e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb

Analysis

max time kernel
139s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 09:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
Size

129KB
MD5

077d1dd4556d145108d75b08b9c5b6c4
SHA1

a7d57b234b518e44836d80bf96e424f6776dbb3c
SHA256

e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb
SHA512

7cbff5548898757f1fff506e00b8c0794ff42e10a3f78774d97f5be41b794f8f8912b2ff48cc83aadbb11e03c66ad12d39dab1eceded9b5d1df36bc7fe901272
SSDEEP

3072:+R0h/lwCrnR3HWtId+VO91I2X3ymXJ+eoYxGA/jH:i0saR3HfQVuqbmXJ+FMGAb

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 18 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts	Process not Found

Modifies security service 2 TTPs 22 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSOut	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\RPC-EPMap	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Security	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Type = "32"	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Type = "32"	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSIn	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\ErrorControl = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\DeleteFlag = "1"	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\ErrorControl = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\DeleteFlag = "1"	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\Teredo	Process not Found

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\‮etadpug\ImagePath = "\"C:\\Program Files (x86)\\Google\\Desktop\\Install\\{f545a6cb-6387-4d75-375b-4ac5befd06b3}\\ \\...\\\u202eﯹ๛\\{f545a6cb-6387-4d75-375b-4ac5befd06b3}\\GoogleUpdate.exe\" <"	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe

Deletes itself 1 IoCs

pid	Process
848	cmd.exe

Unexpected DNS network traffic destination 11 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Desktop\\Install\\{f545a6cb-6387-4d75-375b-4ac5befd06b3}\\❤≸⋙\\Ⱒ☠⍨\\\u202eﯹ๛\\{f545a6cb-6387-4d75-375b-4ac5befd06b3}\\GoogleUpdate.exe\" >"	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1408 set thread context of 848	1408	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe	26

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Desktop\Install\{f545a6cb-6387-4d75-375b-4ac5befd06b3}\ \...\‮ﯹ๛\{f545a6cb-6387-4d75-375b-4ac5befd06b3}\@\:@	Process not Found
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File created	C:\Program Files (x86)\Google\Desktop\Install\{f545a6cb-6387-4d75-375b-4ac5befd06b3}\ \...\‮ﯹ๛\{f545a6cb-6387-4d75-375b-4ac5befd06b3}\GoogleUpdate.exe	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File created	C:\Program Files (x86)\Google\Desktop\Install\{f545a6cb-6387-4d75-375b-4ac5befd06b3}\ \...\‮ﯹ๛\{f545a6cb-6387-4d75-375b-4ac5befd06b3}\@	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\en-US:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files (x86)\Google\Desktop\Install\{f545a6cb-6387-4d75-375b-4ac5befd06b3}\ \...\‮ﯹ๛\{f545a6cb-6387-4d75-375b-4ac5befd06b3}\@	Process not Found

NTFS ADS 19 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\en-US:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files (x86)\Google\Desktop\Install\{f545a6cb-6387-4d75-375b-4ac5befd06b3}\ \...\‮ﯹ๛\{f545a6cb-6387-4d75-375b-4ac5befd06b3}\@\:@	Process not Found
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1408	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
1408	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
1408	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
1408	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1408	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
1408	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeRestorePrivilege	1408	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
Token: SeDebugPrivilege	1408	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
Token: SeDebugPrivilege	1408	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
Token: SeRestorePrivilege	1408	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
Token: SeBackupPrivilege	464	Process not Found
Token: SeRestorePrivilege	464	Process not Found
Token: SeSecurityPrivilege	464	Process not Found
Token: SeTakeOwnershipPrivilege	464	Process not Found
Token: SeBackupPrivilege	464	Process not Found
Token: SeRestorePrivilege	464	Process not Found
Token: SeSecurityPrivilege	464	Process not Found
Token: SeTakeOwnershipPrivilege	464	Process not Found
Token: SeBackupPrivilege	464	Process not Found
Token: SeRestorePrivilege	464	Process not Found
Token: SeSecurityPrivilege	464	Process not Found
Token: SeTakeOwnershipPrivilege	464	Process not Found
Token: SeBackupPrivilege	464	Process not Found
Token: SeRestorePrivilege	464	Process not Found
Token: SeSecurityPrivilege	464	Process not Found
Token: SeTakeOwnershipPrivilege	464	Process not Found
Token: SeBackupPrivilege	464	Process not Found
Token: SeRestorePrivilege	464	Process not Found
Token: SeSecurityPrivilege	464	Process not Found
Token: SeTakeOwnershipPrivilege	464	Process not Found
Token: SeBackupPrivilege	464	Process not Found
Token: SeRestorePrivilege	464	Process not Found
Token: SeSecurityPrivilege	464	Process not Found
Token: SeTakeOwnershipPrivilege	464	Process not Found
Token: SeBackupPrivilege	464	Process not Found
Token: SeRestorePrivilege	464	Process not Found
Token: SeSecurityPrivilege	464	Process not Found
Token: SeTakeOwnershipPrivilege	464	Process not Found
Token: SeBackupPrivilege	464	Process not Found
Token: SeRestorePrivilege	464	Process not Found
Token: SeSecurityPrivilege	464	Process not Found
Token: SeTakeOwnershipPrivilege	464	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1272	Process not Found
1272	Process not Found

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1272	Process not Found
1272	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1408	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 848	1408	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe	26
PID 1408 wrote to memory of 848	1408	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe	26
PID 1408 wrote to memory of 848	1408	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe	26
PID 1408 wrote to memory of 848	1408	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe	26
PID 1408 wrote to memory of 848	1408	e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe	26

C:\Users\Admin\AppData\Local\Temp\e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe
"C:\Users\Admin\AppData\Local\Temp\e0aef12b5add650469602f565833f554a380ede2f1ca0e0d1f21e35d1c4384fb.exe"
1⤵
- Modifies security service
- Sets service image path in registry
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Deletes itself
  PID:848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Desktop\Install\{f545a6cb-6387-4d75-375b-4ac5befd06b3}\ \...\‮ﯹ๛\{f545a6cb-6387-4d75-375b-4ac5befd06b3}\@

Filesize
2KB

MD5
8f826c235090950baa8e873f50885fb0

SHA1
56fbe148a32ac80d653efe0d5ef8afe6ca15e388

SHA256
d0ebf488dfa13757dec67faf78f884f902f4802e11cc36490179fb19788d1b7a

SHA512
fe53a0aa3b7a99fe4369118400b1e929ac18a400c1a905fc440fea8e2fb46eebcdfeee9f446b3f6f58400e9a43911b4eb648ee623e9d198eecd07d43d1007148

Download Submit
memory/464-58-0x00000000000F0000-0x00000000000FE000-memory.dmp

Filesize
56KB

Download
memory/464-62-0x00000000000F0000-0x00000000000FE000-memory.dmp

Filesize
56KB

Download
memory/1272-57-0x0000000001DC0000-0x0000000001DCE000-memory.dmp

Filesize
56KB

Download
memory/1408-54-0x00000000750A1000-0x00000000750A3000-memory.dmp

Filesize
8KB

Download
memory/1408-55-0x0000000000240000-0x000000000025F000-memory.dmp

Filesize
124KB

Download
memory/1408-56-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1408-60-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download