d7b1bfbe9ec9e5b7907d9bb193e777d180a9007ea369c9a287a18f486707fbaa

Analysis

max time kernel
137s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

032dea2d1b675752515ca40898f051d2.exe
Size

880KB
MD5

032dea2d1b675752515ca40898f051d2
SHA1

9c6a22799cb1c07f28095d314b4aed0d532846f0
SHA256

d7b1bfbe9ec9e5b7907d9bb193e777d180a9007ea369c9a287a18f486707fbaa
SHA512

e5833389342bf4d7bf2ee7a17e14407ab9f5e796e181823dc71e54ce17819b94c8c16d5d66944a04df6291f8d3705179e40b87203ead79327185eff72e7578a9
SSDEEP

12288:Cp4pNfz3ymJnJ8QCFkxCaQTOl2QU8E4vbAfxu/F0ShFgFDTf2:8Etl9mRda1hc4kfxueSG2

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	032dea2d1b675752515ca40898f051d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (1303) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	032dea2d1b675752515ca40898f051d2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	032dea2d1b675752515ca40898f051d2.exe

Executes dropped EXE 1 IoCs

pid	Process
1048	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\A:	032dea2d1b675752515ca40898f051d2.exe
File opened (read-only)	\??\K:	032dea2d1b675752515ca40898f051d2.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\S:	032dea2d1b675752515ca40898f051d2.exe
File opened (read-only)	\??\U:	032dea2d1b675752515ca40898f051d2.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\B:	032dea2d1b675752515ca40898f051d2.exe
File opened (read-only)	\??\E:	032dea2d1b675752515ca40898f051d2.exe
File opened (read-only)	\??\L:	032dea2d1b675752515ca40898f051d2.exe
File opened (read-only)	\??\M:	032dea2d1b675752515ca40898f051d2.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\J:	032dea2d1b675752515ca40898f051d2.exe
File opened (read-only)	\??\V:	032dea2d1b675752515ca40898f051d2.exe
File opened (read-only)	\??\W:	032dea2d1b675752515ca40898f051d2.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\R:	032dea2d1b675752515ca40898f051d2.exe
File opened (read-only)	\??\X:	032dea2d1b675752515ca40898f051d2.exe
File opened (read-only)	\??\Z:	032dea2d1b675752515ca40898f051d2.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\G:	032dea2d1b675752515ca40898f051d2.exe
File opened (read-only)	\??\Q:	032dea2d1b675752515ca40898f051d2.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\T:	032dea2d1b675752515ca40898f051d2.exe
File opened (read-only)	\??\Y:	032dea2d1b675752515ca40898f051d2.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\I:	032dea2d1b675752515ca40898f051d2.exe
File opened (read-only)	\??\O:	032dea2d1b675752515ca40898f051d2.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\H:	032dea2d1b675752515ca40898f051d2.exe
File opened (read-only)	\??\N:	032dea2d1b675752515ca40898f051d2.exe
File opened (read-only)	\??\P:	032dea2d1b675752515ca40898f051d2.exe
File opened (read-only)	\??\J:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	032dea2d1b675752515ca40898f051d2.exe
File opened for modification	C:\AUTORUN.INF	032dea2d1b675752515ca40898f051d2.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	032dea2d1b675752515ca40898f051d2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Diagnostics.Tools.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Runtime.Numerics.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\PresentationUI.resources.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\UIAutomationTypes.resources.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\7-Zip\Lang\ms.txt.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkDiv.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-debug-l1-1-0.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Security.Cryptography.Pkcs.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-fibers-l1-1-0.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Linq.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\PresentationUI.resources.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pt-BR\WindowsFormsIntegration.resources.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.Mail.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Reflection.Emit.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\PresentationCore.resources.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.rll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\System.Windows.Forms.Primitives.resources.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\UIAutomationClient.resources.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Text.Encoding.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\System.Windows.Input.Manipulations.resources.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\System.Windows.Forms.Design.resources.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\Common Files\System\msadc\msadco.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\UIAutomationClient.resources.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Security.Cryptography.OpenSsl.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\UIAutomationClient.resources.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\dotnet.exe.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\Microsoft.VisualBasic.Forms.resources.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\PresentationFramework.resources.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-crt-multibyte-l1-1-0.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\msquic.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\System.Windows.Forms.Design.resources.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\UIAutomationClient.resources.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\PresentationCore.resources.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Reflection.Extensions.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\System.Windows.Input.Manipulations.resources.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\UIAutomationProvider.resources.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\System.Windows.Input.Manipulations.resources.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\PresentationFramework.Aero2.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\ReachFramework.resources.dll.exe	032dea2d1b675752515ca40898f051d2.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.exe	032dea2d1b675752515ca40898f051d2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 1048	1052	032dea2d1b675752515ca40898f051d2.exe	31
PID 1052 wrote to memory of 1048	1052	032dea2d1b675752515ca40898f051d2.exe	31
PID 1052 wrote to memory of 1048	1052	032dea2d1b675752515ca40898f051d2.exe	31

C:\Users\Admin\AppData\Local\Temp\032dea2d1b675752515ca40898f051d2.exe
"C:\Users\Admin\AppData\Local\Temp\032dea2d1b675752515ca40898f051d2.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1815711207-1844170477-3539718864-1000\desktop.ini.exe

Filesize
84KB

MD5
2031268883692b165bb763ef373963cf

SHA1
cd1182918ca588b0ab96b628be72486fe0c44a2e

SHA256
e78d911833369946e3cbe2708047e65d5bf206309645de9c234085559f0eb33e

SHA512
0e4bf9ad37fb9a36ef20270ed1b99ec510c5423cf2d26e2797d907fb7ea3d06f903367b8a279d40386af716a84d6a1a4fcfeb001719a9b3c28f24deab41df07f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c610c43d131b979449c72d9b5cadac8

SHA1
4c3152add897d3a58069651edaa5008e4768c51b

SHA256
bc3c01c30ab550225edbf516f4ca85f41d3960d2952160c40468e7e6e8d0fc76

SHA512
7ebae88e7414bd2f99875f13837d16cadd8b7c25b01274ea9ac942e28cc7f877dd7fb101115ddc1feedaacb991c7cabe605fbe04f35a559f8cbd79e9e1f8c124

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
72de7e3a6c8b715dca8535f4e34feca6

SHA1
84e35976d55c16a10bfc57a3d6be3e12db5a4e1b

SHA256
38757c292ca7c3f67a7f8b3dc66ab07c99b894e2ddcc53b5ab6c0fb887e29e4c

SHA512
6b896ce905b96aa12dec3e898be05c968d21e13a62f6bd78573dfcc3ca010ef2c6e5d3e385587262012a5845b84e637f1b4804c82d5c1ad168c9dd8fa07515f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c636e97ef0422d2554178a69e6facaef

SHA1
a2f13e3f21c35ed6003d4b89e8da604863dd7b2d

SHA256
0b2edf0485123506c435bf3bd84efb1e903358a5bb606971c8f8ca25cdd73496

SHA512
ba91ee6676ee216079b1b657bb4c887c4e886c9ca610edb223f66a666226a9f52801c999d459d6a47e9d74026d9459084c4283bede449c55511bc29bcf02f851

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
d56439cb8c9824e8e76441bf89614b57

SHA1
d395976a3423a40abbccaa6dc7cbf490d4b0a62e

SHA256
a32472f30974679a742b02353b1967761e5ddd8d42017e39167e5b8c8b780b1f

SHA512
460e3db7e77a8d286945689b8486fa5d86c2f61ffe3f046834111b3b923ae7e2e41363179f2702e29cdc2726c701032633e65ca3792b1be0ff975d3e380ab83d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3cd6fc5e9a4db03831c9787710c670f8

