asyncrat | b434527e3f55425dc624118395ee28b4725e81464863dfd15d175dd74fbd9a6a

Resubmissions

02-09-2024 02:19

240902-crxs1syfmm 10

07-07-2024 21:02

240707-zvllgsyaqp 10

01-07-2024 21:37

240701-1gjemsverk 10

Analysis

max time kernel
294s
max time network
315s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07-07-2024 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

10^/10

asyncrat meduza redline stormkitty 1 default venom clients collection discovery infostealer persistence privilege_escalation rat spyware stealer upx

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6082381502:AAEEe5dVvSMdEf-_fKUh7iRqcNun3Q5DzxM/sendMessage?chat_id=5795480469

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

94.232.249.204:6660

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

94.232.249.204:1912

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\a\PACKAGE_DEMO.exe	family_meduza

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral5/memory/2040-456-0x00000000011F0000-0x0000000001242000-memory.dmp	family_redline

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\Server.exe	family_stormkitty
behavioral5/memory/1724-413-0x0000000000D50000-0x0000000000D82000-memory.dmp	family_stormkitty

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\Server.exe	family_asyncrat
C:\Users\Admin\AppData\Local\Temp\a\aaa.exe	family_asyncrat

Blocklisted process makes network request 1 IoCs

Processes:

GoogleUpdate.exe

flow pid process

80 2660 GoogleUpdate.exe
Downloads MZ/PE file

flow	pid	process
80	2660	GoogleUpdate.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

GoogleUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe	GoogleUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe\DisableExceptionChainValidation = "0"	GoogleUpdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PACKAGE_DEMO.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\Geo\Nation	PACKAGE_DEMO.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 27 IoCs

Processes:

PACKAGE_DEMO.exek.exelumma0607.exewin.exelolMiner.exemy.exewindows_update.exe1.exe1.exeigccu.exeGoogleUpdate.exeServer.exeaaa.exebuild.exeGoogleUpdate.exeupdate.exeGoogleUpdate.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exe109.0.5414.120_chrome_installer.exesetup.exesetup.exe

pid	process
2680	PACKAGE_DEMO.exe
2372	k.exe
1344
2564	lumma0607.exe
760	win.exe
920	lolMiner.exe
2688	my.exe
1728	windows_update.exe
796	1.exe
2300	1.exe
2384	igccu.exe
1648	GoogleUpdate.exe
1724	Server.exe
2724	aaa.exe
2040	build.exe
2732	GoogleUpdate.exe
1552	update.exe
2808	GoogleUpdate.exe
2320	GoogleUpdateComRegisterShell64.exe
2240	GoogleUpdateComRegisterShell64.exe
1612	GoogleUpdateComRegisterShell64.exe
2660	GoogleUpdate.exe
3060	GoogleUpdate.exe
2476	GoogleUpdate.exe
288	109.0.5414.120_chrome_installer.exe
2808	setup.exe
2668	setup.exe

Loads dropped DLL 57 IoCs

Processes:

New Text Document mod.exeWerFault.exe1.exeigccu.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exe109.0.5414.120_chrome_installer.exesetup.exe

pid	process
3068	New Text Document mod.exe
3068	New Text Document mod.exe
3068	New Text Document mod.exe
2136
2096	WerFault.exe
2096	WerFault.exe
2096	WerFault.exe
3068	New Text Document mod.exe
3068	New Text Document mod.exe
3036
3068	New Text Document mod.exe
1176
3068	New Text Document mod.exe
3068	New Text Document mod.exe
2592
3068	New Text Document mod.exe
3068	New Text Document mod.exe
2816
796	1.exe
2384	igccu.exe
1648	GoogleUpdate.exe
1648	GoogleUpdate.exe
1648	GoogleUpdate.exe
1648	GoogleUpdate.exe
2732	GoogleUpdate.exe
2732	GoogleUpdate.exe
2732	GoogleUpdate.exe
3068	New Text Document mod.exe
3068	New Text Document mod.exe
1648	GoogleUpdate.exe
2808	GoogleUpdate.exe
2808	GoogleUpdate.exe
2808	GoogleUpdate.exe
2320	GoogleUpdateComRegisterShell64.exe
2808	GoogleUpdate.exe
2808	GoogleUpdate.exe
2240	GoogleUpdateComRegisterShell64.exe
2808	GoogleUpdate.exe
2808	GoogleUpdate.exe
1612	GoogleUpdateComRegisterShell64.exe
2808	GoogleUpdate.exe
1648	GoogleUpdate.exe
1648	GoogleUpdate.exe
1648	GoogleUpdate.exe
2660	GoogleUpdate.exe
1648	GoogleUpdate.exe
3060	GoogleUpdate.exe
3060	GoogleUpdate.exe
3060	GoogleUpdate.exe
2476	GoogleUpdate.exe
2476	GoogleUpdate.exe
2476	GoogleUpdate.exe
2476	GoogleUpdate.exe
3060	GoogleUpdate.exe
2476	GoogleUpdate.exe
288	109.0.5414.120_chrome_installer.exe
2808	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\a\k.exe	upx
behavioral5/memory/2372-74-0x0000000000A70000-0x0000000001A96000-memory.dmp	upx
behavioral5/memory/2372-93-0x0000000000A70000-0x0000000001A96000-memory.dmp	upx
behavioral5/memory/2372-94-0x0000000000A70000-0x0000000001A96000-memory.dmp	upx
behavioral5/memory/2372-95-0x0000000000A70000-0x0000000001A96000-memory.dmp	upx
behavioral5/memory/2372-97-0x0000000000A70000-0x0000000001A96000-memory.dmp	upx
behavioral5/memory/2372-106-0x0000000000A70000-0x0000000001A96000-memory.dmp	upx
behavioral5/memory/2372-108-0x0000000000A70000-0x0000000001A96000-memory.dmp	upx
behavioral5/memory/2372-109-0x0000000000A70000-0x0000000001A96000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\a\win.exe	upx
behavioral5/memory/760-120-0x00000000002F0000-0x0000000001316000-memory.dmp	upx
behavioral5/memory/2372-121-0x0000000000A70000-0x0000000001A96000-memory.dmp	upx
behavioral5/memory/760-122-0x00000000002F0000-0x0000000001316000-memory.dmp	upx
behavioral5/memory/760-124-0x00000000002F0000-0x0000000001316000-memory.dmp	upx
behavioral5/memory/2372-125-0x0000000000A70000-0x0000000001A96000-memory.dmp	upx
behavioral5/memory/760-128-0x00000000002F0000-0x0000000001316000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\a\lolMiner.exe	upx
behavioral5/memory/920-135-0x000000013F590000-0x0000000143CEF000-memory.dmp	upx
behavioral5/memory/760-136-0x00000000002F0000-0x0000000001316000-memory.dmp	upx
behavioral5/memory/2372-137-0x0000000000A70000-0x0000000001A96000-memory.dmp	upx
behavioral5/memory/760-138-0x00000000002F0000-0x0000000001316000-memory.dmp	upx
behavioral5/memory/2372-139-0x0000000000A70000-0x0000000001A96000-memory.dmp	upx
behavioral5/memory/760-140-0x00000000002F0000-0x0000000001316000-memory.dmp	upx
behavioral5/memory/2372-141-0x0000000000A70000-0x0000000001A96000-memory.dmp	upx
behavioral5/memory/760-144-0x00000000002F0000-0x0000000001316000-memory.dmp	upx
behavioral5/memory/2372-145-0x0000000000A70000-0x0000000001A96000-memory.dmp	upx
behavioral5/memory/760-146-0x00000000002F0000-0x0000000001316000-memory.dmp	upx
behavioral5/memory/2372-147-0x0000000000A70000-0x0000000001A96000-memory.dmp	upx
behavioral5/memory/760-148-0x00000000002F0000-0x0000000001316000-memory.dmp	upx
behavioral5/memory/2372-158-0x0000000000A70000-0x0000000001A96000-memory.dmp	upx
behavioral5/memory/760-159-0x00000000002F0000-0x0000000001316000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\a\windows_update.exe	upx
behavioral5/memory/2372-169-0x0000000000A70000-0x0000000001A96000-memory.dmp	upx
behavioral5/memory/760-170-0x00000000002F0000-0x0000000001316000-memory.dmp	upx
behavioral5/memory/1728-172-0x0000000000DC0000-0x0000000001DE5000-memory.dmp	upx
behavioral5/memory/760-173-0x00000000002F0000-0x0000000001316000-memory.dmp	upx
behavioral5/memory/2372-174-0x0000000000A70000-0x0000000001A96000-memory.dmp	upx
behavioral5/memory/1728-175-0x0000000000DC0000-0x0000000001DE5000-memory.dmp	upx
behavioral5/memory/760-176-0x00000000002F0000-0x0000000001316000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\a\1.exe	upx
behavioral5/memory/796-187-0x0000000000FC0000-0x00000000017AD000-memory.dmp	upx
behavioral5/memory/2372-188-0x0000000000A70000-0x0000000001A96000-memory.dmp	upx
behavioral5/memory/1728-191-0x0000000000DC0000-0x0000000001DE5000-memory.dmp	upx
behavioral5/memory/760-192-0x00000000002F0000-0x0000000001316000-memory.dmp	upx
behavioral5/memory/2300-194-0x0000000000FC0000-0x00000000017AD000-memory.dmp	upx
behavioral5/memory/2372-193-0x0000000000A70000-0x0000000001A96000-memory.dmp	upx
behavioral5/memory/1728-195-0x0000000000DC0000-0x0000000001DE5000-memory.dmp	upx
behavioral5/memory/760-196-0x00000000002F0000-0x0000000001316000-memory.dmp	upx
behavioral5/memory/2300-197-0x0000000000FC0000-0x00000000017AD000-memory.dmp	upx
behavioral5/memory/2372-457-0x0000000000A70000-0x0000000001A96000-memory.dmp	upx
behavioral5/memory/1728-460-0x0000000000DC0000-0x0000000001DE5000-memory.dmp	upx
behavioral5/memory/760-580-0x00000000002F0000-0x0000000001316000-memory.dmp	upx
behavioral5/memory/2300-583-0x0000000000FC0000-0x00000000017AD000-memory.dmp	upx
behavioral5/memory/2372-582-0x0000000000A70000-0x0000000001A96000-memory.dmp	upx
behavioral5/memory/1728-584-0x0000000000DC0000-0x0000000001DE5000-memory.dmp	upx
behavioral5/memory/760-623-0x00000000002F0000-0x0000000001316000-memory.dmp	upx
behavioral5/memory/2300-625-0x0000000000FC0000-0x00000000017AD000-memory.dmp	upx
behavioral5/memory/2372-674-0x0000000000A70000-0x0000000001A96000-memory.dmp	upx
behavioral5/memory/1728-682-0x0000000000DC0000-0x0000000001DE5000-memory.dmp	upx
behavioral5/memory/760-687-0x00000000002F0000-0x0000000001316000-memory.dmp	upx
behavioral5/memory/2300-809-0x0000000000FC0000-0x00000000017AD000-memory.dmp	upx
behavioral5/memory/2372-811-0x0000000000A70000-0x0000000001A96000-memory.dmp	upx
behavioral5/memory/1728-812-0x0000000000DC0000-0x0000000001DE5000-memory.dmp	upx
behavioral5/memory/760-814-0x00000000002F0000-0x0000000001316000-memory.dmp	upx

