB4783A03CB362EA46257C036CCC3627447BC70DAB9D56FD4AB21DCA8
                  Malicious:true
                  Reputation:moderate, very likely benign file
                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..
                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FacebookSecurityUpdate.exe.log
                  Process:C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1557
                  Entropy (8bit):5.351891643737667
                  Encrypted:false
                  SSDEEP:48:MIHK5HKXE1qHiYHKhQnoNHmHKBfHKntHoxHhAHKzvQTH3:Pq5qXEwCYqhQnoNGqNqntIxHeqzcX
                  MD5:E9163F5673A58133809F22228C6E27DD
                  SHA1:236F6A2107AA2EA3092C50A94B72064FA435D4A9
                  SHA-256:EA9B7A740D92C4113B89E33D9DBB0187CBBF36F2587AA5139421FDBC985EE53D
                  SHA-512:F3124F6846C4730E04EE36698A88E966AEBBF6F7FCCD0C265A8BE183ADF6C641944B7FA35F0F320F65A36335697D55B44BD34B3494B228737FD63C80151229FF
                  Malicious:true
                  Reputation:moderate, very likely benign file
                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, Publi
                  C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe
                  Process:C:\Users\user\Desktop\FacebookSecurityUpdate.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):364032
                  Entropy (8bit):6.38591798907471
                  Encrypted:false
                  SSDEEP:6144:76I+Jo/aYStbhzP5Kq+SMv0VGb7bDcllbkfRuQk9tb:rb7+n9zVGkllbkS
                  MD5:269E261FDBD4A955CB4591A39F3E08F4
                  SHA1:2D53C0730B8ACB96B1ED1B90B2DFB75BD6056E64
                  SHA-256:D91C968A77C771A29885EF6A6740846F8434E6D76C97FBAF520B782A45B479F3
                  SHA-512:321B8B4ADC35E19022195660E8780DBBDE508F9EB62BBF6107432B919D7DCE048206BAF70F20098D1D23F5B1D9BB38FE01452C83E6CCEBD0FF0E4897F892DE16
                  Malicious:true
                  Yara Hits:
                  • Rule: Vermin_Keylogger_Jan18_1, Description: Detects Vermin Keylogger, Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, Author: Florian Roth
                  • Rule: xRAT_1, Description: Detects Patchwork malware, Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, Author: Florian Roth
                  • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, Author: Florian Roth
                  • Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, Author: Florian Roth
                  • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, Author: Florian Roth
                  • Rule: CN_disclosed_20180208_KeyLogger_1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, Author: Florian Roth
                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, Author: Joe Security
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  Reputation:low
                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....`.................v.............. ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....t... ...v.................. ..`.rsrc................x..............@..@.reloc..............................@..B........................H.......................D...H............................................0..K.......(.....(....(...........s....o....('...,.(....,.(....-.~....o....(....(....*.n~....-.(....,.(....*.(....*.0..=........o....,4(k.....(....,.*s....%.o....%.o....%.o....(....&(....*....0..N.......(G...~:...,.~:...o....~....,.~....o....~....,.~....o....~....o..........(]...*...0..........~....(s...s.....~....(\...,..o....-.~....(....,..*~....~....(L...~....~....(....,.r...p+.~....r...p(....~....(..
                  C:\Users\user\AppData\Roaming\Logs\04-24-2021
                  Process:C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):224
                  Entropy (8bit):7.083345701054349
                  Encrypted:false
                  SSDEEP:6:6scwA9xdSe0y0poI3m3GS/5PeAbCvmXglR3pw:LcwA9xdt0npoI3m3B/5P7wy
                  MD5:790FFE520EAC3C4BA5F6166734926FE6
                  SHA1:5030D6FA2EBDD066F700131AE95647CF447C1BCC
                  SHA-256:52C8F2883B1FB535BBDE19A205826D9DC7414692E5DD83036B39904A67300FC6
                  SHA-512:ECDDF95D7129F90807504A9398BF7BDD146C68B138849C43C4046F56B878C35B8E1554B30BF4A8D39D8E47CC8A4040EAC64DC6585F69CDE7415B81063CF49941
                  Malicious:false
                  Reputation:low
                  Preview: ..O#.......F.,....!8.e..6]... rAY..c.....r..I...e..[k.....qS[/.4G>..{Q..Kp..h............Ba!..f.~..X...1..e.}j....`Y`....#.M..^.../..Lcn.<..o.Y."^...7.:.jV6..(.C*.C..h.$..v.Qy..=.+....R}.6..O....4.~......
                  C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe
                  Process:C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):364032
                  Entropy (8bit):6.38591798907471
                  Encrypted:false
                  SSDEEP:6144:76I+Jo/aYStbhzP5Kq+SMv0VGb7bDcllbkfRuQk9tb:rb7+n9zVGkllbkS
                  MD5:269E261FDBD4A955CB4591A39F3E08F4
                  SHA1:2D53C0730B8ACB96B1ED1B90B2DFB75BD6056E64
                  SHA-256:D91C968A77C771A29885EF6A6740846F8434E6D76C97FBAF520B782A45B479F3
                  SHA-512:321B8B4ADC35E19022195660E8780DBBDE508F9EB62BBF6107432B919D7DCE048206BAF70F20098D1D23F5B1D9BB38FE01452C83E6CCEBD0FF0E4897F892DE16
                  Malicious:true
                  Yara Hits:
                  • Rule: Vermin_Keylogger_Jan18_1, Description: Detects Vermin Keylogger, Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, Author: Florian Roth
                  • Rule: xRAT_1, Description: Detects Patchwork malware, Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, Author: Florian Roth
                  • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, Author: Florian Roth
                  • Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, Author: Florian Roth
                  • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, Author: Florian Roth
                  • Rule: CN_disclosed_20180208_KeyLogger_1, Description: Detects malware from disclosed CN malware set, Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, Author: Florian Roth
                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, Author: Joe Security
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  Reputation:low
                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....`.................v.............. ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text....t... ...v.................. ..`.rsrc................x..............@..@.reloc..............................@..B........................H.......................D...H............................................0..K.......(.....(....(...........s....o....('...,.(....,.(....-.~....o....(....(....*.n~....-.(....,.(....*.(....*.0..=........o....,4(k.....(....,.*s....%.o....%.o....%.o....(....&(....*....0..N.......(G...~:...,.~:...o....~....,.~....o....~....,.~....o....~....o..........(]...*...0..........~....(s...s.....~....(\...,..o....-.~....(....,..*~....~....(L...~....~....(....,.r...p+.~....r...p(....~....(..
                  C:\autorun.inf
                  Process:C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe
                  File Type:Microsoft Windows Autorun file, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):46
                  Entropy (8bit):4.4393379782107685
                  Encrypted:false
                  SSDEEP:3:0LT4cbS:IHW
                  MD5:3D5D1D844A36EDA0344557B07C488FEC
                  SHA1:4C2023E3F792798D2075D9CF49C1396A0FBBA3CB
                  SHA-256:CF7C8AF251B829009E9D309553E3ADCC9367F993C55356342517FA6F0A5F51E8
                  SHA-512:DAA343AFACCC19BFEEDD197A1132E07547689F622028201E133AC4900034BBC50D51BD6FDE60D7C6C39C2D89BB26A99B8F9BCB8F2A31CEB46D94C5FDFA26CA60
                  Malicious:true
                  Reputation:low
                  Preview: [AutoRun]..action=FacebookSecurityUpdate.exe..

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):7.757451813979911
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  • Win32 Executable (generic) a (10002005/4) 49.78%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Win16/32 Executable Delphi generic (2074/23) 0.01%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  File name:FacebookSecurityUpdate.exe
                  File size:577024
                  MD5:ac46ae63e68b470fc8fc80f6a74e7964
                  SHA1:373a2d73c34c905b2a52257ed5d432f82e412fd7
                  SHA256:1b12a22d5d562b59030df4697c4157a23766d0b34f9bd17a0ca7374e5a53e28c
                  SHA512:9e96e5e87088a9314334b1ad712d7d8f5b731db9ca7d932e91e857f34c2a2d906478bb4521136b1c00b4ef3de0d3fbb6eb9588caa3b22188de8a180756983996
                  SSDEEP:12288:rLp9s3sp/N349Qptn+drldBIAxHA821QkxNBP6sEJxzenaWMRy:Jusdp9+XI+AZxNBCsOxzenaWMRy
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.....................&........... ........@.. .......................@............@................................

                  File Icon

                  Icon Hash:d8dccc78ececd4f4

                  Static PE Info

                  General

                  Entrypoint:0x45c49e
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Time Stamp:0x6081DC9E [Thu Apr 22 20:29:18 2021 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:v4.0.30319
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                  Entrypoint Preview

                  Instruction
                  jmp dword ptr [00402000h]
                  add byte ptr [eax], al   (repeated 97 times: the bytes after the jmp are zero padding, which decodes as this instruction)

                  Data Directories

                  Name                                  Virtual Address  Virtual Size  Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_IMPORT          0x5c448          0x53          .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE        0x5e000          0x3229c       .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_BASERELOC       0x92000          0xc           .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                  IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                  Sections

                  Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                  .text   0x2000           0x5a4a4       0x5a600   False     0.99430541148    data       7.99565745527   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  .rsrc   0x5e000          0x3229c       0x32400   False     0.556363689366   data       6.98525544255   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc  0x92000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                  Resources

                  Name           RVA      Size     Type                                                                                                                              Language  Country
                  RT_ICON        0x5e2b0  0x468    GLS_BINARY_LSB_FIRST
                  RT_ICON        0x5e718  0x988    data
                  RT_ICON        0x5f0a0  0x10a8   dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4280695137, next used block 4280629087
                  RT_ICON        0x60148  0x25a8   dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4280365654, next used block 4280299859
                  RT_ICON        0x626f0  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4280168014, next used block 4280167500
                  RT_ICON        0x66918  0x5488   data
                  RT_ICON        0x6bda0  0x94a8   data
                  RT_ICON        0x75248  0x10828  data
                  RT_ICON        0x85a70  0xa15c   PNG image data, 256 x 256, 8-bit/color RGB, non-interlaced
                  RT_GROUP_ICON  0x8fbcc  0x84     data
                  RT_VERSION     0x8fc50  0x358    data
                  RT_MANIFEST    0x8ffa8  0x2f4    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                  Imports

                  DLL          Import
                  mscoree.dll  _CorExeMain

                  Version Infos

                  Description       Data
                  Translation       0x0000 0x04b0
                  LegalCopyright    Facebook Software Corp
                  Assembly Version  14.2321.332.0
                  InternalName      FacebookSecurityUpdate2.exe
                  FileVersion       14.2321.332.0
                  ProductName       Facebook Security Update
                  ProductVersion    14.2321.332.0
                  FileDescription   Facebook Security Update
                  OriginalFilename  FacebookSecurityUpdate2.exe

                  Network Behavior

                  Network Port Distribution

                  TCP Packets

                  Timestamp                             Source Port  Dest Port  Source IP      Dest IP
                  Apr 24, 2021 17:33:01.390980959 CEST  49707        80         192.168.2.3    208.95.112.1
                  Apr 24, 2021 17:33:01.445801020 CEST  80           49707      208.95.112.1   192.168.2.3
                  Apr 24, 2021 17:33:01.446028948 CEST  49707        80         192.168.2.3    208.95.112.1
                  Apr 24, 2021 17:33:01.446935892 CEST  49707        80         192.168.2.3    208.95.112.1
                  Apr 24, 2021 17:33:01.527359962 CEST  80           49707      208.95.112.1   192.168.2.3
                  Apr 24, 2021 17:33:01.580270052 CEST  49707        80         192.168.2.3    208.95.112.1
                  Apr 24, 2021 17:33:02.931987047 CEST  49707        80         192.168.2.3    208.95.112.1
                  Apr 24, 2021 17:33:05.466151953 CEST  49708        80         192.168.2.3    208.95.112.1
                  Apr 24, 2021 17:33:05.522080898 CEST  80           49708      208.95.112.1   192.168.2.3
                  Apr 24, 2021 17:33:05.522229910 CEST  49708        80         192.168.2.3    208.95.112.1
                  Apr 24, 2021 17:33:05.523104906 CEST  49708        80         192.168.2.3    208.95.112.1
                  Apr 24, 2021 17:33:05.577888966 CEST  80           49708      208.95.112.1   192.168.2.3
                  Apr 24, 2021 17:33:05.627475023 CEST  49708        80         192.168.2.3    208.95.112.1
                  Apr 24, 2021 17:33:07.232417107 CEST  49709        14782      192.168.2.3    84.38.133.101
                  Apr 24, 2021 17:33:07.281754971 CEST  14782        49709      84.38.133.101  192.168.2.3
                  Apr 24, 2021 17:33:07.281889915 CEST  49709        14782      192.168.2.3    84.38.133.101
                  Apr 24, 2021 17:33:07.331365108 CEST  14782        49709      84.38.133.101  192.168.2.3
                  Apr 24, 2021 17:33:07.377507925 CEST  49709        14782      192.168.2.3    84.38.133.101
                  Apr 24, 2021 17:33:07.561532974 CEST  49709        14782      192.168.2.3    84.38.133.101
                  Apr 24, 2021 17:33:07.611855030 CEST  14782        49709      84.38.133.101  192.168.2.3
                  Apr 24, 2021 17:33:07.652221918 CEST  49709        14782      192.168.2.3    84.38.133.101
                  Apr 24, 2021 17:33:07.701006889 CEST  14782        49709      84.38.133.101  192.168.2.3
                  Apr 24, 2021 17:33:07.752521992 CEST  49709        14782      192.168.2.3    84.38.133.101
                  Apr 24, 2021 17:33:08.234658003 CEST  49709        14782      192.168.2.3    84.38.133.101
                  Apr 24, 2021 17:33:08.318449020 CEST  14782        49709      84.38.133.101  192.168.2.3
                  Apr 24, 2021 17:33:33.298748970 CEST  14782        49709      84.38.133.101  192.168.2.3
                  Apr 24, 2021 17:33:33.298831940 CEST  49709        14782      192.168.2.3    84.38.133.101
                  Apr 24, 2021 17:33:33.348438978 CEST  49709        14782      192.168.2.3    84.38.133.101
                  Apr 24, 2021 17:33:33.396965981 CEST  14782        49709      84.38.133.101  192.168.2.3
                  Apr 24, 2021 17:33:48.648020029 CEST  80           49708      208.95.112.1   192.168.2.3
                  Apr 24, 2021 17:33:58.342642069 CEST  14782        49709      84.38.133.101  192.168.2.3
                  Apr 24, 2021 17:33:58.342770100 CEST  49709        14782      192.168.2.3    84.38.133.101
                  Apr 24, 2021 17:33:58.413042068 CEST  49709        14782      192.168.2.3    84.38.133.101
                  Apr 24, 2021 17:33:58.462476015 CEST  14782        49709      84.38.133.101  192.168.2.3
                  Apr 24, 2021 17:34:23.408577919 CEST  14782        49709      84.38.133.101  192.168.2.3
                  Apr 24, 2021 17:34:23.411606073 CEST  49709        14782      192.168.2.3    84.38.133.101
                  Apr 24, 2021 17:34:23.477746964 CEST  49709        14782      192.168.2.3    84.38.133.101
                  Apr 24, 2021 17:34:23.526182890 CEST  14782        49709      84.38.133.101  192.168.2.3
                  Apr 24, 2021 17:34:48.477258921 CEST  14782        49709      84.38.133.101  192.168.2.3
                  Apr 24, 2021 17:34:48.477535963 CEST  49709        14782      192.168.2.3    84.38.133.101
                  Apr 24, 2021 17:34:48.542391062 CEST  49709        14782      192.168.2.3    84.38.133.101
                  Apr 24, 2021 17:34:48.592410088 CEST  14782        49709      84.38.133.101  192.168.2.3

                  UDP Packets

                  Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                  Apr 24, 2021 17:32:49.076206923 CEST  64938        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:32:49.127868891 CEST  53           64938      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:32:51.098517895 CEST  60152        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:32:51.147774935 CEST  53           60152      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:32:52.016324997 CEST  57544        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:32:52.067889929 CEST  53           57544      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:33:01.325345993 CEST  55984        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:33:01.374416113 CEST  53           55984      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:33:05.396831036 CEST  64185        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:33:05.448391914 CEST  53           64185      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:33:22.109328985 CEST  65110        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:33:22.158248901 CEST  53           65110      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:33:24.517347097 CEST  58361        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:33:24.566210032 CEST  53           58361      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:33:25.812463999 CEST  63492        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:33:25.869924068 CEST  53           63492      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:33:26.626514912 CEST  60831        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:33:26.675209999 CEST  53           60831      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:33:27.486002922 CEST  60100        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:33:27.546190977 CEST  53           60100      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:33:28.796895027 CEST  53195        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:33:28.845627069 CEST  53           53195      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:33:29.749547958 CEST  50141        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:33:29.802673101 CEST  53           50141      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:33:32.238526106 CEST  53023        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:33:32.318536043 CEST  53           53023      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:33:33.232979059 CEST  49563        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:33:33.295241117 CEST  53           49563      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:33:34.024082899 CEST  51352        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:33:34.084923029 CEST  53           51352      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:33:34.844892025 CEST  59349        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:33:34.902410030 CEST  53           59349      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:33:35.432708979 CEST  57084        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:33:35.493843079 CEST  53           57084      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:33:35.793600082 CEST  58823        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:33:35.842441082 CEST  53           58823      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:33:36.662992954 CEST  57568        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:33:36.713629961 CEST  53           57568      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:33:37.545612097 CEST  50540        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:33:37.603224039 CEST  53           50540      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:33:38.611670017 CEST  54366        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:33:38.663388968 CEST  53           54366      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:33:39.494961977 CEST  53034        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:33:39.546591043 CEST  53           53034      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:33:44.297728062 CEST  57762        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:33:44.349764109 CEST  53           57762      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:33:45.050790071 CEST  55435        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:33:45.109697104 CEST  53           55435      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:33:45.446702957 CEST  50713        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:33:45.528189898 CEST  53           50713      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:33:57.031213999 CEST  56132        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:33:57.082958937 CEST  53           56132      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:34:00.342904091 CEST  58987        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:34:00.401925087 CEST  53           58987      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:34:01.970400095 CEST  56579        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:34:02.033829927 CEST  53           56579      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:34:02.617705107 CEST  60633        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:34:02.668427944 CEST  53           60633      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:34:31.582560062 CEST  61292        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:34:31.656702042 CEST  53           61292      8.8.8.8      192.168.2.3
                  Apr 24, 2021 17:34:33.203248024 CEST  63619        53         192.168.2.3  8.8.8.8
                  Apr 24, 2021 17:34:33.260485888 CEST  53           63619      8.8.8.8      192.168.2.3

                  DNS Queries

                  Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name        Type            Class
                  Apr 24, 2021 17:33:01.325345993 CEST  192.168.2.3  8.8.8.8  0x7fe0    Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)
                  Apr 24, 2021 17:33:05.396831036 CEST  192.168.2.3  8.8.8.8  0x82fa    Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)

                  DNS Answers

                  Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                      CName                         Address       Type                    Class
                  Apr 24, 2021 17:33:01.374416113 CEST  8.8.8.8    192.168.2.3  0x7fe0    No error (0)  ip-api.com                                              208.95.112.1  A (IP address)          IN (0x0001)
                  Apr 24, 2021 17:33:05.448391914 CEST  8.8.8.8    192.168.2.3  0x82fa    No error (0)  ip-api.com                                              208.95.112.1  A (IP address)          IN (0x0001)
                  Apr 24, 2021 17:34:02.033829927 CEST  8.8.8.8    192.168.2.3  0xeaf2    No error (0)  prda.aadg.msidentity.com  www.tm.a.prd.aadg.akadns.net                CNAME (Canonical name)  IN (0x0001)

                  HTTP Request Dependency Graph

                  • ip-api.com

                  HTTP Packets

                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  0           192.168.2.3  49707        208.95.112.1    80                C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe
                  Timestamp                             kBytes transferred  Direction  Data
                  Apr 24, 2021 17:33:01.446935892 CEST  1103                OUT        GET /json/ HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
                  Host: ip-api.com
                  Connection: Keep-Alive
                  Apr 24, 2021 17:33:01.527359962 CEST  1104                IN         HTTP/1.1 200 OK
                  Date: Sat, 24 Apr 2021 15:33:01 GMT
                  Content-Type: application/json; charset=utf-8
                  Content-Length: 280
                  Access-Control-Allow-Origin: *
                  X-Ttl: 60
                  X-Rl: 44
                  Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8152","lat":47.43,"lon":8.5718,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"Cdn77 ZUR ITX","as":"AS60068 Datacamp Limited","query":"84.17.52.3"}


                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                  1           192.168.2.3  49708        208.95.112.1    80                C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe
                  Timestamp                             kBytes transferred  Direction  Data
                  Apr 24, 2021 17:33:05.523104906 CEST  1104                OUT        GET /json/ HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
                  Host: ip-api.com
                  Connection: Keep-Alive
                  Apr 24, 2021 17:33:05.577888966 CEST  1105                IN         HTTP/1.1 200 OK
                  Date: Sat, 24 Apr 2021 15:33:05 GMT
                  Content-Type: application/json; charset=utf-8
                  Content-Length: 280
                  Access-Control-Allow-Origin: *
                  X-Ttl: 55
                  X-Rl: 43
                  Data Ascii: {"status":"success","country":"Switzerland","countryCode":"CH","region":"ZH","regionName":"Zurich","city":"Zurich","zip":"8152","lat":47.43,"lon":8.5718,"timezone":"Europe/Zurich","isp":"Datacamp Limited","org":"Cdn77 ZUR ITX","as":"AS60068 Datacamp Limited","query":"84.17.52.3"}


                  System Behavior

                  General

                  Start time:17:32:55
                  Start date:24/04/2021
                  Path:C:\Users\user\Desktop\FacebookSecurityUpdate.exe
                  Wow64 process (32bit):false
                  Commandline:'C:\Users\user\Desktop\FacebookSecurityUpdate.exe'
                  Imagebase:0xb00000
                  File size:577024 bytes
                  MD5 hash:AC46AE63E68B470FC8FC80F6A74E7964
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000000.00000002.194570475.0000000012DFB000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.194570475.0000000012DFB000.00000004.00000001.sdmp, Author: Joe Security
                  Reputation:low

                  General

                  Start time:17:32:58
                  Start date:24/04/2021
                  Path:C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe'
                  Imagebase:0xd90000
                  File size:364032 bytes
                  MD5 hash:269E261FDBD4A955CB4591A39F3E08F4
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000002.00000002.202794643.0000000000D92000.00000002.00020000.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000002.00000002.202794643.0000000000D92000.00000002.00020000.sdmp, Author: Joe Security
                  • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000002.00000000.193556825.0000000000D92000.00000002.00020000.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000002.00000000.193556825.0000000000D92000.00000002.00020000.sdmp, Author: Joe Security
                  • Rule: Vermin_Keylogger_Jan18_1, Description: Detects Vermin Keylogger, Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, Author: Florian Roth
                  • Rule: xRAT_1, Description: Detects Patchwork malware, Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, Author: Florian Roth
                  • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, Author: Florian Roth
                  • Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, Author: Florian Roth
                  • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, Author: Florian Roth
                  • Rule: CN_disclosed_20180208_KeyLogger_1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, Author: Florian Roth
                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe, Author: Joe Security
                  Antivirus matches:
                  • Detection: 100%, Avira
                  • Detection: 100%, Joe Sandbox ML
                  Reputation:low

                  General

                  Start time:17:33:01
                  Start date:24/04/2021
                  Path:C:\Windows\SysWOW64\schtasks.exe
                  Wow64 process (32bit):true
                  Commandline:'schtasks' /create /tn 'FacebookSecurityUpdate' /sc ONLOGON /tr 'C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe' /rl HIGHEST /f
                  Imagebase:0xb20000
                  File size:185856 bytes
                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:17:33:01
                  Start date:24/04/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6b2800000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:17:33:02
                  Start date:24/04/2021
                  Path:C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe
                  Imagebase:0x600000
                  File size:364032 bytes
                  MD5 hash:269E261FDBD4A955CB4591A39F3E08F4
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000005.00000002.457267428.0000000000602000.00000002.00020000.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000005.00000002.457267428.0000000000602000.00000002.00020000.sdmp, Author: Joe Security
                  • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000005.00000000.202485476.0000000000602000.00000002.00020000.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000005.00000000.202485476.0000000000602000.00000002.00020000.sdmp, Author: Joe Security
                  • Rule: Vermin_Keylogger_Jan18_1, Description: Detects Vermin Keylogger, Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, Author: Florian Roth
                  • Rule: xRAT_1, Description: Detects Patchwork malware, Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, Author: Florian Roth
                  • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, Author: Florian Roth
                  • Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, Author: Florian Roth
                  • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, Author: Florian Roth
                  • Rule: CN_disclosed_20180208_KeyLogger_1, Description: Detects malware from disclosed CN malware set, Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, Author: Florian Roth
                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe, Author: Joe Security
                  Antivirus matches:
                  • Detection: 100%, Avira
                  • Detection: 100%, Joe Sandbox ML
                  Reputation:low

                  General

                  Start time:17:33:02
                  Start date:24/04/2021
                  Path:C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\Temp\FacebookSecurityUpdate.exe
                  Imagebase:0x180000
                  File size:364032 bytes
                  MD5 hash:269E261FDBD4A955CB4591A39F3E08F4
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000000.203445324.0000000000182000.00000002.00020000.sdmp, Author: Joe Security
                  • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000006.00000002.211316911.0000000000182000.00000002.00020000.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.211316911.0000000000182000.00000002.00020000.sdmp, Author: Joe Security
                  Reputation:low

                  General

                  Start time:17:33:05
                  Start date:24/04/2021
                  Path:C:\Windows\SysWOW64\schtasks.exe
                  Wow64 process (32bit):true
                  Commandline:'schtasks' /create /tn 'FacebookSecurityUpdate' /sc ONLOGON /tr 'C:\Windows\SysWOW64\FacebookSecurityUpdate\FacebookSecurityUpdate.exe' /rl HIGHEST /f
                  Imagebase:0xb20000
                  File size:185856 bytes
                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:17:33:05
                  Start date:24/04/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6b2800000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Disassembly

                  Code Analysis

                    Executed Functions

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.195919690.00007FFAEEB00000.00000040.00000001.sdmp, Offset: 00007FFAEEB00000, based on PE: false
                    Similarity
                    • API ID: DeleteFile
                    • String ID:
                    • API String ID: 4033686569-0

                    Non-executed Functions

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.195919690.00007FFAEEB00000.00000040.00000001.sdmp, Offset: 00007FFAEEB00000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: "s6$4__^
                    • API String ID: 0-990609901

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.195919690.00007FFAEEB00000.00000040.00000001.sdmp, Offset: 00007FFAEEB00000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: "s6$4__^
                    • API String ID: 0-990609901

                    Executed Functions

                    APIs
                    • OleInitialize.OLE32(00000000), ref: 031F93DD
                    Memory Dump Source
                    • Source File: 00000002.00000002.203539946.00000000031F0000.00000040.00000001.sdmp, Offset: 031F0000, based on PE: false
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0

                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 031F8398
                    • GetCurrentThread.KERNEL32 ref: 031F83D5
                    • GetCurrentProcess.KERNEL32 ref: 031F8412
                    • GetCurrentThreadId.KERNEL32 ref: 031F846B
                    Memory Dump Source
                    • Source File: 00000002.00000002.203539946.00000000031F0000.00000040.00000001.sdmp, Offset: 031F0000, based on PE: false
                    Similarity
                    • API ID: Current$ProcessThread
                    • String ID:
                    • API String ID: 2063062207-0

                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 031F8398
                    • GetCurrentThread.KERNEL32 ref: 031F83D5
                    • GetCurrentProcess.KERNEL32 ref: 031F8412
                    • GetCurrentThreadId.KERNEL32 ref: 031F846B
                    Memory Dump Source
                    • Source File: 00000002.00000002.203539946.00000000031F0000.00000040.00000001.sdmp, Offset: 031F0000, based on PE: false
                    Similarity
                    • API ID: Current$ProcessThread
                    • String ID:
                    • API String ID: 2063062207-0

                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 031F8398
                    • GetCurrentThread.KERNEL32 ref: 031F83D5
                    • GetCurrentProcess.KERNEL32 ref: 031F8412
                    • GetCurrentThreadId.KERNEL32 ref: 031F846B
                    Memory Dump Source
                    • Source File: 00000002.00000002.203539946.00000000031F0000.00000040.00000001.sdmp, Offset: 031F0000, based on PE: false
                    Similarity
                    • API ID: Current$ProcessThread
                    • String ID:
                    • API String ID: 2063062207-0

                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 031F85E7
                    Memory Dump Source
                    • Source File: 00000002.00000002.203539946.00000000031F0000.00000040.00000001.sdmp, Offset: 031F0000, based on PE: false
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0

                    APIs
                    • LoadLibraryA.KERNELBASE(?), ref: 0185CB17
                    Memory Dump Source
                    • Source File: 00000002.00000002.203273430.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0

                    APIs
                    • CreateActCtxA.KERNEL32(?), ref: 01852FE1
                    Memory Dump Source
                    • Source File: 00000002.00000002.203273430.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                    Similarity
                    • API ID: Create
                    • String ID:
                    • API String ID: 2289755597-0

                    APIs
                    • LoadLibraryA.KERNELBASE(?), ref: 0185CB17
                    Memory Dump Source
                    • Source File: 00000002.00000002.203273430.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0

                    APIs
                    • CreateActCtxA.KERNEL32(?), ref: 01852FE1
                    Memory Dump Source
                    • Source File: 00000002.00000002.203273430.0000000001850000.00000040.00000001.sdmp, Offset: 01850000, based on PE: false
                    Similarity
                    • API ID: Create
                    • String ID:
                    • API String ID: 2289755597-0

                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 031F85E7
                    Memory Dump Source
                    • Source File: 00000002.00000002.203539946.00000000031F0000.00000040.00000001.sdmp, Offset: 031F0000, based on PE: false
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0

                    APIs
                    • DeleteFileW.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,031F7705), ref: 031F7788
                    Memory Dump Source
                    • Source File: 00000002.00000002.203539946.00000000031F0000.00000040.00000001.sdmp, Offset: 031F0000, based on PE: false
                    Similarity
                    • API ID: DeleteFile
                    • String ID:
                    • API String ID: 4033686569-0

                    APIs
                    • DeleteFileW.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,031F7705), ref: 031F7788
                    Memory Dump Source
                    • Source File: 00000002.00000002.203539946.00000000031F0000.00000040.00000001.sdmp, Offset: 031F0000, based on PE: false
                    Similarity
                    • API ID: DeleteFile
                    • String ID:
                    • API String ID: 4033686569-0

                    APIs
                    • OleInitialize.OLE32(00000000), ref: 031F93DD
                    Memory Dump Source
                    • Source File: 00000002.00000002.203539946.00000000031F0000.00000040.00000001.sdmp, Offset: 031F0000, based on PE: false
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0

                    APIs
                    • OleInitialize.OLE32(00000000), ref: 031F93DD
                    Memory Dump Source
                    • Source File: 00000002.00000002.203539946.00000000031F0000.00000040.00000001.sdmp, Offset: 031F0000, based on PE: false
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0

                    Non-executed Functions

                    Executed Functions

                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 0502FCA0
                    • GetCurrentThread.KERNEL32 ref: 0502FCDD
                    • GetCurrentProcess.KERNEL32 ref: 0502FD1A
                    • GetCurrentThreadId.KERNEL32 ref: 0502FD73
                    Memory Dump Source
                    • Source File: 00000005.00000002.462693962.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                    Similarity
                    • API ID: Current$ProcessThread
                    • String ID:
                    • API String ID: 2063062207-0

                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 0502FCA0
                    • GetCurrentThread.KERNEL32 ref: 0502FCDD
                    • GetCurrentProcess.KERNEL32 ref: 0502FD1A
                    • GetCurrentThreadId.KERNEL32 ref: 0502FD73
                    Memory Dump Source
                    • Source File: 00000005.00000002.462693962.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                    Similarity
                    • API ID: Current$ProcessThread
                    • String ID:
                    • API String ID: 2063062207-0

                    APIs
                    • GetModuleHandleW.KERNELBASE(00000000), ref: 064C973E
                    Memory Dump Source
                    • Source File: 00000005.00000002.464253349.00000000064C0000.00000040.00000001.sdmp, Offset: 064C0000, based on PE: false
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0

                    APIs
                    • SetWindowsHookExW.USER32(?,00000000,?,?,?,?,?,00000000,00000000,?,05029F9D,00000000,00000000), ref: 0502C320
                    Memory Dump Source
                    • Source File: 00000005.00000002.462693962.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                    Similarity
                    • API ID: HookWindows
                    • String ID:
                    • API String ID: 2559412058-0

                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.464070340.00000000061C0000.00000040.00000001.sdmp, Offset: 061C0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: ?
                    • API String ID: 0-1684325040

                    APIs
                    • CreateActCtxA.KERNEL32(?), ref: 028F2FE1
                    Memory Dump Source
                    • Source File: 00000005.00000002.459237659.00000000028F0000.00000040.00000001.sdmp, Offset: 028F0000, based on PE: false
                    Similarity
                    • API ID: Create
                    • String ID:
                    • API String ID: 2289755597-0

                    APIs
                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 064CB6AA
                    Memory Dump Source
                    • Source File: 00000005.00000002.464253349.00000000064C0000.00000040.00000001.sdmp, Offset: 064C0000, based on PE: false
                    Similarity
                    • API ID: CreateWindow
                    • String ID:
                    • API String ID: 716092398-0

                    APIs
                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 064CB6AA
                    Memory Dump Source
                    • Source File: 00000005.00000002.464253349.00000000064C0000.00000040.00000001.sdmp, Offset: 064C0000, based on PE: false
                    Similarity
                    • API ID: CreateWindow
                    • String ID:
                    • API String ID: 716092398-0

                    APIs
                    • LoadLibraryA.KERNELBASE(?), ref: 028FCB17
                    Memory Dump Source
                    • Source File: 00000005.00000002.459237659.00000000028F0000.00000040.00000001.sdmp, Offset: 028F0000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0

                    APIs
                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 064CDC01
                    Memory Dump Source
                    • Source File: 00000005.00000002.464253349.00000000064C0000.00000040.00000001.sdmp, Offset: 064C0000, based on PE: false
                    Similarity
                    • API ID: CallProcWindow
                    • String ID:
                    • API String ID: 2714655100-0

                    APIs
                    • LoadLibraryA.KERNELBASE(?), ref: 028FCB17
                    Memory Dump Source
                    • Source File: 00000005.00000002.459237659.00000000028F0000.00000040.00000001.sdmp, Offset: 028F0000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0

                    APIs
                    • CreateActCtxA.KERNEL32(?), ref: 028F2FE1
                    Memory Dump Source
                    • Source File: 00000005.00000002.459237659.00000000028F0000.00000040.00000001.sdmp, Offset: 028F0000, based on PE: false
                    Similarity
                    • API ID: Create
                    • String ID:
                    • API String ID: 2289755597-0

                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0502FEEF
                    Memory Dump Source
                    • Source File: 00000005.00000002.462693962.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0

                    APIs
                    • SetWindowsHookExW.USER32(?,00000000,?,?,?,?,?,00000000,00000000,?,05029F9D,00000000,00000000), ref: 0502C320
                    Memory Dump Source
                    • Source File: 00000005.00000002.462693962.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                    Similarity
                    • API ID: HookWindows
                    • String ID:
                    • API String ID: 2559412058-0

                    APIs
                    • DeleteFileW.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,05027705), ref: 05027788
                    Memory Dump Source
                    • Source File: 00000005.00000002.462693962.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                    Similarity
                    • API ID: DeleteFile
                    • String ID:
                    • API String ID: 4033686569-0

                    APIs
                    • SetWindowsHookExW.USER32(?,00000000,?,?,?,?,?,00000000,00000000,?,05029F9D,00000000,00000000), ref: 0502C320
                    Memory Dump Source
                    • Source File: 00000005.00000002.462693962.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                    Similarity
                    • API ID: HookWindows
                    • String ID:
                    • API String ID: 2559412058-0
                    • Opcode ID: 624a25ba4a60a1f41ce0cbcb6a5762e56d34dc625bd00dfa663fdabacc5eb2bf
                    • Instruction ID: 082bb3759b00dd867bb69338b61103d40e257d31cff794e9cbaa429ba705c186
                    • Opcode Fuzzy Hash: 624a25ba4a60a1f41ce0cbcb6a5762e56d34dc625bd00dfa663fdabacc5eb2bf
                    • Instruction Fuzzy Hash: D42124B4D006189FCB50DFA9D884AEEFBF5BF48314F108819E50AA7350DB74A804CFA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0502FEEF
                    Memory Dump Source
                    • Source File: 00000005.00000002.462693962.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: e114c85edf5bfadc717d5e0bb1c974e7e903154792af5a9ee6b838ec4275d2e6
                    • Instruction ID: ed8aab3d946734eb652dcfd07aa2d2d9d2be4d274ee9001d093717f305de45b2
                    • Opcode Fuzzy Hash: e114c85edf5bfadc717d5e0bb1c974e7e903154792af5a9ee6b838ec4275d2e6
                    • Instruction Fuzzy Hash: F321F2B5900259AFDB10CFAAD884ADEBBF4EB49324F14841AE955A7310D378A944CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0502FEEF
                    Memory Dump Source
                    • Source File: 00000005.00000002.462693962.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: ba8a7a16aade7cd04657c398bd3e5c39acc9e8200af743cc14a53de04bec9612
                    • Instruction ID: 3cfa862a0b88aece2dbfc5128b6f10fa0062776ec2ff67eec6f4db9b858537fc
                    • Opcode Fuzzy Hash: ba8a7a16aade7cd04657c398bd3e5c39acc9e8200af743cc14a53de04bec9612
                    • Instruction Fuzzy Hash: B321E4B59002599FDB10CF9AD485ADEBBF4FB48324F14801AE914A7310D374A944CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DeleteFileW.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,05027705), ref: 05027788
                    Memory Dump Source
                    • Source File: 00000005.00000002.462693962.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                    Similarity
                    • API ID: DeleteFile
                    • String ID:
                    • API String ID: 4033686569-0
                    • Opcode ID: 31a85df95ddbecf321a3eb772ef351f5723a0db2c057fd89fd33c8ad584960b0
                    • Instruction ID: da87f01945c9e3d8715c3bdd6c433de1c4bf3efaab20bd31786404d2ecfc708e
                    • Opcode Fuzzy Hash: 31a85df95ddbecf321a3eb772ef351f5723a0db2c057fd89fd33c8ad584960b0
                    • Instruction Fuzzy Hash: 722133B1D046299BCB10CF9AD5447AEFBF4EB48324F01812AE819A7240D738A945CFE1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,064C97B9,00000800,00000000,00000000), ref: 064C99AA
                    Memory Dump Source
                    • Source File: 00000005.00000002.464253349.00000000064C0000.00000040.00000001.sdmp, Offset: 064C0000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 21da7e0560e9e42cbd32f6e3125608e6a12d84d2456f61a510f894022fe280f2
                    • Instruction ID: 8704986162eeec799042e9657601f111a127d8d45cd8e433b9f648486792bb87
                    • Opcode Fuzzy Hash: 21da7e0560e9e42cbd32f6e3125608e6a12d84d2456f61a510f894022fe280f2
                    • Instruction Fuzzy Hash: 161114B6D002099FDB10CF9AD844AEEFBF4EB88324F10842EE555A7300C775A945CFA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DeleteFileW.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,05027705), ref: 05027788
                    Memory Dump Source
                    • Source File: 00000005.00000002.462693962.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
                    Similarity
                    • API ID: DeleteFile
                    • String ID:
                    • API String ID: 4033686569-0
                    • Opcode ID: 91bba9db649dae4db54b8c23ee44883738e3846fc9fa42ee80619cf6f9c24abd
                    • Instruction ID: d2d126837a1036c3cdabea7c29e56eb4e49eb5bc3c082c6a7c3ca7c5ce6efb36
                    • Opcode Fuzzy Hash: 91bba9db649dae4db54b8c23ee44883738e3846fc9fa42ee80619cf6f9c24abd
                    • Instruction Fuzzy Hash: E62115B5C006199FCB10CF99D6457EEFBF4EF48324F05812AD819A7640D738A945CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,064C97B9,00000800,00000000,00000000), ref: 064C99AA
                    Memory Dump Source
                    • Source File: 00000005.00000002.464253349.00000000064C0000.00000040.00000001.sdmp, Offset: 064C0000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 1574467da76296ae9672cf6589d83cef54d4809d68ed7293fa388642639d32f5
                    • Instruction ID: 2f5b4a0e83cf50f5eac92c79f7265190c75c9dc5b32b28692387551f31b1e0b7
                    • Opcode Fuzzy Hash: 1574467da76296ae9672cf6589d83cef54d4809d68ed7293fa388642639d32f5
                    • Instruction Fuzzy Hash: 8C11C2B6D00209DFDB50CF9AC444AAEFBF4AB88324F15842EE555A7300C775A945CFA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • OleInitialize.OLE32(00000000), ref: 064CFCBD
                    Memory Dump Source
                    • Source File: 00000005.00000002.464253349.00000000064C0000.00000040.00000001.sdmp, Offset: 064C0000, based on PE: false
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    • Opcode ID: f3d59734fbd280df9112ec77ca5ffe25816034eedf33cec865536545f35805ee
                    • Instruction ID: 230d43a74dea89eab82aae3b3b4a5533164b6f4033ad3dc54fe8a34e2ce98f1c
                    • Opcode Fuzzy Hash: f3d59734fbd280df9112ec77ca5ffe25816034eedf33cec865536545f35805ee
                    • Instruction Fuzzy Hash: 121145B5D007488FCB50CF9AD889BDEBBF8EB48324F10841AE519A7300C778A944CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetModuleHandleW.KERNELBASE(00000000), ref: 064C973E
                    Memory Dump Source
                    • Source File: 00000005.00000002.464253349.00000000064C0000.00000040.00000001.sdmp, Offset: 064C0000, based on PE: false
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    • Opcode ID: 42bcf1d483072656f018e038cc0dce2b30a2710ec17fffb466894f68e5deee46
                    • Instruction ID: d29802eab1bef57a333ea7c1a5209c1eb7c480649531c2e586b377f520290b0b
                    • Opcode Fuzzy Hash: 42bcf1d483072656f018e038cc0dce2b30a2710ec17fffb466894f68e5deee46
                    • Instruction Fuzzy Hash: 3C110FB5D01649CFCB50DF9AC448ADEFBF4AB88324F10841AD459A7300C374A545CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • OleInitialize.OLE32(00000000), ref: 064CFCBD
                    Memory Dump Source
                    • Source File: 00000005.00000002.464253349.00000000064C0000.00000040.00000001.sdmp, Offset: 064C0000, based on PE: false
                    Similarity
                    • API ID: Initialize
                    • String ID:
                    • API String ID: 2538663250-0
                    • Opcode ID: 8b5c5aa48661b1f1b4c2f3b926c0c4420d58ff9c16f3a999d656723d1fbfe7b7
                    • Instruction ID: 7dddd355549778b3d523b17bfbf8c2b213ac176d12b8f31a1c33c06ceb19ab28
                    • Opcode Fuzzy Hash: 8b5c5aa48661b1f1b4c2f3b926c0c4420d58ff9c16f3a999d656723d1fbfe7b7
                    • Instruction Fuzzy Hash: 9F1103B59047088FDB90DF9AD5887DEBBF4EF48324F10841AE959A7300D378A944CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.464070340.00000000061C0000.00000040.00000001.sdmp, Offset: 061C0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: ?
                    • API String ID: 0-1684325040
                    • Opcode ID: f26fd21ad406e98e06f3141d44c38ab723eb385bb2541e8c3a97bb77d2e7902d
                    • Instruction ID: 6ac5c3aa6b294ac6786ac93e3831e94990845ece4db30fec6ea1bd81d0db15dd
                    • Opcode Fuzzy Hash: f26fd21ad406e98e06f3141d44c38ab723eb385bb2541e8c3a97bb77d2e7902d
                    • Instruction Fuzzy Hash: E491F170F04745CFEB148FA8C89066E7BB6AF99314F26496AD101DF3E1CBB69C418B81
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.464070340.00000000061C0000.00000040.00000001.sdmp, Offset: 061C0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: be76f6f9cb8477f8d7ecf7ce0baca8074055b77aed7cc6caa464c971fdf0989f
                    • Instruction ID: 6311d045b33ae0dae00941f042cb6a83bda7df577e8fa77dac83ebc6b2b0a9bd
                    • Opcode Fuzzy Hash: be76f6f9cb8477f8d7ecf7ce0baca8074055b77aed7cc6caa464c971fdf0989f
                    • Instruction Fuzzy Hash: 4341D7743055659FC3C95F34D49449EBB66EB8AA103148746E88287746DB34ED0FCBE2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.464070340.00000000061C0000.00000040.00000001.sdmp, Offset: 061C0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f7108518c2ed65afbf93865199032da5a7b78dc721bb2a8ff2555c6438b3625a
                    • Instruction ID: e5208a6f784ee9389e61e9eba56372251c347eb75a17e9748987d59b16394c93
                    • Opcode Fuzzy Hash: f7108518c2ed65afbf93865199032da5a7b78dc721bb2a8ff2555c6438b3625a
                    • Instruction Fuzzy Hash: 4E219A78300A129FC7CA9B24D49845EBB72FB8A610304C346ED4283781DB34ED1BCBE2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.458961715.0000000000F5D000.00000040.00000001.sdmp, Offset: 00F5D000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f39d72d249df0604957d0267f87222f53aaaae5d2a107c81922b28a5b132765a
                    • Instruction ID: b1e71677a6432f0f912f9b74769b242cfbd27ece9806dd518e6e3b47658aef16
                    • Opcode Fuzzy Hash: f39d72d249df0604957d0267f87222f53aaaae5d2a107c81922b28a5b132765a
                    • Instruction Fuzzy Hash: 7D214572905340EFCB15CF50D9C4B2BBB65FB88325F208569EE054B246C336D85AEBA2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.458961715.0000000000F5D000.00000040.00000001.sdmp, Offset: 00F5D000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3fb59b8857a043e6e33586e74c463892ad833a78bbb88619b0182a6253fba516
                    • Instruction ID: 6da35a147c9c9e92e443a24a67c24c3dcbed0f2c2750f64757334c27040da4e3
                    • Opcode Fuzzy Hash: 3fb59b8857a043e6e33586e74c463892ad833a78bbb88619b0182a6253fba516
                    • Instruction Fuzzy Hash: DC216AB2504644DFEB11CF50C8C0B17BF75FB84324F248569EE050B246C336D849EBA2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.458996733.0000000000F6D000.00000040.00000001.sdmp, Offset: 00F6D000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 23c5b9713cdce552f89f37f57044c1bfec9df3d80d6fc8916bb3ca65eb7c1232
                    • Instruction ID: 63e80d1ee9558044624fb4bdfdf160e9405d3bc25021b752ff0dc0798f797334
                    • Opcode Fuzzy Hash: 23c5b9713cdce552f89f37f57044c1bfec9df3d80d6fc8916bb3ca65eb7c1232
                    • Instruction Fuzzy Hash: 14210775E04244DFCB05CF54D5D4B26BB65FB88328F24C96DE8094F246C377D846EA61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.458961715.0000000000F5D000.00000040.00000001.sdmp, Offset: 00F5D000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d8ae0dfe8499d5622830881d3d04f1d95d58c220c932647f6ad712eed90872a2
                    • Instruction ID: b68c67c81b17d9c76d96f229309c6985cb084d9ccf1dc381cb41647a6e32dc98
                    • Opcode Fuzzy Hash: d8ae0dfe8499d5622830881d3d04f1d95d58c220c932647f6ad712eed90872a2
                    • Instruction Fuzzy Hash: 6C21B176805280DFCB16CF50D9C4B16BF71FB88324F24C6AADD040B65AC33AD85ADBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.458961715.0000000000F5D000.00000040.00000001.sdmp, Offset: 00F5D000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0d8a9d817077d39d9fad6da2ff2e5526acd16db30dd6086573c8171f784580f2
                    • Instruction ID: a9bb1b04f6f04ebffc5e3f3fa4c133d75a7b267edcb60238945b89b92d5be3ab
                    • Opcode Fuzzy Hash: 0d8a9d817077d39d9fad6da2ff2e5526acd16db30dd6086573c8171f784580f2
                    • Instruction Fuzzy Hash: 42110376804280CFDB12CF10D9C4B16BF71FB84324F24C6A9DD040B616C336D85ADBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.458996733.0000000000F6D000.00000040.00000001.sdmp, Offset: 00F6D000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 17adf84bf3d986228e54cd171d4c143f67dded3a97ef0c4bc82ee09b3a791334
                    • Instruction ID: d820f474bb772d6731324b78cffd7adeece9becbbe268d4a479e43196e5a27b1
                    • Opcode Fuzzy Hash: 17adf84bf3d986228e54cd171d4c143f67dded3a97ef0c4bc82ee09b3a791334
                    • Instruction Fuzzy Hash: F611DD75A04284DFCB01CF10D5D4B16BFB1FB84328F28C6AED8494B656C33AD84ADB61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000005.00000002.464070340.00000000061C0000.00000040.00000001.sdmp, Offset: 061C0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 592335962198333369ab527a01f9ba16735166d73f7c8b2e0237aa2b610b3694
                    • Instruction ID: 7a2c36094f0484b3113ce1eccca037e96b5e6d8307257ed576bbd4eca7585437
                    • Opcode Fuzzy Hash: 592335962198333369ab527a01f9ba16735166d73f7c8b2e0237aa2b610b3694
                    • Instruction Fuzzy Hash: 2D1178783009169B86859B29D09881EF763BBCD611314C316ED0683B44DB74FD5ADBE5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    Executed Functions

                    APIs
                    • LoadLibraryA.KERNELBASE(?), ref: 0244CB17
                    Memory Dump Source
                    • Source File: 00000006.00000002.212127136.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 72ba3e1355f58cc7275710448df96ab3222783461770a8a79cec78c2cc8e25bc
                    • Instruction ID: 2d3145245bea0023e70c09dc3af890e0955862a357bc9a4d891a9af4b268d2bf
                    • Opcode Fuzzy Hash: 72ba3e1355f58cc7275710448df96ab3222783461770a8a79cec78c2cc8e25bc
                    • Instruction Fuzzy Hash: 314158B4E012589FEB10CFA8D9857DEBBF1FB48314F14852AD819AB344DB749946CF81
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LoadLibraryA.KERNELBASE(?), ref: 0244CB17
                    Memory Dump Source
                    • Source File: 00000006.00000002.212127136.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 25f60793289d3c9cc2f8bf571ecf8021046d1e55faeafa3c31cede6c4ee79de8
                    • Instruction ID: 5431002f32103bda1ae2c97811de9918fef7df85f906a283091ec1e50750ae84
                    • Opcode Fuzzy Hash: 25f60793289d3c9cc2f8bf571ecf8021046d1e55faeafa3c31cede6c4ee79de8
                    • Instruction Fuzzy Hash: 8C4139B0E016589FEB10CFA9D98579EBBF1EB48318F18812BE815A7344DB749845CF91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateActCtxA.KERNEL32(?), ref: 02442FE1
                    Memory Dump Source
                    • Source File: 00000006.00000002.212127136.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                    Similarity
                    • API ID: Create
                    • String ID:
                    • API String ID: 2289755597-0
                    • Opcode ID: 2d5ec12c51b16589559ff14d57d8358da858d9e755c56aa1d4b4640d9e3ed82a
                    • Instruction ID: 40cfd7722f61e3b86ccd912ed9b33b79d33ff7468bfda085cd8218900e2696fe
                    • Opcode Fuzzy Hash: 2d5ec12c51b16589559ff14d57d8358da858d9e755c56aa1d4b4640d9e3ed82a
                    • Instruction Fuzzy Hash: B141D3B0C0461CCFEB24CF99C884BDEBBB5BF49308F20816AD509AB255DB756946CF91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateActCtxA.KERNEL32(?), ref: 02442FE1
                    Memory Dump Source
                    • Source File: 00000006.00000002.212127136.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
                    Similarity
                    • API ID: Create
                    • String ID:
                    • API String ID: 2289755597-0
                    • Opcode ID: 7e6ce2640d7f639f8eb645f726ce7a78ba10d9523d0db6483426854bcec0574f
                    • Instruction ID: b26e06465e9e6abe9e7fbd1e43e20ea3c88f8a20f04d6ec9f4a4911443878881
                    • Opcode Fuzzy Hash: 7e6ce2640d7f639f8eb645f726ce7a78ba10d9523d0db6483426854bcec0574f
                    • Instruction Fuzzy Hash: 1341C3B1C00619CFEB24CFA9C884BDEFBB5BF49308F20856AD409AB251DB756946CF51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000006.00000002.211989981.000000000098D000.00000040.00000001.sdmp, Offset: 0098D000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 20e4e27fab253507865e6f31717bd0f43e0b8f84d44a15e5735d8dae0a19fdb5
                    • Instruction ID: 27260b1f42df689485aa3894b5689f19f88a9dfb51f6e9e5d64de7b16a1c2afa
                    • Opcode Fuzzy Hash: 20e4e27fab253507865e6f31717bd0f43e0b8f84d44a15e5735d8dae0a19fdb5
                    • Instruction Fuzzy Hash: DE214B71504204EFCB01EF60D4C0B27BB65FB94324F20C969E9050B3E6C33AE845D7A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000006.00000002.211989981.000000000098D000.00000040.00000001.sdmp, Offset: 0098D000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0d8a9d817077d39d9fad6da2ff2e5526acd16db30dd6086573c8171f784580f2
                    • Instruction ID: 3a4be9c758c98a35bbfcaa74a87485c5736fd17e605dfe0fa4303bf2ca0a2f26
                    • Opcode Fuzzy Hash: 0d8a9d817077d39d9fad6da2ff2e5526acd16db30dd6086573c8171f784580f2
                    • Instruction Fuzzy Hash: 5511D376405280DFCB01DF10D5C4B16BF72FB94324F24C6A9D8490B7A6C33AE85ACBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

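As an added example (not part of the report above, and not the sandbox vendor's own code), the following Python script parses function records in the layout used on this page. It extracts each record's API call sites and memory-region fields, collapses records that point at the same call site (several records above share the SetWindowsHookExW call at 0502C320), and flags regions whose dump carries protection 0x40 (PAGE_EXECUTE_READWRITE) and is not backed by a PE file, which is consistent with the unpacked code the detection summary reports. The meaning of the dot-separated fields in the .sdmp file name (process index, phase, dump id, base address, protection, type) is an assumption about the sandbox's naming scheme, and the per-API behaviour notes are analyst annotations, not report output. The embedded sample is constructed from records that appear on this page.

```python
"""Parse sandbox function records in the layout used on this page and summarise
API call sites per dumped memory region.  Added example, not report output.
Assumption: .sdmp name = <process>.<phase>.<dumpid>.<base>.<protection>.<type>."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

PAGE_EXECUTE_READWRITE = 0x40  # Windows memory protection constant

# Analyst notes for APIs listed on this page (assumption, not report output).
API_NOTES = {
    "SetWindowsHookExW": "global hook: keylogger candidate",
    "DeleteFileW": "file deletion: cleanup/self-delete candidate",
    "DuplicateHandle": "handle duplication",
    "LoadLibraryExW": "dynamic library loading",
    "LoadLibraryA": "dynamic library loading",
    "CreateActCtxA": "activation context creation",
}

API_RE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^•\s*Source File: (?P<file>\S+), Offset: [0-9A-Fa-f]+, based on PE: (?P<pe>true|false)$")
SDMP_RE = re.compile(r"^(?P<proc>\d{8})\.\d{8}\.\d+\.(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$")
OPCODE_RE = re.compile(r"^•\s*Opcode ID: (?P<id>[0-9a-f]{64})$")


@dataclass
class FunctionRecord:
    opcode_id: str = ""
    process: int = -1
    base: int = -1
    protection: int = -1
    pe_backed: bool = False
    apis: list = field(default_factory=list)  # (api, module, ref address)


def parse_records(text):
    """One record per 'Uniqueness Score' line; unknown lines are skipped."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_RE.match(line):
            cur.apis.append((m["api"], m["module"], int(m["ref"], 16)))
        elif m := SRC_RE.match(line):
            cur.pe_backed = m["pe"] == "true"
            if s := SDMP_RE.match(m["file"]):
                cur.process, cur.base = int(s["proc"]), int(s["base"], 16)
                cur.protection = int(s["prot"], 16)
        elif m := OPCODE_RE.match(line):
            cur.opcode_id = m["id"]
        elif line.startswith("Uniqueness Score:"):
            records.append(cur)
            cur = FunctionRecord()
    if cur.opcode_id or cur.apis:  # trailing record with no score line
        records.append(cur)
    return records


def summarise(records):
    """Group by (process, base region); repeated call sites collapse to one."""
    regions = defaultdict(lambda: {"records": 0, "call_sites": set(), "rwx_unbacked": False})
    for r in records:
        reg = regions[(r.process, r.base)]
        reg["records"] += 1
        reg["call_sites"].update(r.apis)
        # Executable+writable memory with no backing PE is how unpacked or
        # injected code shows up in a dump.
        if r.protection == PAGE_EXECUTE_READWRITE and not r.pe_backed:
            reg["rwx_unbacked"] = True
    return dict(regions)


def describe(regions):
    out = []
    for (proc, base), reg in sorted(regions.items()):
        flag = " [RWX, not PE-backed]" if reg["rwx_unbacked"] else ""
        out.append(f"process {proc} region {base:08X}{flag}: {reg['records']} function(s)")
        for api, module, ref in sorted(reg["call_sites"], key=lambda t: t[2]):
            note = API_NOTES.get(api)
            out.append(f"  {ref:08X} {api}.{module}" + (f"  ; {note}" if note else ""))
    return "\n".join(out)


# Constructed sample: four records copied from this page, unrelated lines dropped.
SAMPLE_REPORT = """\
APIs
• SetWindowsHookExW.USER32(?,00000000,?,?,?,?,?,00000000,00000000,?,05029F9D,00000000,00000000), ref: 0502C320
• Source File: 00000005.00000002.462693962.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
• Opcode ID: 363c615a06061046541bdc0d366ccc00a58ef5fc847a1fa6bc3641d88a2339c7
Uniqueness Score: -1.00%

APIs
• SetWindowsHookExW.USER32(?,00000000,?,?,?,?,?,00000000,00000000,?,05029F9D,00000000,00000000), ref: 0502C320
• Source File: 00000005.00000002.462693962.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
• Opcode ID: 624a25ba4a60a1f41ce0cbcb6a5762e56d34dc625bd00dfa663fdabacc5eb2bf
Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,05027705), ref: 05027788
• Source File: 00000005.00000002.462693962.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
• Opcode ID: d3860452193205fe0397a9196c355fe39ff5ce6ba59c0d0df06c7dcbd49fa684
Uniqueness Score: -1.00%

APIs
• CreateActCtxA.KERNEL32(?), ref: 02442FE1
• Source File: 00000006.00000002.212127136.0000000002440000.00000040.00000001.sdmp, Offset: 02440000, based on PE: false
• Opcode ID: 2d5ec12c51b16589559ff14d57d8358da858d9e755c56aa1d4b4640d9e3ed82a
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    print(describe(summarise(parse_records(SAMPLE_REPORT))))
```

Run against the full report text, the summary reduces hundreds of near-duplicate records to a short per-region list of distinct call sites, which is the view a reviewer wants when deciding which dumped region to carve and disassemble first.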
                    Non-executed Functions