739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15

Analysis

max time kernel
130s
max time network
214s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
Size

135KB
MD5

4c409a7a1359758ca822fc5df4773cb3
SHA1

33b9ad618fe471998f1ae25612b278f85b2acb8b
SHA256

739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15
SHA512

a5e614866e19d7a2c5aa8c7876df6a772dcdeba361ba70f1b8360a8a4c56378f5e75992f210dc2444754680645c93a9247d96cd901b401be04f66d4d1be55460
SSDEEP

3072:FwPOtVECgmaFlt/xUc+Wn2O5nFk3znoWUyJUbyMOjs:OPOH5SlL/+URFfWUyJu0

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 18 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable	Process not Found

Modifies security service 2 TTPs 22 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\ErrorControl = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\DeleteFlag = "1"	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSIn	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSOut	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\Teredo	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\ErrorControl = "0"	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Security	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Type = "32"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\DeleteFlag = "1"	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Type = "32"	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\RPC-EPMap	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security	Process not Found

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\‮etadpug\ImagePath = "\"C:\\Program Files (x86)\\Google\\Desktop\\Install\\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\\ \\...\\\u202eﯹ๛\\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\\GoogleUpdate.exe\" <"	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe

Deletes itself 1 IoCs

pid	Process
668	cmd.exe

Unexpected DNS network traffic destination 11 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127
Destination IP	85.114.128.127

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Desktop\\Install\\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\\❤≸⋙\\Ⱒ☠⍨\\\u202eﯹ๛\\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\\GoogleUpdate.exe\" >"	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	Process not Found
File created	\systemroot\assembly\GAC_32\Desktop.ini	Process not Found

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1156 set thread context of 668	1156	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe	28

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files (x86)\Google\Desktop\Install\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\ \...\‮ﯹ๛\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\@\:@	Process not Found
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\en-US:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files (x86)\Google\Desktop\Install\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\ \...\‮ﯹ๛\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\@	Process not Found
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File created	C:\Program Files (x86)\Google\Desktop\Install\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\ \...\‮ﯹ๛\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\GoogleUpdate.exe	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File created	C:\Program Files (x86)\Google\Desktop\Install\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\ \...\‮ﯹ๛\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\@	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe

NTFS ADS 19 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files (x86)\Google\Desktop\Install\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\ \...\‮ﯹ๛\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\@\:@	Process not Found
File opened for modification	C:\Program Files\Windows Defender\en-US:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1156	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
1156	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
1156	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
1156	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
460	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1272	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1156	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
1156	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeRestorePrivilege	1156	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
Token: SeDebugPrivilege	1156	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
Token: SeDebugPrivilege	1156	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
Token: SeRestorePrivilege	1156	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
Token: SeBackupPrivilege	460	Process not Found
Token: SeRestorePrivilege	460	Process not Found
Token: SeSecurityPrivilege	460	Process not Found
Token: SeTakeOwnershipPrivilege	460	Process not Found
Token: SeBackupPrivilege	460	Process not Found
Token: SeRestorePrivilege	460	Process not Found
Token: SeSecurityPrivilege	460	Process not Found
Token: SeTakeOwnershipPrivilege	460	Process not Found
Token: SeBackupPrivilege	460	Process not Found
Token: SeRestorePrivilege	460	Process not Found
Token: SeSecurityPrivilege	460	Process not Found
Token: SeTakeOwnershipPrivilege	460	Process not Found
Token: SeBackupPrivilege	460	Process not Found
Token: SeRestorePrivilege	460	Process not Found
Token: SeSecurityPrivilege	460	Process not Found
Token: SeTakeOwnershipPrivilege	460	Process not Found
Token: SeBackupPrivilege	460	Process not Found
Token: SeRestorePrivilege	460	Process not Found
Token: SeSecurityPrivilege	460	Process not Found
Token: SeTakeOwnershipPrivilege	460	Process not Found
Token: SeBackupPrivilege	460	Process not Found
Token: SeRestorePrivilege	460	Process not Found
Token: SeSecurityPrivilege	460	Process not Found
Token: SeTakeOwnershipPrivilege	460	Process not Found
Token: SeBackupPrivilege	460	Process not Found
Token: SeRestorePrivilege	460	Process not Found
Token: SeSecurityPrivilege	460	Process not Found
Token: SeTakeOwnershipPrivilege	460	Process not Found
Token: SeBackupPrivilege	460	Process not Found
Token: SeRestorePrivilege	460	Process not Found
Token: SeSecurityPrivilege	460	Process not Found
Token: SeTakeOwnershipPrivilege	460	Process not Found
Token: SeDebugPrivilege	460	Process not Found
Token: SeShutdownPrivilege	1272	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1272	Process not Found
1272	Process not Found

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1272	Process not Found
1272	Process not Found

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 668	1156	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe	28
PID 1156 wrote to memory of 668	1156	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe	28
PID 1156 wrote to memory of 668	1156	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe	28
PID 1156 wrote to memory of 668	1156	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe	28
PID 1156 wrote to memory of 668	1156	739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe	28

C:\Users\Admin\AppData\Local\Temp\739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe
"C:\Users\Admin\AppData\Local\Temp\739c28b267e45fbc5a4a3ce9374978316725ef90c5d5016921e2df56c7470f15.exe"
1⤵
- Modifies security service
- Sets service image path in registry
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Deletes itself
  PID:668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Desktop\Install\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\ \...\‮ﯹ๛\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\@

Filesize
2KB

MD5
b079c583712415f3041c9d94f123cc32

SHA1
9d39018fcfd43932f7406a32e1865459ebb9946c

SHA256
3ef49f30b027b1f0d7bffa9b9936d512ef1b73c7ef048f7ea1d001b8527cb9d7

SHA512
e38939f1877959f7bc66d745e582ff1d9cfbf40d6bbc5691682e5b5ac44fb73e15793a42ad5b4bfcf8159c525b89432eb7a24fb5770654a300414a27c08a81c3

Download Submit
memory/460-59-0x0000000000030000-0x0000000000041000-memory.dmp

Filesize
68KB

Download
memory/1156-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1156-55-0x0000000001000000-0x000000000103D000-memory.dmp

Filesize
244KB

Download
memory/1156-57-0x0000000001000000-0x000000000103D000-memory.dmp

Filesize
244KB

Download
memory/1156-61-0x0000000001000000-0x000000000103D000-memory.dmp

Filesize
244KB

Download
memory/1272-58-0x00000000029B0000-0x00000000029C1000-memory.dmp

Filesize
68KB

Download