b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f

Analysis

max time kernel
167s
max time network
222s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
Size

163KB
MD5

32a678bbd6eedab3232e50a3378e0391
SHA1

2dda667fb3de88dad5ab2609dcf55ea1504726d2
SHA256

b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f
SHA512

0a52904d696283aead58fa0c66286a2acae7765b7072438f592bb3b6eabb106570cc36379fde6ecdbe8118f25afdab764fbc35897f2b056d1a748d78d8d70296
SSDEEP

3072:3m4azbjjC9C+q+bAgFwIpOLKOAwWxWK7xYOOQbHoPl8qBYQVl7Bp:3mp+q+bAgFwt/5+WiYOOQbIiqCQV

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 18 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	Process not Found

Modifies security service 2 TTPs 22 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Type = "32"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSIn	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\RPC-EPMap	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\Teredo	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\ErrorControl = "0"	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Security	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\DeleteFlag = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Type = "32"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\ErrorControl = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\DeleteFlag = "1"	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\IPTLSOut	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords	Process not Found
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\‮etadpug\ImagePath = "\"C:\\Program Files (x86)\\Google\\Desktop\\Install\\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\\ \\...\\\u202eﯹ๛\\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\\GoogleUpdate.exe\" <"	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe

Deletes itself 1 IoCs

pid	Process
784	cmd.exe

Unexpected DNS network traffic destination 11 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Update = "\"C:\\Users\\Admin\\AppData\\Local\\Google\\Desktop\\Install\\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\\❤≸⋙\\Ⱒ☠⍨\\\u202eﯹ๛\\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\\GoogleUpdate.exe\" >"	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 560 set thread context of 784	560	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe	28

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File created	C:\Program Files (x86)\Google\Desktop\Install\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\ \...\‮ﯹ๛\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\GoogleUpdate.exe	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\en-US:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File created	C:\Program Files (x86)\Google\Desktop\Install\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\ \...\‮ﯹ๛\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\@	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files (x86)\Google\Desktop\Install\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\ \...\‮ﯹ๛\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\@	Process not Found
File opened for modification	C:\Program Files (x86)\Google\Desktop\Install\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\ \...\‮ﯹ๛\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\@\:@	Process not Found
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe

NTFS ADS 19 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\en-US:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
File opened for modification	C:\Program Files (x86)\Google\Desktop\Install\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\ \...\‮ﯹ๛\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\@\:@	Process not Found
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
560	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
560	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
560	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
560	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1284	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
560	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
560	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeRestorePrivilege	560	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
Token: SeDebugPrivilege	560	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
Token: SeDebugPrivilege	560	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
Token: SeRestorePrivilege	560	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
Token: SeBackupPrivilege	464	Process not Found
Token: SeRestorePrivilege	464	Process not Found
Token: SeSecurityPrivilege	464	Process not Found
Token: SeTakeOwnershipPrivilege	464	Process not Found
Token: SeBackupPrivilege	464	Process not Found
Token: SeRestorePrivilege	464	Process not Found
Token: SeSecurityPrivilege	464	Process not Found
Token: SeTakeOwnershipPrivilege	464	Process not Found
Token: SeBackupPrivilege	464	Process not Found
Token: SeRestorePrivilege	464	Process not Found
Token: SeSecurityPrivilege	464	Process not Found
Token: SeTakeOwnershipPrivilege	464	Process not Found
Token: SeBackupPrivilege	464	Process not Found
Token: SeRestorePrivilege	464	Process not Found
Token: SeSecurityPrivilege	464	Process not Found
Token: SeTakeOwnershipPrivilege	464	Process not Found
Token: SeBackupPrivilege	464	Process not Found
Token: SeRestorePrivilege	464	Process not Found
Token: SeSecurityPrivilege	464	Process not Found
Token: SeTakeOwnershipPrivilege	464	Process not Found
Token: SeBackupPrivilege	464	Process not Found
Token: SeRestorePrivilege	464	Process not Found
Token: SeSecurityPrivilege	464	Process not Found
Token: SeTakeOwnershipPrivilege	464	Process not Found
Token: SeBackupPrivilege	464	Process not Found
Token: SeRestorePrivilege	464	Process not Found
Token: SeSecurityPrivilege	464	Process not Found
Token: SeTakeOwnershipPrivilege	464	Process not Found
Token: SeBackupPrivilege	464	Process not Found
Token: SeRestorePrivilege	464	Process not Found
Token: SeSecurityPrivilege	464	Process not Found
Token: SeTakeOwnershipPrivilege	464	Process not Found
Token: SeShutdownPrivilege	1284	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1284	Process not Found
1284	Process not Found

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1284	Process not Found
1284	Process not Found

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 784	560	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe	28
PID 560 wrote to memory of 784	560	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe	28
PID 560 wrote to memory of 784	560	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe	28
PID 560 wrote to memory of 784	560	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe	28
PID 560 wrote to memory of 784	560	b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe	28

C:\Users\Admin\AppData\Local\Temp\b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe
"C:\Users\Admin\AppData\Local\Temp\b5476ccbfe4347afa745481b7577b056e34891c01760fc6d378f696f4e87e11f.exe"
1⤵
- Modifies security service
- Sets service image path in registry
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:560
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Deletes itself
  PID:784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Desktop\Install\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\ \...\‮ﯹ๛\{f6ae883d-87b2-8e92-33b2-e7745dda3830}\@

Filesize
2KB

MD5
2f1dba12ee42f91b884c485b01f3a6a4

SHA1
96cd2e7e299f3c430884535cafb1e7d715c77c49

SHA256
faebf1e6356d9db5be4d81dcb6cd0d3b723f0f9ba3136469eace396cf88b8286

SHA512
21c1969a513bf09bb2476e1449e2bd8243602b8cd32f054c82accf876bd41a1cd6d4383f03e41824d9ac8298f59caf0814d71aeb8f42ea40a2f2c4e3a29b3ea1

Download Submit
memory/464-58-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/560-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/560-55-0x0000000000290000-0x00000000002AA000-memory.dmp

Filesize
104KB

Download
memory/560-56-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/560-59-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/560-61-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1284-57-0x0000000002A70000-0x0000000002A7C000-memory.dmp

Filesize
48KB

Download