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

Processes:

PACKAGE_DEMO.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PACKAGE_DEMO.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PACKAGE_DEMO.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PACKAGE_DEMO.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PACKAGE_DEMO.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PACKAGE_DEMO.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 5 IoCs

Processes:

Server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\3bb311ebc534bbb7aabc8a3bfa44b968\Admin@MVFYZPLM_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	Server.exe
File created	C:\Users\Admin\AppData\Local\3bb311ebc534bbb7aabc8a3bfa44b968\Admin@MVFYZPLM_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	Server.exe
File opened for modification	C:\Users\Admin\AppData\Local\3bb311ebc534bbb7aabc8a3bfa44b968\Admin@MVFYZPLM_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	Server.exe
File created	C:\Users\Admin\AppData\Local\3bb311ebc534bbb7aabc8a3bfa44b968\Admin@MVFYZPLM_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	Server.exe
File created	C:\Users\Admin\AppData\Local\3bb311ebc534bbb7aabc8a3bfa44b968\Admin@MVFYZPLM_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	Server.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 api.ipify.org
16 api.ipify.org
95 icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
14	api.ipify.org
16	api.ipify.org
95	icanhazip.com

Drops file in Program Files directory 64 IoCs

Processes:

GoogleUpdate.exeigccu.exe109.0.5414.120_chrome_installer.exeGoogleUpdate.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_it.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_es.dll	igccu.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_nl.dll	igccu.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdate.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_es-419.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_lv.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\psmachine.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\GoogleUpdateSetup.exe	igccu.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_bn.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_cs.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_en-GB.dll	igccu.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_kn.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\Install\{668C4DFE-8CFC-4746-AE9C-28FD18492632}\CR_D4C9A.tmp\CHROME.PACKED.7Z	109.0.5414.120_chrome_installer.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_zh-CN.dll	igccu.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_ms.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_pt-PT.dll	GoogleUpdate.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{668C4DFE-8CFC-4746-AE9C-28FD18492632}\109.0.5414.120_chrome_installer.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\psmachine.dll	igccu.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_bg.dll	igccu.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_pt-BR.dll	igccu.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateOnDemand.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\psuser_64.dll	igccu.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_mr.dll	igccu.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_de.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdate.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_fi.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_nl.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_th.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_bn.dll	igccu.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_fil.dll	igccu.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_sk.dll	igccu.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_sl.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_vi.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_fi.dll	igccu.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_vi.dll	igccu.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_ml.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleCrashHandler64.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_pl.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_sk.dll	GoogleUpdate.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\109.0.5414.120\109.0.5414.120_chrome_installer.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\GoogleUpdate.exe	igccu.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_cs.dll	igccu.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_ko.dll	igccu.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_lt.dll	igccu.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\GoogleUpdateSetup.exe	igccu.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_bg.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_sw.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\GoogleUpdateOnDemand.exe	igccu.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_fr.dll	igccu.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_hu.dll	igccu.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateBroker.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\Install\{668C4DFE-8CFC-4746-AE9C-28FD18492632}\109.0.5414.120_chrome_installer.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_ro.dll	igccu.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_fr.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_no.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_ms.dll	igccu.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{668C4DFE-8CFC-4746-AE9C-28FD18492632}\CR_D4C9A.tmp\SETUP.EX_	109.0.5414.120_chrome_installer.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\psmachine_64.dll	igccu.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_gu.dll	igccu.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_iw.dll	igccu.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\psuser_64.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_el.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.122\goopdateres_hi.dll	GoogleUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2096 2564 WerFault.exe lumma0607.exe

pid	pid_target	process	target process
2096	2564	WerFault.exe	lumma0607.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Server.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CENTRALPROCESSOR\0\Identifier	Server.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2980 tasklist.exe
2208 tasklist.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

2524 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2496 systeminfo.exe

pid	process
2980	tasklist.exe
2208	tasklist.exe

pid	process
2524	ipconfig.exe

pid	process
2496	systeminfo.exe

Modifies registry class 64 IoCs

Processes:

GoogleUpdate.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\NumMethods	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ = "IProcessLauncher"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods\ = "11"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32\ = "{0CE63743-3E8B-463F-90D8-0274D20FCEBB}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalizedString = "@C:\\Program Files (x86)\\Google\\Update\\1.3.36.122\\goopdate.dll,-3000"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32\ = "{0CE63743-3E8B-463F-90D8-0274D20FCEBB}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\ProxyStubClsid32\ = "{0CE63743-3E8B-463F-90D8-0274D20FCEBB}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{521FDB42-7130-4806-822A-FC5163FAD983}\ProgID\ = "GoogleUpdate.PolicyStatusMachine.1.0"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CE63743-3E8B-463F-90D8-0274D20FCEBB}\InProcServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32\ = "{0CE63743-3E8B-463F-90D8-0274D20FCEBB}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32\ = "{0CE63743-3E8B-463F-90D8-0274D20FCEBB}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ = "IRegistrationUpdateHook"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods\ = "10"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.CredentialDialogMachine.1.0\CLSID\ = "{25461599-633D-42B1-84FB-7CD68D026E53}"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID\ = "GoogleUpdate.CredentialDialogMachine.1.0"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32\ = "{0CE63743-3E8B-463F-90D8-0274D20FCEBB}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32\ = "{0CE63743-3E8B-463F-90D8-0274D20FCEBB}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0CE63743-3E8B-463F-90D8-0274D20FCEBB}\InProcServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.122\\psmachine.dll"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ = "IProcessLauncher2"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{521FDB42-7130-4806-822A-FC5163FAD983}\Elevation\IconReference = "@C:\\Program Files (x86)\\Google\\Update\\1.3.36.122\\goopdate.dll,-1004"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods\ = "8"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.CoreClass.1\CLSID\ = "{E225E692-4B47-4777-9BED-4FD7FE257F0E}"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DE778FE-F195-4EE3-9DAB-FE446C239221}\ProxyStubClsid32\ = "{0CE63743-3E8B-463F-90D8-0274D20FCEBB}"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{521FDB42-7130-4806-822A-FC5163FAD983}\PROGID	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\ProxyStubClsid32\ = "{0CE63743-3E8B-463F-90D8-0274D20FCEBB}"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADDF22CF-3E9B-4CD7-9139-8169EA6636E4}	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID\ = "GoogleUpdate.Update3WebSvc.1.0"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ = "IAppCommandWeb"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.CoreMachineClass\CurVer\ = "GoogleUpdate.CoreMachineClass.1"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\ProxyStubClsid32\ = "{0CE63743-3E8B-463F-90D8-0274D20FCEBB}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.CoCreateAsync.1.0\ = "CoCreateAsync"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\NumMethods\ = "16"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32\ = "{0CE63743-3E8B-463F-90D8-0274D20FCEBB}"	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods\ = "4"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ = "IProcessLauncher"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32\ = "{0CE63743-3E8B-463F-90D8-0274D20FCEBB}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C4CDEFF-756A-4804-9E77-3E8EB9361016}\ = "Google Update Policy Status Class"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.PolicyStatusMachine.1.0\CLSID\ = "{521FDB42-7130-4806-822A-FC5163FAD983}"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassSvc\CurVer\ = "GoogleUpdate.OnDemandCOMClassSvc.1.0"	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VERSIONINDEPENDENTPROGID	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ThreadingModel = "Both"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID	GoogleUpdate.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

New Text Document mod.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	New Text Document mod.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

k.exePACKAGE_DEMO.exewin.exemy.exewindows_update.exe1.exe1.exeGoogleUpdate.exeupdate.exetasklist.exeServer.exe

pid	process
2372	k.exe
2372	k.exe
2680	PACKAGE_DEMO.exe
760	win.exe
760	win.exe
2688	my.exe
2688	my.exe
1728	windows_update.exe
1728	windows_update.exe
796	1.exe
2300	1.exe
1648	GoogleUpdate.exe
1648	GoogleUpdate.exe
1648	GoogleUpdate.exe
1648	GoogleUpdate.exe
1648	GoogleUpdate.exe
1648	GoogleUpdate.exe
1552	update.exe
1552	update.exe
1552	update.exe
1552	update.exe
2208	tasklist.exe
2208	tasklist.exe
1724	Server.exe
1724	Server.exe
1724	Server.exe
1552	update.exe
1552	update.exe
1552	update.exe
1552	update.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

New Text Document mod.exewhoami.exewhoami.exewhoami.exeGoogleUpdate.exeServer.exetasklist.exeaaa.exetasklist.exeWMIC.exemsiexec.exe109.0.5414.120_chrome_installer.exe

description	pid	process
Token: SeDebugPrivilege	3068	New Text Document mod.exe
Token: SeDebugPrivilege	1924	whoami.exe
Token: SeDebugPrivilege	2508	whoami.exe
Token: SeDebugPrivilege	1088	whoami.exe
Token: SeDebugPrivilege	1648	GoogleUpdate.exe
Token: SeDebugPrivilege	1648	GoogleUpdate.exe
Token: SeDebugPrivilege	1648	GoogleUpdate.exe
Token: SeDebugPrivilege	1724	Server.exe
Token: SeDebugPrivilege	2980	tasklist.exe
Token: SeDebugPrivilege	2724	aaa.exe
Token: SeDebugPrivilege	2208	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2432	WMIC.exe
Token: SeSecurityPrivilege	2432	WMIC.exe
Token: SeTakeOwnershipPrivilege	2432	WMIC.exe
Token: SeLoadDriverPrivilege	2432	WMIC.exe
Token: SeSystemProfilePrivilege	2432	WMIC.exe
Token: SeSystemtimePrivilege	2432	WMIC.exe
Token: SeProfSingleProcessPrivilege	2432	WMIC.exe
Token: SeIncBasePriorityPrivilege	2432	WMIC.exe
Token: SeCreatePagefilePrivilege	2432	WMIC.exe
Token: SeBackupPrivilege	2432	WMIC.exe
Token: SeRestorePrivilege	2432	WMIC.exe
Token: SeShutdownPrivilege	2432	WMIC.exe
Token: SeDebugPrivilege	2432	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2432	WMIC.exe
Token: SeRemoteShutdownPrivilege	2432	WMIC.exe
Token: SeUndockPrivilege	2432	WMIC.exe
Token: SeManageVolumePrivilege	2432	WMIC.exe
Token: 33	2432	WMIC.exe
Token: 34	2432	WMIC.exe
Token: 35	2432	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2432	WMIC.exe
Token: SeSecurityPrivilege	2432	WMIC.exe
Token: SeTakeOwnershipPrivilege	2432	WMIC.exe
Token: SeLoadDriverPrivilege	2432	WMIC.exe
Token: SeSystemProfilePrivilege	2432	WMIC.exe
Token: SeSystemtimePrivilege	2432	WMIC.exe
Token: SeProfSingleProcessPrivilege	2432	WMIC.exe
Token: SeIncBasePriorityPrivilege	2432	WMIC.exe
Token: SeCreatePagefilePrivilege	2432	WMIC.exe
Token: SeBackupPrivilege	2432	WMIC.exe
Token: SeRestorePrivilege	2432	WMIC.exe
Token: SeShutdownPrivilege	2432	WMIC.exe
Token: SeDebugPrivilege	2432	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2432	WMIC.exe
Token: SeRemoteShutdownPrivilege	2432	WMIC.exe
Token: SeUndockPrivilege	2432	WMIC.exe
Token: SeManageVolumePrivilege	2432	WMIC.exe
Token: 33	2432	WMIC.exe
Token: 34	2432	WMIC.exe
Token: 35	2432	WMIC.exe
Token: SeRestorePrivilege	2196	msiexec.exe
Token: SeTakeOwnershipPrivilege	2196	msiexec.exe
Token: SeSecurityPrivilege	2196	msiexec.exe
Token: 33	288	109.0.5414.120_chrome_installer.exe
Token: SeIncBasePriorityPrivilege	288	109.0.5414.120_chrome_installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Text Document mod.exelumma0607.exewin.exewindows_update.exe1.exe1.exeigccu.exe

description	pid	process	target process
PID 3068 wrote to memory of 2680	3068	New Text Document mod.exe	PACKAGE_DEMO.exe
PID 3068 wrote to memory of 2680	3068	New Text Document mod.exe	PACKAGE_DEMO.exe
PID 3068 wrote to memory of 2680	3068	New Text Document mod.exe	PACKAGE_DEMO.exe
PID 3068 wrote to memory of 2372	3068	New Text Document mod.exe	k.exe
PID 3068 wrote to memory of 2372	3068	New Text Document mod.exe	k.exe
PID 3068 wrote to memory of 2372	3068	New Text Document mod.exe	k.exe
PID 3068 wrote to memory of 2564	3068	New Text Document mod.exe	lumma0607.exe
PID 3068 wrote to memory of 2564	3068	New Text Document mod.exe	lumma0607.exe
PID 3068 wrote to memory of 2564	3068	New Text Document mod.exe	lumma0607.exe
PID 3068 wrote to memory of 2564	3068	New Text Document mod.exe	lumma0607.exe
PID 2564 wrote to memory of 2096	2564	lumma0607.exe	WerFault.exe
PID 2564 wrote to memory of 2096	2564	lumma0607.exe	WerFault.exe
PID 2564 wrote to memory of 2096	2564	lumma0607.exe	WerFault.exe
PID 2564 wrote to memory of 2096	2564	lumma0607.exe	WerFault.exe
PID 3068 wrote to memory of 760	3068	New Text Document mod.exe	win.exe
PID 3068 wrote to memory of 760	3068	New Text Document mod.exe	win.exe
PID 3068 wrote to memory of 760	3068	New Text Document mod.exe	win.exe
PID 760 wrote to memory of 1924	760	win.exe	whoami.exe
PID 760 wrote to memory of 1924	760	win.exe	whoami.exe
PID 760 wrote to memory of 1924	760	win.exe	whoami.exe
PID 3068 wrote to memory of 920	3068	New Text Document mod.exe	lolMiner.exe
PID 3068 wrote to memory of 920	3068	New Text Document mod.exe	lolMiner.exe
PID 3068 wrote to memory of 920	3068	New Text Document mod.exe	lolMiner.exe
PID 3068 wrote to memory of 2688	3068	New Text Document mod.exe	my.exe
PID 3068 wrote to memory of 2688	3068	New Text Document mod.exe	my.exe
PID 3068 wrote to memory of 2688	3068	New Text Document mod.exe	my.exe
PID 3068 wrote to memory of 1728	3068	New Text Document mod.exe	windows_update.exe
PID 3068 wrote to memory of 1728	3068	New Text Document mod.exe	windows_update.exe
PID 3068 wrote to memory of 1728	3068	New Text Document mod.exe	windows_update.exe
PID 1728 wrote to memory of 2508	1728	windows_update.exe	whoami.exe
PID 1728 wrote to memory of 2508	1728	windows_update.exe	whoami.exe
PID 1728 wrote to memory of 2508	1728	windows_update.exe	whoami.exe
PID 3068 wrote to memory of 796	3068	New Text Document mod.exe	1.exe
PID 3068 wrote to memory of 796	3068	New Text Document mod.exe	1.exe
PID 3068 wrote to memory of 796	3068	New Text Document mod.exe	1.exe
PID 3068 wrote to memory of 796	3068	New Text Document mod.exe	1.exe
PID 796 wrote to memory of 2300	796	1.exe	1.exe
PID 796 wrote to memory of 2300	796	1.exe	1.exe
PID 796 wrote to memory of 2300	796	1.exe	1.exe
PID 796 wrote to memory of 2300	796	1.exe	1.exe
PID 2300 wrote to memory of 1088	2300	1.exe	whoami.exe
PID 2300 wrote to memory of 1088	2300	1.exe	whoami.exe
PID 2300 wrote to memory of 1088	2300	1.exe	whoami.exe
PID 2300 wrote to memory of 1088	2300	1.exe	whoami.exe
PID 3068 wrote to memory of 2384	3068	New Text Document mod.exe	igccu.exe
PID 3068 wrote to memory of 2384	3068	New Text Document mod.exe	igccu.exe
PID 3068 wrote to memory of 2384	3068	New Text Document mod.exe	igccu.exe
PID 3068 wrote to memory of 2384	3068	New Text Document mod.exe	igccu.exe
PID 3068 wrote to memory of 2384	3068	New Text Document mod.exe	igccu.exe
PID 3068 wrote to memory of 2384	3068	New Text Document mod.exe	igccu.exe
PID 3068 wrote to memory of 2384	3068	New Text Document mod.exe	igccu.exe
PID 2384 wrote to memory of 1648	2384	igccu.exe	GoogleUpdate.exe
PID 2384 wrote to memory of 1648	2384	igccu.exe	GoogleUpdate.exe
PID 2384 wrote to memory of 1648	2384	igccu.exe	GoogleUpdate.exe
PID 2384 wrote to memory of 1648	2384	igccu.exe	GoogleUpdate.exe
PID 2384 wrote to memory of 1648	2384	igccu.exe	GoogleUpdate.exe
PID 2384 wrote to memory of 1648	2384	igccu.exe	GoogleUpdate.exe
PID 2384 wrote to memory of 1648	2384	igccu.exe	GoogleUpdate.exe
PID 3068 wrote to memory of 1724	3068	New Text Document mod.exe	Server.exe
PID 3068 wrote to memory of 1724	3068	New Text Document mod.exe	Server.exe
PID 3068 wrote to memory of 1724	3068	New Text Document mod.exe	Server.exe
PID 3068 wrote to memory of 1724	3068	New Text Document mod.exe	Server.exe
PID 3068 wrote to memory of 2724	3068	New Text Document mod.exe	aaa.exe
PID 3068 wrote to memory of 2724	3068	New Text Document mod.exe	aaa.exe

outlook_office_path 1 IoCs

Processes:

PACKAGE_DEMO.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PACKAGE_DEMO.exe

outlook_win_path 1 IoCs

Processes:

PACKAGE_DEMO.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PACKAGE_DEMO.exe

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\a\PACKAGE_DEMO.exe
"C:\Users\Admin\AppData\Local\Temp\a\PACKAGE_DEMO.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:2680

C:\Users\Admin\AppData\Local\Temp\a\k.exe
"C:\Users\Admin\AppData\Local\Temp\a\k.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2372

C:\Users\Admin\AppData\Local\Temp\a\lumma0607.exe
"C:\Users\Admin\AppData\Local\Temp\a\lumma0607.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 112
3⤵
- Loads dropped DLL
- Program crash
PID:2096

C:\Users\Admin\AppData\Local\Temp\a\win.exe
"C:\Users\Admin\AppData\Local\Temp\a\win.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\system32\whoami.exe
whoami
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Users\Admin\AppData\Local\Temp\a\lolMiner.exe
"C:\Users\Admin\AppData\Local\Temp\a\lolMiner.exe"
2⤵
- Executes dropped EXE
PID:920

C:\Users\Admin\AppData\Local\Temp\a\my.exe
"C:\Users\Admin\AppData\Local\Temp\a\my.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2688

C:\Users\Admin\AppData\Local\Temp\a\windows_update.exe
"C:\Users\Admin\AppData\Local\Temp\a\windows_update.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\system32\whoami.exe
whoami
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Users\Admin\AppData\Local\Temp\a\1.exe
"C:\Users\Admin\AppData\Local\Temp\a\1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:796

C:\Users\Admin\AppData\Local\Temp\a\1.exe
C:\Users\Admin\AppData\Local\Temp\a\1.exe --foreground
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SysWOW64\whoami.exe
whoami
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Users\Admin\AppData\Local\Temp\a\igccu.exe
"C:\Users\Admin\AppData\Local\Temp\a\igccu.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2384

C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={4611E087-CB70-244B-9202-F605357A02F4}&lang=en&browser=5&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=CHBF&installdataindex=empty"
3⤵
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2732

