502fbce583f91145b61ff34273a50b2225e477898a142d67a717c3eb8ae906bf

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2023, 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ebc9899c5607a8395ed7e5c442ef38e.exe
Size

5.5MB
MD5

0ebc9899c5607a8395ed7e5c442ef38e
SHA1

3c6ca3c4e0163010ae3f38ec49a1a5edeb39aecb
SHA256

502fbce583f91145b61ff34273a50b2225e477898a142d67a717c3eb8ae906bf
SHA512

6dbaf70dfc3c6af6a556e27fa5ef9b12a7111592ea8db5da9d93a1887b55216fab339e3301aff8ef51de953ac006fe7552ccfd7f584ae8c024dcf58c7a8eaa16
SSDEEP

6144:582p4pFHfzMepymgWPnviP6Koa0nArn20l96tCF2eKNBDRlC8HQQDhy5OwbYBflC:hp4pNfz3ymJnJ8QCFkxCaQTOlHfU86t

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	0ebc9899c5607a8395ed7e5c442ef38e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (3469) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	0ebc9899c5607a8395ed7e5c442ef38e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	0ebc9899c5607a8395ed7e5c442ef38e.exe

Executes dropped EXE 1 IoCs

pid	Process
3412	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\P:	0ebc9899c5607a8395ed7e5c442ef38e.exe
File opened (read-only)	\??\Y:	0ebc9899c5607a8395ed7e5c442ef38e.exe
File opened (read-only)	\??\Q:	0ebc9899c5607a8395ed7e5c442ef38e.exe
File opened (read-only)	\??\S:	0ebc9899c5607a8395ed7e5c442ef38e.exe
File opened (read-only)	\??\U:	0ebc9899c5607a8395ed7e5c442ef38e.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\H:	0ebc9899c5607a8395ed7e5c442ef38e.exe
File opened (read-only)	\??\K:	0ebc9899c5607a8395ed7e5c442ef38e.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\R:	0ebc9899c5607a8395ed7e5c442ef38e.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\W:	0ebc9899c5607a8395ed7e5c442ef38e.exe
File opened (read-only)	\??\X:	0ebc9899c5607a8395ed7e5c442ef38e.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\B:	0ebc9899c5607a8395ed7e5c442ef38e.exe
File opened (read-only)	\??\T:	0ebc9899c5607a8395ed7e5c442ef38e.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\J:	0ebc9899c5607a8395ed7e5c442ef38e.exe
File opened (read-only)	\??\L:	0ebc9899c5607a8395ed7e5c442ef38e.exe
File opened (read-only)	\??\O:	0ebc9899c5607a8395ed7e5c442ef38e.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\M:	0ebc9899c5607a8395ed7e5c442ef38e.exe
File opened (read-only)	\??\N:	0ebc9899c5607a8395ed7e5c442ef38e.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\G:	0ebc9899c5607a8395ed7e5c442ef38e.exe
File opened (read-only)	\??\I:	0ebc9899c5607a8395ed7e5c442ef38e.exe
File opened (read-only)	\??\V:	0ebc9899c5607a8395ed7e5c442ef38e.exe
File opened (read-only)	\??\Z:	0ebc9899c5607a8395ed7e5c442ef38e.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\A:	0ebc9899c5607a8395ed7e5c442ef38e.exe
File opened (read-only)	\??\E:	0ebc9899c5607a8395ed7e5c442ef38e.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	0ebc9899c5607a8395ed7e5c442ef38e.exe
File opened for modification	C:\AUTORUN.INF	0ebc9899c5607a8395ed7e5c442ef38e.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\FPSRVUTL.DLL.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.WindowsAzure.StorageClient.dll.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ppd.xrm-ms.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\UIAutomationClientSideProviders.resources.dll.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-heap-l1-1-0.dll.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.png.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACECORE.DLL.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\7-Zip\Lang\sk.txt.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Common Files\System\wab32.dll.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\gstreamer.md.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\PREVIEW.GIF.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ppd.xrm-ms.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART7.BDR.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\glib-lite.dll.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10_RTL.mp4.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\XML2WORD.XSL.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENES\MSB1ENES.ITS.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Core.dll.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Reflection.Emit.ILGeneration.dll.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\clretwrc.dll.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdb.exe.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Common Files\System\ado\msado27.tlb.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Security.Cryptography.dll.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL089.XML.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql2000.xsl.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_2.dll.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_d3d.dll.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\jopt-simple.md.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-pl.xrm-ms.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-locale-l1-1-0.dll.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.Serialization.Formatters.dll.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-file-l2-1-0.dll.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationFramework.AeroLite.dll.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\WindowsFormsIntegration.resources.dll.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Java\jre-1.8\bin\JAWTAccessBridge-64.dll.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-pl.xrm-ms.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Java\jdk-1.8\lib\ct.sym.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLINTL32.DLL.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\rsod\office32mui.msi.16.en-us.tree.dat.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\ssleay32.dll.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\openssl64.dlla.manifest.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.exe.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Threading.ThreadPool.dll.exe	0ebc9899c5607a8395ed7e5c442ef38e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 3412	736	0ebc9899c5607a8395ed7e5c442ef38e.exe	87
PID 736 wrote to memory of 3412	736	0ebc9899c5607a8395ed7e5c442ef38e.exe	87
PID 736 wrote to memory of 3412	736	0ebc9899c5607a8395ed7e5c442ef38e.exe	87

C:\Users\Admin\AppData\Local\Temp\0ebc9899c5607a8395ed7e5c442ef38e.exe
"C:\Users\Admin\AppData\Local\Temp\0ebc9899c5607a8395ed7e5c442ef38e.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:736
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-768304381-2824894965-3840216961-1000\desktop.ini.exe

Filesize
1.8MB

MD5
8e3a6e1006ed2e96038a14105f60c2cc

SHA1
08209dadd06b074a088f20078326be51f34bd870

SHA256
435e65cc6199d315199bfcdfebfd71c58b6d6c811390cf353595a6b6c15de33b

SHA512
3c209257480152f8abce1b1dd4e778911f9370a310fba25a14f23153c2d023f09cfbf6c701f833d2ed020e01b7496d5faf2ff2964dfd215f1ef4b889588ed864

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9dd4e4f4717767c3ad26c1130bc8491d

SHA1
2ba45c8a478dee7fe7548d7cde23edb086c340c8

SHA256
3efd3a2b42e099918686be4d1e6896b8039e7eb4391d75f6c017a9bf6161200a

SHA512
7004243bb1714ae91a636b7b764d6702a3d797e3acf39ff8f5a59dd41b7c47d700251f8a133fd18bbfa174f97c4cae08a8b3e32b4c79a6dca2fc5340f215730a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
1c61103ff16e4c3e2fb20135e8f8a80d

SHA1
61e6b9a7b83d050dc47599570379cda582d7be47

SHA256
3e1110aa640a33c417a0021ddd4f6eb9c7ee2de8f40da78eb53d608b566bd3a9

SHA512
08c867b21e02a8d47b7aed6585aea40125c8a5c51048e481403ccc62be27021eb0754406c731a5262cc719fc1f110c3a21b7fd9ebe388151c08b4eb012f062d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
6ef5cbaacfec54f9a0cb29232116dbfe

SHA1
c143240605b38a7712aec323dbda0b7e352dcc9f

SHA256
11592b2322fef0c354756dfb5a246acdaae77efd08f53dfa1ec81a351e1d8226

SHA512
8ed010f2a685f952fa9bbbcdc7ed75897c0059a4e56275fd30c109216ebbe30bc45d3a805a9524a702ed5ae6783c3bc76d0e0cbdc21d9da6be6d62074f1b2cff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
fd73ac4a192b5422fc02fec52d3e607a

SHA1
528cd2b116789c2cf402a32a052bf35ae9738bcc

SHA256
fbd3230d991809a578b11a96291bee18ca397537a844f36ecf8c0544488b3780

SHA512
b512a8c014eced109bd10f15f32d874d0430a62527f31607dea6f84dec9b18c5c392b266cc0060d4060ebb9526724055ea99fd9edd3bc61b1a74346081488f4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5b4783c0006bec5e239974447054d2a1

SHA1
279386021e9a7b1cfb188e5fe531f818c496081f

SHA256
29a27c4e6ce9a2d1cd74f46b799cad5f9250f6c6646050db3ee274b9f95fb31f

SHA512
7c975506786dd118ea84d729c106d77d63733ee9c256165e0d3a2b2f76b02f24661497e4610d7175c5ff01d6a40f9b5715e25b190bf910bfb92cff72e04687f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d02d1bcab8ed89245d08a63742c0b54f

SHA1
22c1ee762bf01302a96bedba5b312ea6f486d023

SHA256
94647a45001a4ded158628060642109b7d581921e9b7f2dd7cc8326689b5c640

SHA512
22cd5fa5792fe94a3d8524c7562de574b5e4516a61e6cf92fc93838f1a4754cb97861f8163f3e3f192ae6df99cd9d71fff69c7ebdbad6418b033f9f27872038a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
469968b9539fdeecb2d486b700d1bb2f

SHA1
1c0a758868dbf6694a1a91b0783e023fa5a014fc

SHA256
472082077efee74e76dd0f7ecf86080ca61fda5335b24acf767aa858b459c3d9

SHA512
bdc0dbeebf350e82c6192686c9b357dc2aa1d39ef4260951c10fbdee630799028f9a431e467c35d8e8246b1ea11134f7da5e152e0acd72e62a2540bf97a30962

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
98b61dc6dfa5c8e137a287660b0f0127

SHA1
600a889896a4588891b009d210e6180fd5f9ffe9

SHA256
c287937c3bdbe90ce6263be1f4be1d1d993aa458733774feccacae7af28e0871

SHA512
59e444a2fd03a2e4f43ac3034f5c02a8177d56790b4c9d7186389ec9ed173237891afa5ec6a6af8dbbdf4ab3b34c3fa23d876f9410f26e123b760da513d25237

