Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- <SYSTEM32>\tasks\googlesystem\googleupdater\googleupdatertasksystem141.0.7340.0{f1894a6a-f0ab-431c-87e2-e7b5e39e8674}
- <SYSTEM32>\tasks\windowspowershell.wbemscripting.windowsdata
Sets the following service settings
- [HKLM\SYSTEM\CurrentControlSet\Services\Cndom6] 'ImagePath' = 'C:\Cndom6.sys'
- [HKLM\SYSTEM\CurrentControlSet\Services\GoogleUpdaterInternalService141.0.7340.0] 'Start' = '00000002'
- [HKLM\SYSTEM\CurrentControlSet\Services\GoogleUpdaterInternalService141.0.7340.0] 'ImagePath' = '"%ProgramFiles(x86)%\Google\GoogleUpdater\141.0.7340.0\updater.exe" --system --windows-service -...
- [HKLM\SYSTEM\CurrentControlSet\Services\GoogleUpdaterService141.0.7340.0] 'Start' = '00000002'
- [HKLM\SYSTEM\CurrentControlSet\Services\GoogleUpdaterService141.0.7340.0] 'ImagePath' = '"%ProgramFiles(x86)%\Google\GoogleUpdater\141.0.7340.0\updater.exe" --system --windows-service --service...
Creates the following services
- 'Cndom6' C:\Cndom6.sys
- 'GoogleUpdaterInternalService141.0.7340.0' %ProgramFiles(x86)%\Google\GoogleUpdatera.0.7340.0�pdater.exe" --system --windows-service --service=update-interna
- 'GoogleUpdaterService141.0.7340.0' %ProgramFiles(x86)%\Google\GoogleUpdatera.0.7340.0�pdater.exe" --system --windows-service --service=updat
Modifies file system
Creates the following files
- %TEMP%\is-3cpmi.tmp\<File name>.tmp
- %TEMP%\is-cvesd.tmp\_isetup\_setup64.tmp
- %TEMP%\is-cvesd.tmp\_isetup\_shfoldr.dll
- %ALLUSERSPROFILE%\windowsdata\is-qf8vv.tmp
- %ALLUSERSPROFILE%\windowsdata\is-loa23.tmp
- %ALLUSERSPROFILE%\windowsdata\is-7vftr.tmp
- %ALLUSERSPROFILE%\windowsdata\is-punut.tmp
- %ALLUSERSPROFILE%\windowsdata\funzip.exe
- %ALLUSERSPROFILE%\windowsdata\mainzttrjtfyhnidcaf.xml
- %ALLUSERSPROFILE%\windowsdata\man10.dat
- %ALLUSERSPROFILE%\windowsdata\server.log
- %ALLUSERSPROFILE%\windowsdata\men.exe
- %ALLUSERSPROFILE%\windowsdata\setup.exe
- C:\users\public\documents\x86-microsoft-windowsdata\tree.exe
- %ProgramFiles(x86)%\google\googleupdater\updater.log
- %TEMP%\google4316_1717153245\updater.packed.7z
- %TEMP%\google4316_780594889\updater.7z
- %TEMP%\google4316_780594889\bin\uninstall.cmd
- %TEMP%\google4316_780594889\bin\updater.exe
- C:\users\public\documents\x86-microsoft-windowsdata\wudfcompanionhoste.exe
- C:\users\public\documents\x86-microsoft-windowsdata\searchindexers.exe
- C:\cndom6.sys
- C:\users\public\documents\x86-microsoft-windowsdata\kang.exe
- %ProgramFiles(x86)%\google\googleupdater\141.0.7340.0\crashpad\settings.dat
- %ProgramFiles(x86)%\google\googleupdater\141.0.7340.0\uninstall.cmd
- %ProgramFiles(x86)%\google\googleupdater\141.0.7340.0\updater.exe
- %ProgramFiles(x86)%\google\googleupdater\2b1e341a-8b4e-4858-9bb3-b11f7fa79b29.tmp
- %ALLUSERSPROFILE%\windowsdata\del.bat
- nul
- %ProgramFiles(x86)%\google\update\googleupdate.exe
- %ProgramFiles(x86)%\google\googleupdater\99acd956-4dc1-4786-ab5f-2564f71638c2.tmp
- %ProgramFiles(x86)%\google\googleupdater\141.0.7340.0\5161f26b-64ff-488e-9e63-3d6ac14bff85.tmp
- %ProgramFiles(x86)%\google\googleupdater\a07324ff-373d-486a-a4d4-0dcb809addf4.tmp
- %ProgramFiles(x86)%\google\googleupdater\crx_cache\2496aa58-ce4b-4b1b-9cb5-2c9117e9a06c.tmp
- %ProgramFiles(x86)%\google\googleupdater\27689d67-2564-4ed9-8692-9def6627f919.tmp
- %ProgramFiles(x86)%\google\googleupdater\5b42bb25-4fd3-411e-969a-2a8f3dfc975d.tmp
Deletes following files that it created itself
- %ALLUSERSPROFILE%\windowsdata\main.1
- %ALLUSERSPROFILE%\windowsdata\main.2
- %ALLUSERSPROFILE%\windowsdata\mainzttrjtfyhnidcaf.xml
- %TEMP%\is-cvesd.tmp\_isetup\_setup64.tmp
- %TEMP%\is-cvesd.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-3cpmi.tmp\<File name>.tmp
- %TEMP%\google4316_780594889\updater.7z
- %TEMP%\google4316_780594889\bin\uninstall.cmd
- %TEMP%\google4316_780594889\bin\updater.exe
- %ALLUSERSPROFILE%\windowsdata\setup.exe
Moves the following files
- from %ALLUSERSPROFILE%\windowsdata\is-qf8vv.tmp to %ALLUSERSPROFILE%\windowsdata\unzip.1
- from %ALLUSERSPROFILE%\windowsdata\is-loa23.tmp to %ALLUSERSPROFILE%\windowsdata\unzip.2
- from %ALLUSERSPROFILE%\windowsdata\is-7vftr.tmp to %ALLUSERSPROFILE%\windowsdata\main.1
- from %ALLUSERSPROFILE%\windowsdata\is-punut.tmp to %ALLUSERSPROFILE%\windowsdata\main.2
- from %ALLUSERSPROFILE%\windowsdata\server.log to C:\users\public\documents\x86-microsoft-windowsdata\server.log
- from %ProgramFiles(x86)%\google\googleupdater\2b1e341a-8b4e-4858-9bb3-b11f7fa79b29.tmp to %ProgramFiles(x86)%\google\googleupdater\prefs.json
- from %ProgramFiles(x86)%\google\googleupdater\141.0.7340.0\5161f26b-64ff-488e-9e63-3d6ac14bff85.tmp to %ProgramFiles(x86)%\google\googleupdater\141.0.7340.0\prefs.json
- from %ProgramFiles(x86)%\google\googleupdater\crx_cache\2496aa58-ce4b-4b1b-9cb5-2c9117e9a06c.tmp to %ProgramFiles(x86)%\google\googleupdater\crx_cache\metadata.json
Network activity
UDP
- DNS ASK up####.googleapis.com
- DNS ASK dl.google.com
Miscellaneous
Creates and executes the following
- '%TEMP%\is-3cpmi.tmp\<File name>.tmp' /SL5="$A01E4,14966256,140800,<Full path to file>"
- '%ALLUSERSPROFILE%\windowsdata\funzip.exe' x -y -phtLcENyRFYwXsHFnUnqK -o"%ALLUSERSPROFILE%\WindowsData" "%ALLUSERSPROFILE%\WindowsData\mainZTtRjTfyhNIDCAF.xml"
- '%ALLUSERSPROFILE%\windowsdata\setup.exe'
- '%ALLUSERSPROFILE%\windowsdata\men.exe'
- '%ALLUSERSPROFILE%\windowsdata\funzip.exe' x "C:\Users\Public\Documents\x86-Microsoft-Windowsdata\tree.exe" -pServer8888 -o"C:\Users\Public\Documents\x86-Microsoft-Windowsdata" -y
- '%ProgramFiles(x86)%\google\googleupdater\141.0.7340.0\updater.exe' --system --windows-service --service=update-internal
- '%ProgramFiles(x86)%\google\googleupdater\141.0.7340.0\updater.exe' --crash-handler --system "--database=%ProgramFiles(x86)%\Google\GoogleUpdater\141.0.7340.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=141.0...
- '%ProgramFiles(x86)%\google\googleupdater\141.0.7340.0\updater.exe' --system --windows-service --service=update
Executes the following
- '%WINDIR%\syswow64\cmd.exe' /c copy /b "%ALLUSERSPROFILE%\WindowsData\unzip.1" + "%ALLUSERSPROFILE%\WindowsData\unzip.2" "%ALLUSERSPROFILE%\WindowsData\funzip.exe" && del "%ALLUSERSPROFILE%\WindowsData\unzip.1" "%ALLUSERS...
- '%WINDIR%\syswow64\cmd.exe' /c copy /b /y "%ALLUSERSPROFILE%\WindowsData\main.1" + "%ALLUSERSPROFILE%\WindowsData\main.2" "%ALLUSERSPROFILE%\WindowsData\mainZTtRjTfyhNIDCAF.xml"
- '<SYSTEM32>\cmd.exe' /c "takeown /f "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\WindowsPowerShell.WbemScripting.SWbemLocator" /a >nul 2>&1 & icacls "HKLM\\SOFTWARE\\Microsoft\\...
- '<SYSTEM32>\cmd.exe' /c (del /f /q /s "C:\Users\Public\Documents\x86-Microsoft-Windowsdata\*" && del /f /q /s "%ALLUSERSPROFILE%\WindowsData\*" && rmdir /q /s "C:\Users\Public\Documents\x86-Microsoft-Windowsdata" &...
- '<SYSTEM32>\cmd.exe' /c del.bat
- '<SYSTEM32>\takeown.exe' /f "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\WindowsPowerShell.WbemScripting.SWbemLocator" /a
- '<SYSTEM32>\ping.exe' -n 2 127.0.0.1
- '<SYSTEM32>\icacls.exe' "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\WindowsPowerShell.WbemScripting.SWbemLocator" /grant Administrators:F
- '<SYSTEM32>\takeown.exe' /f "C:\\Windows\\System32\\Tasks\WindowsPowerShell.WbemScripting.SWbemLocator" /grant Administrators:F
- '<SYSTEM32>\icacls.exe' "C:\\Windows\\System32\\Tasks\WindowsPowerShell.WbemScripting.SWbemLocator" /deny Everyone:D
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command \"$regPath = 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\WindowsPowerShell.WbemScripting.SWbemLocator'; $acl = (Get-Item -Path $regPath).GetAccess...
- '%WINDIR%\syswow64\cmd.exe' /c copy /b "%ALLUSERSPROFILE%\WindowsData\unzip.1" + "%ALLUSERSPROFILE%\WindowsData\unzip.2" "%ALLUSERSPROFILE%\WindowsData\funzip.exe" && del "%ALLUSERSPROFILE%\WindowsData\unzip.1" "%ALLUSERS...' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c copy /b /y "%ALLUSERSPROFILE%\WindowsData\main.1" + "%ALLUSERSPROFILE%\WindowsData\main.2" "%ALLUSERSPROFILE%\WindowsData\mainZTtRjTfyhNIDCAF.xml"' (with hidden window)
- '%ALLUSERSPROFILE%\windowsdata\funzip.exe' x -y -phtLcENyRFYwXsHFnUnqK -o"%ALLUSERSPROFILE%\WindowsData" "%ALLUSERSPROFILE%\WindowsData\mainZTtRjTfyhNIDCAF.xml"' (with hidden window)
- '%ALLUSERSPROFILE%\windowsdata\men.exe' ' (with hidden window)
- '%ALLUSERSPROFILE%\windowsdata\funzip.exe' x "C:\Users\Public\Documents\x86-Microsoft-Windowsdata\tree.exe" -pServer8888 -o"C:\Users\Public\Documents\x86-Microsoft-Windowsdata" -y' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "takeown /f "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\WindowsPowerShell.WbemScripting.SWbemLocator" /a >nul 2>&1 & icacls "HKLM\\SOFTWARE\\Microsoft\\...' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c (del /f /q /s "C:\Users\Public\Documents\x86-Microsoft-Windowsdata\*" && del /f /q /s "%ALLUSERSPROFILE%\WindowsData\*" && rmdir /q /s "C:\Users\Public\Documents\x86-Microsoft-Windowsdata" &...' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c del.bat' (with hidden window)