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2808

C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2320

C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2240

C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1612

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMjIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Njg0OThBRjAtNzI5RC00NDEyLUEyMDUtNjEzMzZEQkQzNTg2fSIgdXNlcmlkPSJ7NUNBQzI4NzMtODdGOS00NDIzLUIxMEItQTFGQjAyRTk1QTg4fSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0ie0MwNUNEMjEwLTMyOTgtNEIzNC04NTc1LTFBRTAxMjQ3QjMzM30iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iNi4xLjc2MDEuMCIgc3A9IlNlcnZpY2UgUGFjayAxIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iMS4zLjM2LjE1MSIgbmV4dHZlcnNpb249IjEuMy4zNi4xMjIiIGxhbmc9ImVuIiBicmFuZD0iQ0hCRiIgY2xpZW50PSIiIGlpZD0iezQ2MTFFMDg3LUNCNzAtMjQ0Qi05MjAyLUY2MDUzNTdBMDJGNH0iPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iNDU0OSIvPjwvYXBwPjwvcmVxdWVzdD4
4⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
PID:2660

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={4611E087-CB70-244B-9202-F605357A02F4}&lang=en&browser=5&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=CHBF&installdataindex=empty" /installsource taggedmi /sessionid "{68498AF0-729D-4412-A205-61336DBD3586}"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060

C:\Users\Admin\AppData\Local\Temp\a\Server.exe
"C:\Users\Admin\AppData\Local\Temp\a\Server.exe"
2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
3⤵
PID:2664

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1580

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2316

C:\Windows\SysWOW64\findstr.exe
findstr All
4⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
3⤵
PID:2324

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1056

C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1256

C:\Users\Admin\AppData\Local\Temp\a\aaa.exe
"C:\Users\Admin\AppData\Local\Temp\a\aaa.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Users\Admin\AppData\Local\Temp\a\build.exe
"C:\Users\Admin\AppData\Local\Temp\a\build.exe"
2⤵
- Executes dropped EXE
PID:2040

C:\Users\Admin\AppData\Local\Temp\a\update.exe
"C:\Users\Admin\AppData\Local\Temp\a\update.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist > Running_processes.txt
3⤵
PID:2636

C:\Windows\system32\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist /v > Open_windows.txt
3⤵
PID:2904

C:\Windows\system32\tasklist.exe
tasklist /v
4⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c driverquery > Drivers.txt
3⤵
PID:2940

C:\Windows\system32\driverquery.exe
driverquery
4⤵
PID:2168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wmic product get name,version > Installed_apps.txt
3⤵
PID:2220

C:\Windows\System32\Wbem\WMIC.exe
wmic product get name,version
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /all > Network.txt
3⤵
PID:2928

C:\Windows\system32\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:2524

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c systeminfo > Info.txt
3⤵
PID:2660

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:2496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c for /d %i in (C:\Users\*) do if not "%i"=="C:\Users\Public" tree /F /A "%i" >> DirectoriesAndFiles.txt
3⤵
PID:2520

C:\Windows\system32\tree.com
tree /F /A "C:\Users\Admin"
4⤵
PID:2144

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2476

C:\Program Files (x86)\Google\Update\Install\{668C4DFE-8CFC-4746-AE9C-28FD18492632}\109.0.5414.120_chrome_installer.exe
"C:\Program Files (x86)\Google\Update\Install\{668C4DFE-8CFC-4746-AE9C-28FD18492632}\109.0.5414.120_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --system-level /installerdata="C:\Windows\TEMP\guiB857.tmp"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:288

C:\Program Files (x86)\Google\Update\Install\{668C4DFE-8CFC-4746-AE9C-28FD18492632}\CR_D4C9A.tmp\setup.exe
"C:\Program Files (x86)\Google\Update\Install\{668C4DFE-8CFC-4746-AE9C-28FD18492632}\CR_D4C9A.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Google\Update\Install\{668C4DFE-8CFC-4746-AE9C-28FD18492632}\CR_D4C9A.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --system-level /installerdata="C:\Windows\TEMP\guiB857.tmp"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808

C:\Program Files (x86)\Google\Update\Install\{668C4DFE-8CFC-4746-AE9C-28FD18492632}\CR_D4C9A.tmp\setup.exe
"C:\Program Files (x86)\Google\Update\Install\{668C4DFE-8CFC-4746-AE9C-28FD18492632}\CR_D4C9A.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=109.0.5414.120 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13fb31148,0x13fb31158,0x13fb31168
4⤵
- Executes dropped EXE
PID:2668

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "882383489-1417368646105317077521372782941648779516-1119681279690758577927240563"
1⤵
PID:2904

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Image File Execution Options Injection

T1546.012

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Image File Execution Options Injection

T1546.012

Component Object Model Hijacking

T1546.015

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\GoogleCrashHandler.exe
Filesize
292KB

MD5
497b4cc61ee544d71b391cebe3a72b87

SHA1
95d68a6a541fee6ace5b7481c35d154cec57c728

SHA256
a61fa37d4e2f6a350616755344ea31f6e4074353fc1740cfabf8e42c00a109f4

SHA512
d0b8968377db2886a9b7b5e5027d265a1ef986106ad1ca4a53fe0df0e3d92644e87458736f8f2d2b044612c9b6970a98d9a1e46c62981cade42bfbe078cb58fe

Download Submit
C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\GoogleCrashHandler64.exe
Filesize
372KB

MD5
c733cc368027bf6ce7e28428922c26ff

SHA1
bc7a1e7416d595f1221b4f60daf46bcefd087520

SHA256
fe4f716ac9a242194b166cc50ed41d9e9d3b7e338276f13542d070e0467f72fa

SHA512
761097fb2dfe5009dc3bac5ccb306a6a3826d81408c2ca698c815ae6558c44d60925f630a5f51675b28d2cab8c2bb5e8e5330fd769d824230921a496a6d1658b

Download Submit
C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\GoogleUpdateComRegisterShell64.exe
Filesize
178KB

MD5
a201b4e3527eeef223f3b0231188fb15

SHA1
d76b2d195de3e42b62ba46af4c8dc09d4759184a

SHA256
ad4b3cb532c565a396cbc5d3d985e87b1a0208b52645f964c88eeb8443881223

SHA512
faeba872f7c26c8615ebc597cf6d2f1114fd568a1a44bafd3f0b2244b4dbab926292c976c7361b5f17cd04fa1321f54644531295e0e2cd3e53c6956c42a88b70

Download Submit
C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\GoogleUpdateCore.exe
Filesize
218KB

MD5
082672346547312fabc549e92f2cb59a

SHA1
3bd084b10bcf2d665005db99d29a41c3c43eecdb

SHA256
4ecc2e174a0f8c919faba5a7839cc1d5b4d07a27c7eb2b000f86a1656beba5bc

SHA512
ae5077fd04f566159bdbc044f38e50475d0958ce4c93331f7b48880a68048f3bd7ae8107b21f37c51530376aa960e37a0bf4a31d54ae8a3c6df017b82ce76fff

Download Submit
C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdate.dll
Filesize
1.9MB

MD5
b235a510d74783594b5a50f60d6a841a

SHA1
101395a59c156139786554153e29a72e445776f7

SHA256
6a478176c0e2257485b517c5b549d6a4b9b93264b8ae67f134c8e87571db50ba

SHA512
78adc152a2b11a750e398f19fc611e27b6a53c6dd0aec959f49d3ac0bc6121901c58a32fca065cc9bbe41fbbc034d4807c8d26d7c9719dcb133073a05687d292

Download Submit
C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_am.dll
Filesize
46KB

MD5
545c8bb42505f22fbee877ea0be03fcc

SHA1
59d2927418d36d2a8eb25b56d56906907197e16c

SHA256
da6016d8f9436c6066b73af1351f88405bfb6e22eff8a457c69cccda4035fbfd

SHA512
3c9a162b3ecf50f887c9d549c79c4dcfd23e90af496da0c6546a8827ffa31be179b94cf728cbcaf046e1282f0c23de276db17c2c2eafb2a6573f7357937a92d1

Download Submit
C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_ar.dll
Filesize
45KB

MD5
fc3c2aee312e5372dc4e160d344bc9f4

SHA1
0e4179ad40c6d5eb8e55071cb2665d828fb8adce

SHA256
e7b036a4c4c24ad229876b4029d60ffb60bbd56b1e6c7bec1d03427727d23aea

SHA512
f2369f7de1d0c06531295184acb5272c80bbe92e19a423d31bf760a04c30cbb6752806c9312f106c4f6e12b63d90ad16410b34ff4e0c8cec40846a25f4b0c172

Download Submit
C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_bg.dll
Filesize
48KB

MD5
21a5f5b59e8905d375052eba2ad46897

SHA1
cc13c36bfa6c23666d28e820b606ab4995210a4c

SHA256
5ee45e26517642d8ebc856ed4bb9db957b94158f1e86221ffa5579af5252924c

SHA512
c6e0e925bbf45374e741a0c5228d4d91f143c8915629d9e1a38e107ddc8c5c37e20e0860ee0520efcb0a0ae65b0a5bafcf43c928d4b626abc34606105182171d

Download Submit
C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_bn.dll
Filesize
48KB

MD5
e7225b76978566a38e4a2daca5d8fa66

SHA1
eb2de4d268bba04d2479597f7002ba7633ca12d5

SHA256
86683cda7130f770d4b70f739668504747bae948c0770c8fcd9787780874dc02

SHA512
a385efd4d66b43b6bc9ff3a1becbfc8e6632dd0ee6e68a44c13d02f04cc383d381593492e43079a29912772513959ed97dd819a2807971e54e601559d474504b

Download Submit
C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_ca.dll
Filesize
48KB

MD5
b2ff289de022bd242bec4922612b5351

SHA1
692eddb44679a037ffe43b333438bf5b23c2d8ea

SHA256
3dc5ea2aa930d35789c8cf3140884222095f9f1e0b5b30779d3900e3a4a35cd7

SHA512
8bdea179b9cb82f2bf65f2fb1c03ebb1690ea2e9beb6b53f5753be0c1b4376a11a70e2ce42aa56df541e6e3cdc55bb92a6ca35058836fc78c701d305b08ce927

Download Submit
C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_cs.dll
Filesize
47KB

MD5
ca7d2ce7bb8c96fd00febfec417d4686

SHA1
42fa3166b0c0f082c703426d6ac121915f190689

SHA256
f27f092b1b9608d4445346cc65313fcab2f4cc9e69549c490d3987dbfa5d49a2

SHA512
e0f9b856b3429852ed8ede280364cdd6844f80988e6ff7b283068730812bf2de7c607d3bc2d0bdb0d81cf58bc9151af86514681d368e2d35d480ccf629d20082

Download Submit
C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_da.dll
Filesize
47KB

MD5
cda387e37dc9f6a087ef4cc48484589f

SHA1
e70a6d2681485647fa9f72043dec87f731b5a833

SHA256
382321cc30dfbc6a91b919f93b3ef8c18fcd7099a53170ab174617816f32ddc5

SHA512
7eca9b244e18b7c9fab28832bee26fe662fd9c999660b7f06393af72f8d26efb7c33feb6e663ac2a061cc8ae4a7f13040f7fa75801484a5de1db63948cf13090

Download Submit
C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_de.dll
Filesize
49KB

MD5
43d0cb0ab016a502d26f7b09725f9a06

SHA1
9fedd528def5125a06343f612230db14a073d9e6

SHA256
191f8e5ed6135ad55036ffc6bfd26731f04815a9172052f575f8bb5a7c85f1b5

SHA512
efff6051ce200cdacf674080f7191c905599340a5c5c571adc7471fc5305d4338e40d7fdd39e434214039fe3120142a3f3170629e2487b767d86643cca331147

Download Submit
C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_el.dll
Filesize
49KB

MD5
29b22cb3730f409bcc7715aa08219f13

SHA1
6b213f526b49621b4e57b07eea675d840f8d85b9

SHA256
4def02e3936f096df38d32e091f39befc47d2f0abdca50df9320351a4ced89a1

SHA512
8c0de5796c7c9f53ee7c9c49a023281775a55a1046cfa660b5ce38e20ac751d1213a8379f62d901ad86472347770d760e342a090407de23efb86c39f3f903c04

Download Submit
C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_en-GB.dll
Filesize
46KB

MD5
496aab9df60dad2e536577415da111b0

SHA1
2765297d33727138f207540e34fb6c47b862b34f

SHA256
f1c1c5fec50524aeb2ed8b327fc5bd968b2263643900bf559cf17e5ac83aaa9d

SHA512
3bdd1eaeb8347c7d9e045e7c5fdeb2a38b8475cf7b7472c8ec93825c72cff06e60e8c1e88ea8772e5c9bf92fbda25a01e275cddd8e5e55ace296f9db20f301a7

Download Submit
C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_es-419.dll
Filesize
48KB

MD5
83a62f554420383925f4c5427d9d74af

SHA1
2356616b2f636bf202cc3075edff619428f12b73

SHA256
37d1d70eb84ce0c26bceabe3f341d07e147e4adda82ecb0d885c7bcc4d625d14

SHA512
1160306257a1ee58102351ece67d7d6e0eed723c0113f5e68179ac7b1070e69d5c494ee8a12521147cc9123550215aa789c12c501e10f3dbced2e9a9d04a7aa3

Download Submit
C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_es.dll
Filesize
49KB

MD5
c624ef6c7d9bf1ed4d6dccf690886f06

SHA1
4e5b70b3b2227c9b1972f8a21ea035858ee94a16

SHA256
4905c5e8c0f4cac3678cfb50f27e8a6aa56f97a6751777e6aab89a73d2316359

SHA512
25e68f97868075cabb64883c0f5769c0bce8b9f89aa80b91b75172bf6546a418cc28a00946da7f5d5731f6a143740213f0d8a1986bbe3919cdfc5fbfc64816f3

Download Submit
C:\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_et.dll
Filesize
47KB

MD5
21ae9c7b03c50b4ea86c6b184b842f12

SHA1
e21cd55904436d18e6814bf0b33cd66399a65895

SHA256
fd4f259b0bebf709545b23bc72d5755c41c92337d66ad898e47bd5ece86bd5c7

SHA512
b2756c4145b3f2586782ea4e5f82352e4218e459cbcfe01a7b9b266ff99d46c80ac7a09c8a9815a6244587d3e083cdbe627a35424169dd5915652ccf835d0144

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
937d05d27724294546c7265ec33a47eb

SHA1
0592f407ab533e4839b5c70dc0b899e70fc992a0

SHA256
f0b03d37535ff6cfa949e60abf180f2a0b12c492d935de3b82f0533f0ca8c374

SHA512
bc80447d6f313944dac14830b1be6482d731aa7cbf5b8577a544863a00aeb4f952dd84605e29605074a50a504baef2949776724e5911ab12a41ea7dd2ee267ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
6221976fe8bd3fb3afcdbc12d7374d05

SHA1
776edcde0c8c9e3355fda431dcf84a5fe92f1882

SHA256
9939cd5c2750db44d9382fba650485c018d4a514c8cba64b6d30cb02a22c60ed

SHA512
3baa964c895d879d0786f336a7ae539cc45a13a690110317241620508a44a55ca4b9eff929553e49025a053cdcec4f036162a312d8ef0ec6dde022afeb089946

Download Submit
C:\Users\Admin\AppData\Local\238D3EC08A02684570291\System_info.txt
Filesize
420B

MD5
e74bc9b8836ca7ef596d7e31f432cb60

SHA1
1f00946ad566f471738c69c5517a1cc9d4aa63f7

SHA256
7fbd1f1a64d7174b3f2e345038a810eea4ac9ed32f52b47b91d932a167b06400

SHA512
7c83bd59302e2b4752a8b82f977c26cba69cf527c40c51fada16d3544ae029da9a46b4f7bdb18a3fd63d72936446f53cbe0812a03dc2ce87c059b0fcb333d875

Download Submit
C:\Users\Admin\AppData\Local\3bb311ebc534bbb7aabc8a3bfa44b968\Admin@MVFYZPLM_en-US\Browsers\Firefox\Bookmarks.txt
Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\5de47cd928ab8d0216d664abdad169df\msgid.dat
Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6347.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6379.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1.exe
Filesize
2.9MB

MD5
ed44c98c40576ef50f6abcf6e40c71d7

SHA1
3fa4d2232ebaef519eb388cae03a329123410113

SHA256
05d385e9faa8175db3c963f7fad2b3ecee0bb45deacfbf8824bdea9a181e63b1

SHA512
c66dd4cbf1b4743e455a70f65ffa4fba0a95926767c1a1c03fe9bfba52cc364c2f609bf5b65c786213718a139dd5b2ff40f7cf8a60d8e2663347c0168c9a72ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Server.exe
Filesize
175KB

MD5
68fad5f5f8de1c290df5d3754b4af358

SHA1
0028395243f38a03b13726915144b9848e8da39a

SHA256
dbacc134902ee72d1464d3b61a3518402b7ab54807bb7b7541fc2916c8119e9e

SHA512
ce44611d5c47fdcb979c715352f5050c816d4e5a814b102836856ede279f774e4709ca48fb95639ca66476ca547176370da7afc5185af066832732da2c80ee01

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\aaa.exe
Filesize
63KB

MD5
e52ba92d25281e90aa7f27bd3719951f

SHA1
f67b856dbac5bdd315dce1df2738a1b4f88f4f39

SHA256
8215ed905544d217f656b5b226f71798970698eefa4f24cb48532778d8409baa

SHA512
96a3e30a0fbe049f69b07155cfe3e1a431ff63e8dabc4baa13eada61668ebc4d4171fdaf70fb7fac4d92fc7e8383fa400dcf11eeaee98e47511857e30a23f53d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\igccu.exe
Filesize
1.3MB

MD5
ebf39794ba6132055e6114d47bc18941

SHA1
214dead1bd716c58709c39a8180551b737048785

SHA256
8af777d0f92cef2d9040a634527c3753669235589c23129f09855ad0ebe10c6f

SHA512
01e7521af569050acc473fd13c8dd9a781370bd7cefcbc7e953e66ab930f407e9791c9fdb2ab4f368579f16bebb7368bebd2a475351a42d9e2092da0835bffbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\lolMiner.exe
Filesize
7.7MB

MD5
03ab160d92dd13e549a778a844d008b4

SHA1
e1a147adc6b19ef1b61d171dc724e6073318c369

SHA256
8846c90b130f131059261045607983827e68aa26e699c591fb7e4a9235389e4e

SHA512
c865df80f6a97cd9e04b0e963d2b10dd71811271d47c554d410561bb4e69b08d276116c071c256f79b504975d2f6e2002b598a181d3c7c1959aae082d394ed51

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\lumma0607.exe
Filesize
512KB

MD5
383dc98d03038d2374701a5bfa5d8c0a

SHA1
e7fb6995ef4ea1b28f9527c96321452ac59686e1

SHA256
48a4712ae782ae16698b8a85c74dcb790e610c5a31c746319fb1d30e0e3c6096

SHA512
b846e728ec92a77af8b2a822c970646170951254dbd9ec5332191dc7d4b1fd15708e4850912049a772e4af1992fe2658ae3af49a377fb2172eb588fe8c6baff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\my.exe
Filesize
10.9MB

MD5
6470b936622d9502880cae6452d1bb48

SHA1
46f9dcbaec8def83dd90a5b56b480c70c0d8dd28

SHA256
8dff8555a5960f7dd9b5915c7046d006eafabe9181627d0ee7f56aeddfc727af

SHA512
6c9fcaa7c896f1dd26b0f69ee4c049702424e4a4227918dab5679602c1b1382143fcc01b833dd2e989100ed6bac9f71883f6db9340c62ca33ee0d479f6e898ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\update.exe
Filesize
826KB

MD5
f8ae25eb2bef827759f8cd837ad85bda

SHA1
5cd4441eb81e030bffd682c5bdbe14142b7b575f

SHA256
11cd1472cd1cc75245a148d4e9560bf7f7917443b36dec3f92ed79b8e743b399

SHA512
a64693a004e48bc8acdef52b453b2f7bc315f800d63221c56963d26542d44ca8c609de016a20d72fea47938122690f573fd8f808d23c72d1779bb4ea5ed108b1

Download Submit
\Program Files (x86)\Google\Temp\GUM9F0.tmp\GoogleUpdate.exe
Filesize
152KB

MD5
e4bf1e4d8477fbf8411e274f95a0d528

SHA1
a3ff668cbc56d22fb3b258fabff26bac74a27e21

SHA256
62f622b022d4d8a52baf02bcf0c163f6fd046265cc4553d2a8b267f8eded4b76

SHA512
429d99fc7578d07c02b69e6daf7d020cff9baa0098fbd15f05539cb3b78c3ac4a368dee500c4d14b804d383767a7d5e8154e61d4ab002d610abed4d647e14c70

Download Submit
\Program Files (x86)\Google\Temp\GUM9F0.tmp\goopdateres_en.dll
Filesize
47KB

MD5
b6fea8f291da55bb35d408040f354250

SHA1
19ed99a4f169467055474454f2b35204f2cd6568

SHA256
6dcbd0c88d81ffa42a926787cbdecf8042685cc44f0484ef87307f89ec220bcc

SHA512
1b47352ddc03bb1b6a171e7cf58bfd1e1214a4f9cc04cf8ad58326e17a33b4c639cf23b4f7372b1010021ce3816129ca270d06a2c55ba3a3b001e1587c5ab75a

Download Submit
\Users\Admin\AppData\Local\Temp\a\PACKAGE_DEMO.exe
Filesize
914KB

MD5
e450ca946d4bf6173ebe3f00c3d08d81

SHA1
3653f8f0231dfad94100f3f3ae3fbae0c3b0d208

SHA256
44e715e3d9b5434c099452cc2cd991b1f02d4aba25114341a37dc142efd089ff

SHA512
9c884eb29f2d084973a7cc760d3c4e41f3601ef9b22081e083e371301d5b6b22d8e52cacaf6e4a2fd7466d5819876a69921326fa59a24ff75ed85297cda88fba

Download Submit
\Users\Admin\AppData\Local\Temp\a\k.exe
Filesize
5.7MB

MD5
4af91af5e4cdc7c3ffcb265d1d4ba84e

SHA1
0822bc3f0daa2af8cf7ce3ea2d170eddda1f8474

SHA256
d410edc3f58ae5fc315e6a991ec7f695ecec65695234fca528be1c7d87c8323b

SHA512
2edf7dfe8f9db0d541e726eb0414a845bfd333e092e7f93b81bf1399f254bc1a15d2cd501cbd14b7b5ffb9d725760b67b8b202fbf3741a27179a6346bc212a7a

Download Submit
\Users\Admin\AppData\Local\Temp\a\win.exe
Filesize
5.7MB

MD5
36dcf115331160b2f88e83e5b8d07036

SHA1
70a1eacbb83628c336792a5d5a1961a81b8d3a48

SHA256
6730f3ff0586fe95fd3c8514df7dc362eb4efe30a3a43f072797681bb196ad2c

SHA512
c63046a6decdddd1fccd4854bb76a38dc796677497b1cfdde03f1c8c72f60e3292bfcb335651220b89e8de70b5772a47ec73cb0e796045aeff0145c2af3552c1

Download Submit
\Users\Admin\AppData\Local\Temp\a\windows_update.exe
Filesize
5.7MB

MD5
14129aa32bbd6bf03d3cde8837119e2a

SHA1
ad34a9a1b7bba694acdcc89da603f13424e9c138

SHA256
a14cf7fe50d04752115b10db3af584676082152adae4295b44c1aefd2074fbf4

SHA512
a4bb9b1cef0031746df7bcf5605c812e6805d8e3686541593d1e71d0ab698f2d25c09c94f79fa9b150a2b3cf4e8b7bae0ec7e86ef6b00a75dd74558a1cf065b2

Download Submit
memory/760-144-0x00000000002F0000-0x0000000001316000-memory.dmp

Filesize
16.1MB

Download
memory/760-140-0x00000000002F0000-0x0000000001316000-memory.dmp

Filesize
16.1MB

Download
memory/760-146-0x00000000002F0000-0x0000000001316000-memory.dmp

Filesize
16.1MB

Download
memory/760-138-0x00000000002F0000-0x0000000001316000-memory.dmp

Filesize
16.1MB

Download
memory/760-148-0x00000000002F0000-0x0000000001316000-memory.dmp

Filesize
16.1MB

Download
memory/760-687-0x00000000002F0000-0x0000000001316000-memory.dmp

Filesize
16.1MB

Download
memory/760-136-0x00000000002F0000-0x0000000001316000-memory.dmp

Filesize
16.1MB

Download
memory/760-159-0x00000000002F0000-0x0000000001316000-memory.dmp

Filesize
16.1MB

Download
memory/760-623-0x00000000002F0000-0x0000000001316000-memory.dmp

Filesize
16.1MB

Download
memory/760-128-0x00000000002F0000-0x0000000001316000-memory.dmp

Filesize
16.1MB

Download
memory/760-170-0x00000000002F0000-0x0000000001316000-memory.dmp

Filesize
16.1MB

Download
memory/760-814-0x00000000002F0000-0x0000000001316000-memory.dmp

Filesize
16.1MB

Download
memory/760-173-0x00000000002F0000-0x0000000001316000-memory.dmp

Filesize
16.1MB

Download
memory/760-580-0x00000000002F0000-0x0000000001316000-memory.dmp

Filesize
16.1MB

Download
memory/760-124-0x00000000002F0000-0x0000000001316000-memory.dmp

Filesize
16.1MB

Download
memory/760-176-0x00000000002F0000-0x0000000001316000-memory.dmp

Filesize
16.1MB

Download
memory/760-122-0x00000000002F0000-0x0000000001316000-memory.dmp

Filesize
16.1MB

Download
memory/760-192-0x00000000002F0000-0x0000000001316000-memory.dmp

Filesize
16.1MB

Download
memory/760-120-0x00000000002F0000-0x0000000001316000-memory.dmp

Filesize
16.1MB

Download
memory/760-196-0x00000000002F0000-0x0000000001316000-memory.dmp

Filesize
16.1MB

Download
memory/796-187-0x0000000000FC0000-0x00000000017AD000-memory.dmp

Filesize
7.9MB

Download
memory/920-135-0x000000013F590000-0x0000000143CEF000-memory.dmp

Filesize
71.4MB

Download
memory/1552-564-0x0000000180000000-0x00000001800E8000-memory.dmp

Filesize
928KB

Download
memory/1724-413-0x0000000000D50000-0x0000000000D82000-memory.dmp

Filesize
200KB

Download
memory/1728-812-0x0000000000DC0000-0x0000000001DE5000-memory.dmp

Filesize
16.1MB

Download
memory/1728-195-0x0000000000DC0000-0x0000000001DE5000-memory.dmp

Filesize
16.1MB

Download
memory/1728-191-0x0000000000DC0000-0x0000000001DE5000-memory.dmp

Filesize
16.1MB

Download
memory/1728-682-0x0000000000DC0000-0x0000000001DE5000-memory.dmp

Filesize
16.1MB

Download
memory/1728-175-0x0000000000DC0000-0x0000000001DE5000-memory.dmp

Filesize
16.1MB

Download
memory/1728-172-0x0000000000DC0000-0x0000000001DE5000-memory.dmp

Filesize
16.1MB

Download
memory/1728-584-0x0000000000DC0000-0x0000000001DE5000-memory.dmp

Filesize
16.1MB

Download
memory/1728-460-0x0000000000DC0000-0x0000000001DE5000-memory.dmp

Filesize
16.1MB

Download
memory/2040-456-0x00000000011F0000-0x0000000001242000-memory.dmp

Filesize
328KB

Download
memory/2300-197-0x0000000000FC0000-0x00000000017AD000-memory.dmp

Filesize
7.9MB

Download
memory/2300-583-0x0000000000FC0000-0x00000000017AD000-memory.dmp

Filesize
7.9MB

Download
memory/2300-625-0x0000000000FC0000-0x00000000017AD000-memory.dmp

Filesize
7.9MB

Download
memory/2300-809-0x0000000000FC0000-0x00000000017AD000-memory.dmp

Filesize
7.9MB

Download
memory/2300-194-0x0000000000FC0000-0x00000000017AD000-memory.dmp

Filesize
7.9MB

Download
memory/2372-106-0x0000000000A70000-0x0000000001A96000-memory.dmp

Filesize
16.1MB

Download
memory/2372-93-0x0000000000A70000-0x0000000001A96000-memory.dmp

Filesize
16.1MB

Download
memory/2372-125-0x0000000000A70000-0x0000000001A96000-memory.dmp

Filesize
16.1MB

Download
memory/2372-193-0x0000000000A70000-0x0000000001A96000-memory.dmp

Filesize
16.1MB

Download
memory/2372-121-0x0000000000A70000-0x0000000001A96000-memory.dmp

Filesize
16.1MB

Download
memory/2372-811-0x0000000000A70000-0x0000000001A96000-memory.dmp

Filesize
16.1MB

Download
memory/2372-188-0x0000000000A70000-0x0000000001A96000-memory.dmp

Filesize
16.1MB

Download
memory/2372-109-0x0000000000A70000-0x0000000001A96000-memory.dmp

Filesize
16.1MB

Download
memory/2372-108-0x0000000000A70000-0x0000000001A96000-memory.dmp

Filesize
16.1MB

Download
memory/2372-137-0x0000000000A70000-0x0000000001A96000-memory.dmp

Filesize
16.1MB

Download
memory/2372-97-0x0000000000A70000-0x0000000001A96000-memory.dmp

Filesize
16.1MB

Download
memory/2372-95-0x0000000000A70000-0x0000000001A96000-memory.dmp

Filesize
16.1MB

Download
memory/2372-139-0x0000000000A70000-0x0000000001A96000-memory.dmp

Filesize
16.1MB

Download
memory/2372-141-0x0000000000A70000-0x0000000001A96000-memory.dmp

Filesize
16.1MB

Download
memory/2372-457-0x0000000000A70000-0x0000000001A96000-memory.dmp

Filesize
16.1MB

Download
memory/2372-145-0x0000000000A70000-0x0000000001A96000-memory.dmp

Filesize
16.1MB

Download
memory/2372-94-0x0000000000A70000-0x0000000001A96000-memory.dmp

Filesize
16.1MB

Download
memory/2372-674-0x0000000000A70000-0x0000000001A96000-memory.dmp

Filesize
16.1MB

Download
memory/2372-147-0x0000000000A70000-0x0000000001A96000-memory.dmp

Filesize
16.1MB

Download
memory/2372-174-0x0000000000A70000-0x0000000001A96000-memory.dmp

Filesize
16.1MB

Download
memory/2372-158-0x0000000000A70000-0x0000000001A96000-memory.dmp

Filesize
16.1MB

Download
memory/2372-582-0x0000000000A70000-0x0000000001A96000-memory.dmp

Filesize
16.1MB

Download
memory/2372-169-0x0000000000A70000-0x0000000001A96000-memory.dmp

Filesize
16.1MB

Download
memory/2372-74-0x0000000000A70000-0x0000000001A96000-memory.dmp

Filesize
16.1MB

Download
memory/2724-350-0x0000000001320000-0x0000000001336000-memory.dmp

Filesize
88KB

Download
memory/3068-73-0x000000001CE30000-0x000000001DE56000-memory.dmp

Filesize
16.1MB

Download
memory/3068-76-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/3068-127-0x000000001CC30000-0x000000001DC56000-memory.dmp

Filesize
16.1MB

Download
memory/3068-0-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

Filesize
4KB

Download
memory/3068-72-0x000000001CE30000-0x000000001DE56000-memory.dmp

Filesize
16.1MB

Download
memory/3068-70-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

Filesize
4KB

Download
memory/3068-119-0x000000001CC30000-0x000000001DC56000-memory.dmp

Filesize
16.1MB

Download
memory/3068-126-0x000000001CC30000-0x000000001DC56000-memory.dmp

Filesize
16.1MB

Download
memory/3068-2-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/3068-1-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download