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7cbf71fafe46cde8531e2c057cbed220

SHA1
bd6672a8a2b4883f0b44ee663af30b4bdbdca0ba

SHA256
fff7753fd223ad8503f0d4554d62bf1d0474ac9d73889bc0e220a2a5aaca99d0

SHA512
0d3cc523093db9467809a1defc1ca538abdca9f4ced3e75be4f469ade7999f0dbad0827057a5ced473ccc7e5bea8df24f552a10fece162277165655b4c94530e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
5e07bab6f9cef414bb9a254b6e9276a1

SHA1
3aca3ab1ba8edfa70dd0639c6d031d7b63df2212

SHA256
7c0e021cf93696668d263587b4c94c1ea0c3640a3ed6bc97ab2e931827827a1a

SHA512
6614300fd3a3a3783ff408f3de1a38f79cb618af3a3c9d34437b2f96e8cb9f7ac8c9ce8f1a51130e01714dd35e1fb845e7d34cc8f617468efbf601c948e065aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
73d222a2594e8aab47e86548b4407441

SHA1
67ca71484ae49d4e8a851d91bb2cbfc623c5d90f

SHA256
a256da22639d9e1665821be743c7bc18e8d39317bebad0f83e9fcf2708ab6ed4

SHA512
cd11643a217d9fd4251a4d4e516d33810bfa8a7d4ac7d3ade7a407ab83e7cca53404f71b049337ac29b99904cb7d256b172e04938b705b65d07396ae337691e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
74b9a5a5b1c033820c81be857f5504a0

SHA1
89495431812118e614775d9109b75723cd89a432

SHA256
6849e3a387df34f55bab671b68a987c4febaada6bfbc94e371d992cf51062299

SHA512
4458a03693ff74032bfc1dfccf6c8d6a822a81139e1e480ca7cac38fb0ba0223fadfd851cace36b79822845f4293e4f94925eb14e5039cb0b092d77ab2784d80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
a0781108e52e924a01f4ff9acb9f163e

SHA1
c438220d47235d127e14f8d5cfcad4fbd7a2dcdd

SHA256
c9aaa58a8e762c3fad9ac72b153d877d8eca5c4b28fe489bbba2230613622cdf

SHA512
3c1310dcdfe8e0c4144558df953f39e77b3bed39fb74578b93f588fd540f1d5fa249b21a919cc4054168de09dc4d98f9e71e93a5d216ded5113f93c3fc729762

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1a647719d2fef1c2cfd116d8da04daa1

SHA1
c3021623c337162e713285b193a70ed556ddd7c6

SHA256
b31b49ef43039b5359534091bcc500c71babee1606c2cd9ceab08934c9dd2605

SHA512
829a51254a4947c28653ce84cb8392dfa25be44b1ac259c911051dffea56eb04e7a59269b3fa8cab52d4938d98357d55e2b6011b233fc93b86c1bd586c21fd8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d8cc0bea57a7bb25e034795cd1318403

SHA1
6fcdfa6e4d36a308f58bc13ba27d31854ec9915c

SHA256
fb2f99c6269c01e8d79367864a4da92e78c0eb29fa7338e383dd4e4eba8a9449

SHA512
723e9a2c411f48c102fd0cd8f72a0029de2604853f08c3ddfe93692d9cf871dec114820535afbb3b37b8b7ddd20c11d214e160c975b69780df5c446d302b26f3

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
5.5MB

MD5
5168b8dc992e82c362d5abc7ae93b63a

SHA1
ab13c76e49b0fffa9b11a679aa62e45e708a34aa

SHA256
5164bea45c53486c10658bc4d7a8e29c9f2db2a7d9f52261153147fc9a2dfa18

SHA512
bd01bdc1e4e83740e275664bce438d1493e4c852ab25cb0a99e3c399e12bc7146c549c81def59bc1fd0ab78e9ac38aebb31424efc55a8c470f1b4873389ca630

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-768304381-2824894965-3840216961-1000\desktop.ini.exe

Filesize
2.5MB

MD5
fef0281786437486fdd9f11601392c5f

SHA1
5d0fa148a101aadb45ccd61c6bf7e2c34e27b4fd

SHA256
59265a3596dc9f3272e6838d5cec6b73b4a6b4e49808735dbb88561b5223203b

SHA512
acc916d4d94027aefb3bbcea669f200a5a2fe0099b544297e7e6d1d845f91ff3b5f6326a24177e394e4161c8d1873e658eb38d0fe7db71c6b4997bfdc0d095ff

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
1.5MB

MD5
8b65608b0e26adb646527d99194d5102

SHA1
2be61ca013c21f80c412c33d711cec02f2a16356

SHA256
96416dd1a806f11fd0daf3f15352c80ac50ff696abead6b1dcc1ed35f952452d

SHA512
21750b55df6fce0db8861cd81a1980023f589f7e72fb9caa47d5c75a72ceb39995e0983ff8f6e449708b4c142205832f7296bb43edf28fa007454118f20a8644

Download Submit
memory/736-0-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/736-3129-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/3412-5-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads