577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446

General

Target

577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
Size

1.0MB
MD5

203bd1419cb3a6f70d6606a7e7a7a4a2
SHA1

46faa2aade421560da587f6e7ce91be481470c89
SHA256

577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446
SHA512

0af366b975037ae85d7472094158979f2d5268bc09da9c0f0de46c9ef3a1b87a3839d4b16fb38a099044e1d5a15fd3fe2efb449caeedc4ebaf23194a5a089101

Score

10^/10

evasion persistence suricata

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 18 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices

Modifies security service 2 TTPs 22 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\ErrorControl = "0"
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSOut
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Type = "32"
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSIn
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\DeleteFlag = "1"
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Type = "32"
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\RPC-EPMap
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Security
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\DeleteFlag = "1"
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\ErrorControl = "0"
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\Teredo

suricata: ET MALWARE ZeroAccess Outbound udp traffic detected
suricata: ET MALWARE ZeroAccess Outbound udp traffic detected
suricata
suricata: ET MALWARE ZeroAccess udp traffic detected
suricata: ET MALWARE ZeroAccess udp traffic detected
suricata

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\‮etadpug\ImagePath = "\"C:\\Program Files (x86)\\Google\\Desktop\\Install\\{23056970-5253-e417-cf3c-cfeed1bb69f9}\\ \\...\\\u202eﯹ๛\\{23056970-5253-e417-cf3c-cfeed1bb69f9}\\GoogleUpdate.exe\" <"	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2044 cmd.exe

pid	process
2044	cmd.exe

Unexpected DNS network traffic destination 11 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Desktop\\Install\\{23056970-5253-e417-cf3c-cfeed1bb69f9}\\❤≸⋙\\Ⱒ☠⍨\\\u202eﯹ๛\\{23056970-5253-e417-cf3c-cfeed1bb69f9}\\GoogleUpdate.exe\" >"	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

description ioc process

File created \systemroot\assembly\GAC_64\Desktop.ini
File created \systemroot\assembly\GAC_32\Desktop.ini

description	ioc	process
File created	\systemroot\assembly\GAC_64\Desktop.ini
File created	\systemroot\assembly\GAC_32\Desktop.ini

Suspicious use of SetThreadContext 2 IoCs

Processes:

577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe

description	pid	process	target process
PID 900 set thread context of 964	900	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
PID 964 set thread context of 2044	964	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe	cmd.exe

Drops file in Program Files directory 22 IoCs

Processes:

577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Google\Desktop\Install\{23056970-5253-e417-cf3c-cfeed1bb69f9}\ \...\‮ﯹ๛\{23056970-5253-e417-cf3c-cfeed1bb69f9}\@
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File created	C:\Program Files (x86)\Google\Desktop\Install\{23056970-5253-e417-cf3c-cfeed1bb69f9}\ \...\‮ﯹ๛\{23056970-5253-e417-cf3c-cfeed1bb69f9}\GoogleUpdate.exe	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File created	C:\Program Files (x86)\Google\Desktop\Install\{23056970-5253-e417-cf3c-cfeed1bb69f9}\ \...\‮ﯹ๛\{23056970-5253-e417-cf3c-cfeed1bb69f9}\@	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files (x86)\Google\Desktop\Install\{23056970-5253-e417-cf3c-cfeed1bb69f9}\ \...\‮ﯹ๛\{23056970-5253-e417-cf3c-cfeed1bb69f9}\@\:@
File opened for modification	C:\Program Files\Windows Defender\en-US:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe

NTFS ADS 19 IoCs

Processes:

577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files (x86)\Google\Desktop\Install\{23056970-5253-e417-cf3c-cfeed1bb69f9}\ \...\‮ﯹ๛\{23056970-5253-e417-cf3c-cfeed1bb69f9}\@\:@
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\en-US:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe

pid	process
964	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
964	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
964	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
964	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
460

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe

pid	process
964	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
964	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe

description	pid	process
Token: SeRestorePrivilege	964	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
Token: SeDebugPrivilege	964	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
Token: SeDebugPrivilege	964	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
Token: SeRestorePrivilege	964	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
Token: SeBackupPrivilege	460
Token: SeRestorePrivilege	460
Token: SeSecurityPrivilege	460
Token: SeTakeOwnershipPrivilege	460
Token: SeBackupPrivilege	460
Token: SeRestorePrivilege	460
Token: SeSecurityPrivilege	460
Token: SeTakeOwnershipPrivilege	460
Token: SeBackupPrivilege	460
Token: SeRestorePrivilege	460
Token: SeSecurityPrivilege	460
Token: SeTakeOwnershipPrivilege	460
Token: SeBackupPrivilege	460
Token: SeRestorePrivilege	460
Token: SeSecurityPrivilege	460
Token: SeTakeOwnershipPrivilege	460
Token: SeBackupPrivilege	460
Token: SeRestorePrivilege	460
Token: SeSecurityPrivilege	460
Token: SeTakeOwnershipPrivilege	460
Token: SeDebugPrivilege	460

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1252
1252
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1252
1252

pid	process
1252
1252

pid	process
1252
1252

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe

C:\Users\Admin\AppData\Local\Temp\577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
"C:\Users\Admin\AppData\Local\Temp\577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Local\Temp\577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
"C:\Users\Admin\AppData\Local\Temp\577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe"
2⤵
- Modifies security service
- Sets service image path in registry
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Deletes itself
PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Desktop\Install\{23056970-5253-e417-cf3c-cfeed1bb69f9}\ \...\‮ﯹ๛\{23056970-5253-e417-cf3c-cfeed1bb69f9}\@
Filesize
2KB

MD5
90d1020a0258e462638d55d96f29cbe6

SHA1
2cd975610c607b27e156aae87feac3499fd87b9c

SHA256
1d30bb28ba1505ac3733c08e989c3c8122ffa71352732770e5bc59cf149e01d1

SHA512
edaf9853d31b346a826d62b67b7638c39f33069c2bf3502325d8970a4340968f3db320ae51fa4971ecb39de901c5a7430cd9b8332c9c7571a0bf77a68c6ac5d6

Download Submit
memory/460-75-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/460-71-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/900-65-0x00000000001E0000-0x00000000001E7000-memory.dmp

Filesize
28KB

Download
memory/900-54-0x0000000076211000-0x0000000076213000-memory.dmp

Filesize
8KB

Download
memory/964-61-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/964-63-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/964-64-0x0000000000401E4A-mapping.dmp

Download
memory/964-62-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/964-66-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/964-68-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/964-69-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/964-60-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/964-73-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/964-58-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/964-55-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1252-70-0x0000000002AC0000-0x0000000002AD2000-memory.dmp

Filesize
72KB

Download
memory/2044-72-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 900 wrote to memory of 964	900	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
PID 900 wrote to memory of 964	900	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
PID 900 wrote to memory of 964	900	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
PID 900 wrote to memory of 964	900	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
PID 900 wrote to memory of 964	900	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
PID 900 wrote to memory of 964	900	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
PID 900 wrote to memory of 964	900	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
PID 900 wrote to memory of 964	900	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
PID 900 wrote to memory of 964	900	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
PID 900 wrote to memory of 964	900	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
PID 900 wrote to memory of 964	900	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe
PID 964 wrote to memory of 2044	964	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe	cmd.exe
PID 964 wrote to memory of 2044	964	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe	cmd.exe
PID 964 wrote to memory of 2044	964	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe	cmd.exe
PID 964 wrote to memory of 2044	964	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe	cmd.exe
PID 964 wrote to memory of 2044	964	577c6c2c6fdf17a6ed04dff2e8da4c982332c955cda48bdae87c340e46626446.exe	cmd.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads