Analysis
- max time kernel: 150s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
- submitted: 23-05-2024 01:24
Static task: static1
Behavioral task: behavioral1
Sample: e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe
Resource: win7-20240508-en
General
- Target: e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe
- Size: 4.6MB
- MD5: 9af5d90da7497bd4b24dce6e9d8c1d0f
- SHA1: 90e2af60443ca536a1bd8e71d2abde5be8ed3fb4
- SHA256: e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72
- SHA512: a59daa791d610a8650045227262c51ec24300d2dba9a75f4fc47c318a18b220e862c1defb502ae457f6c191b68b51572b4069e867f8c0f8d3622240e4bda7c34
- SSDEEP: 98304:byENIIut+hl5pU9HLOaFAIH3TcLWGO7d09GZkrCRfR:mEN2tm5pOuU3TcLWGO7djZkrC5R
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
4464  Logo1_.exe
2884  e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe
1628  e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe
-
Processes:
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
process: e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description              ioc     process
File opened (read-only)  \??\Z:  Logo1_.exe
File opened (read-only)  \??\X:  Logo1_.exe
File opened (read-only)  \??\W:  Logo1_.exe
File opened (read-only)  \??\L:  Logo1_.exe
File opened (read-only)  \??\H:  Logo1_.exe
File opened (read-only)  \??\E:  Logo1_.exe
File opened (read-only)  \??\O:  Logo1_.exe
File opened (read-only)  \??\N:  Logo1_.exe
File opened (read-only)  \??\K:  Logo1_.exe
File opened (read-only)  \??\J:  Logo1_.exe
File opened (read-only)  \??\G:  Logo1_.exe
File opened (read-only)  \??\V:  Logo1_.exe
File opened (read-only)  \??\U:  Logo1_.exe
File opened (read-only)  \??\R:  Logo1_.exe
File opened (read-only)  \??\Q:  Logo1_.exe
File opened (read-only)  \??\M:  Logo1_.exe
File opened (read-only)  \??\I:  Logo1_.exe
File opened (read-only)  \??\Y:  Logo1_.exe
File opened (read-only)  \??\T:  Logo1_.exe
File opened (read-only)  \??\S:  Logo1_.exe
File opened (read-only)  \??\P:  Logo1_.exe
-
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
Processes:
description                   ioc                      process
File created                  C:\Windows\Logo1_.exe    e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe
File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
File created                  C:\Windows\vDll.dll      Logo1_.exe
File created                  C:\Windows\rundl132.exe  e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
pid   process
4464  Logo1_.exe
4464  Logo1_.exe
4464  Logo1_.exe
4464  Logo1_.exe
4464  Logo1_.exe
4464  Logo1_.exe
4464  Logo1_.exe
4464  Logo1_.exe
4464  Logo1_.exe
4464  Logo1_.exe
4464  Logo1_.exe
4464  Logo1_.exe
2884  e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe
2884  e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe
2884  e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe
2884  e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe
4464  Logo1_.exe
4464  Logo1_.exe
4464  Logo1_.exe
4464  Logo1_.exe
4464  Logo1_.exe
4464  Logo1_.exe
4464  Logo1_.exe
4464  Logo1_.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
description                       pid   process  target process
PID 1360 wrote to memory of 2664  1360  e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe  cmd.exe
PID 1360 wrote to memory of 2664  1360  e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe  cmd.exe
PID 1360 wrote to memory of 2664  1360  e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe  cmd.exe
PID 1360 wrote to memory of 4464  1360  e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe  Logo1_.exe
PID 1360 wrote to memory of 4464  1360  e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe  Logo1_.exe
PID 1360 wrote to memory of 4464  1360  e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe  Logo1_.exe
PID 4464 wrote to memory of 3972  4464  Logo1_.exe  net.exe
PID 4464 wrote to memory of 3972  4464  Logo1_.exe  net.exe
PID 4464 wrote to memory of 3972  4464  Logo1_.exe  net.exe
PID 3972 wrote to memory of 376   3972  net.exe  net1.exe
PID 3972 wrote to memory of 376   3972  net.exe  net1.exe
PID 3972 wrote to memory of 376   3972  net.exe  net1.exe
PID 2664 wrote to memory of 2884  2664  cmd.exe  e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe
PID 2664 wrote to memory of 2884  2664  cmd.exe  e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe
PID 2664 wrote to memory of 2884  2664  cmd.exe  e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe
PID 2884 wrote to memory of 1628  2884  e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe  e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe
PID 2884 wrote to memory of 1628  2884  e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe  e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe
PID 2884 wrote to memory of 1628  2884  e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe  e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe
PID 4464 wrote to memory of 3448  4464  Logo1_.exe  Explorer.EXE
PID 4464 wrote to memory of 3448  4464  Logo1_.exe  Explorer.EXE
Processes
Image: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
Depth: 1
PID: 3448

  Image: C:\Users\Admin\AppData\Local\Temp\e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe"
  Depth: 2
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 1360

    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5062.bat
    Depth: 3
    - Suspicious use of WriteProcessMemory
    PID: 2664

      Image: C:\Users\Admin\AppData\Local\Temp\e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe"
      Depth: 4
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2884

        Image: C:\Users\Admin\AppData\Local\Temp\e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\e1008ff4bc191d9e4ef446ebd3c066a7e01623580829e07716c13799c0688f72.exe --crash-handler --database=C:\Users\Admin\AppData\Local\Google\GoogleUpdater\126.0.6462.0\Crashpad --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=126.0.6462.0 --attachment=C:\Users\Admin\AppData\Local\Google\GoogleUpdater\updater.log --initial-client-data=0x280,0x284,0x288,0x25c,0x28c,0xa9965c,0xa99668,0xa99674
        Depth: 5
        - Executes dropped EXE
        PID: 1628

    Image: C:\Windows\Logo1_.exe
    Command line: C:\Windows\Logo1_.exe
    Depth: 3
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 4464

      Image: C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      Depth: 4
      - Suspicious use of WriteProcessMemory
      PID: 3972

        Image: C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        Depth: 5
        PID: 376
Network
MITRE ATT&CK Enterprise v15
Downloads