SHA1
4a9e416578bc74af67ac77255aae593fc0daf473

SHA256
538ae2239875bdb79011d5c3bbbf64f43ac7cc5f264cb4e833466d64e8710eac

SHA512
2f40f9f0c9157ce5b8f489044208c69dfc8fba1adf2e6938f556773b9506cafaf2824133b7c45506eeb679abcb109ad2f31464a5236b17f80b670ebb2d1b5790

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
5f665af0a4ad5187e52fa890b07fd2bc

SHA1
03f9948090842595597a823880654dc6d199e064

SHA256
15d0b1f84cd9764b6ee834fd29c7a09ae3a0cbb7f843d00b27a73214032f9c4f

SHA512
1fab30a86f97dcc2d606c7fa2967e032fff59c09ebe40327c45e7b4596da49ec6a561953a0924a86312b1833eb22a84025638f5447adb72254d17bc3fe609e1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b9893e23628b2c3c8d63bda1fba9f7ef

SHA1
8a0e7bd36309f5bcecfb80b430a6462e5c0362ab

SHA256
86768b26e70965a206844da6a6b7427169ecdb57eb928133a2675c4cbd9d4f50

SHA512
25e06e10f71f5de14c3e4f7ab23ec6848184bd836817163db771c1b80148ee69c19b517e6777083d514ac994be046f2341608d5571f05047a147d51518194bd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
d593ac13b7e8540e938237749c7438ee

SHA1
114b9922727f5918cadbe0ba4dd49a7a90ed423d

SHA256
66fbce8b8cc37ee4cb3bfcf93c740e2cf5c23e90c04fcbbcffd59970710ee634

SHA512
c23312ca4e56b8dee9ee02df6028ea91182de89eb5225da83b9547bd7926f4a42501f6f3d6e03ed3165c167bf6e8bae5256c1186e67d14acdd78f8dc52319fdc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4313c680daf3cde2eb57d31a6e630394

SHA1
1bb1529170f1edfe5127ff27cdd79ba744dd8d6b

SHA256
ae33a54399b0b17f00c01a5203e95a03984310e7766814cff1ad2379462f96cd

SHA512
a571f7007cbb93dd0d5d262d94f4f88bf6a691bafffc47472564bf325589dcc4eb9519bd83f0325ea0643484ac4989605f8f85cdce5b72fe0d04edbcdea5fb05

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
c9bc07124738e53c58e9a072f4381624

SHA1
c3a308f5dcc88272924b54f7b5cb998c2f2db6e1

SHA256
b250e670e57fad92db8c32b9c2f4d7aed9f5b5a07e7ca9de2a29e9a1e03dd520

SHA512
9532b6dcbe6096e8e1b4211d8665419fab31bd79c3d777722112632c294eea977949a2785d650ac5f5e3c04661640d4d8ba3858a84ebe70ada08b2ba97d8d6e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
af56ab15522b9817998f73bad6472c2c

SHA1
3c1ff1cfbbb579cabca2c9bb20669b6a83ecf30d

SHA256
9ac2a3d08868cb4ff22258dfbea896fc5d5c0148fe7d788cf3d31a782ea10c38

SHA512
68c631a2ff43a8d3546ae59624cdd740a83fa0ed1695fe290eeb5f4ca7f5d712a81bddc7b1bf8c90627e8f309b5114dc5c4daa51fa6c66100a742122853b56e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
dd4970053fa94bd153cafd7fff3eb173

SHA1
64d08e492710fefb6550c579191e21571ec399ca

SHA256
383de47d57480d02b786090795eac365e40760406538c9cd5b70b75fe9e44be2

SHA512
2dadd2fa4fcac5b29eb6f7be0eeed94d43c4f376d494cffdd115e2998189239a7d5e55df24851fe824bb4aaf7839e8f12d5b141299da264a949f2d74215b37be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
7d9d7ef37aa7335a5e146dfa7ddda01e

SHA1
897c0adf19dcd70b0561516cdf149a3980e41ffc

SHA256
d1a60fc688cc0c25afb60c0cc9d38e6c014bbd67ab963788cdb5263e36bf75d9

SHA512
1beca713ffecbedc68ca4fa5db13c8c2ea41623eb994274f5d1c1875973e71b7dc0510e98edca6cf12cd0cbc59d1e548eb38ba13a09dfdf5052ee8c02a3bdf2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
17ff7c44f77ccb27d369dc39ac2718a9

SHA1
711ed177d52daf31b173b4aac7a29184655bc837

SHA256
b342c1006751090cd8eb54d9735be0a5b13ea05a9d3b385ed4a6839766af5898

SHA512
635f4552e35592c822e21a343a6d49148c739410089eb1cc4f3ed1621af51c41f5568b9329a8e93dc0620f33322956cde0a3b87a47d9a668c236de348fc12e78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d0c2d0e058637dc86a53a16a7d47e880

SHA1
7c5506074f70b4895101eef96961c2e4632b0612

SHA256
91f888320f2b741aaba4b31e7c6453d6494f2b81d34014714d48253b521f1b0a

SHA512
5c357f0134650901af7af4de801f7bf8eb6507700ca06c726020624ff4a45f37ec9bbfcf9b4eca7ba699d66b8a3bb1580b157442a117612895324d27a1084def

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
d2acf63faf2b3efc8147433e2e62f2da

SHA1
510c26006df09fc22fb129d9dadb63303d65be44

SHA256
56ddc8114be9b9fd1703820415142a26ed7bb444b8df3ef9562841216c3ec023

SHA512
8478e81be501b6c5e1e085e3d4cdf8c97a885bdfa18b6908ff257d675081967c7c046fbe253ecda680db29b3e7572928c55a0be47b60636d3bbdcd76ac246e73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
da790ec84cf766b20817dc621d433830

SHA1
a5f824ca4f0f62f41bbf3c37401e481dd098b07d

SHA256
56d6145d7f16f7ef7861fad65558b3916bf63a3c1141d1d95680b1467e609451

SHA512
f4ce95ff5323514319b2e51903ec76583ca7d08361ca68ca67cd15c578204879ba8074793be4a3cb6659ed30fe77d2562e9e79bc0b9da8af84dc45224b101645

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
387716fd7077c256a967dad7f0ef0b36

SHA1
898edcc59979241e1b61ff0f2179467c61ff6774

SHA256
6388b84269a091134e5891e9abb1e6a0cde72c4d11af062638745a5dbe956113

SHA512
d2192338998fa7d385710bb0614b4493aff632eac62095ead20966c8be7c2d2fc945b47757519cb7aa4b872e3f4b43a117d8b048b2917d3adedac0bb005ebe09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a49c54d7bf2d4146cf5de9883663ae99

SHA1
0e101339ce919b2d37cace9da601806f80b9deaa

SHA256
555b3448e4861354d763e6bb41c9c5b203c26d03ef2856ab6eb771a3b1e0e659

SHA512
e36b4cc2e17c150939fa8bc74bfe83943c2502565b4c81b06c039b61a8a86c8eec61e21e372a9b510e206cac83f524917fe2b9817765ae9566f041f15d05514a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
3636f0225e72d0f0b2df8d3bd3602dfb

SHA1
c397c5d1ba0c57d093856708e853c6f47b3d7a4e

SHA256
e80274a1f74b4d0965344d68fa942804a34d4c52a721c45f64f85ae35f9ab4cc

SHA512
9462a35db09baa1ad3a9091a36232f0fdff1fd2bf95d0039abb7384780b85bf365b5a90ed09c2c6f99d152bafe17c175b3e4bf1b315c84254a600c25e88d2125

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9ed5083bedaa16ca8a19a1d1f6cfc384

SHA1
595a4b3088e5ddb3c968de9c7ec39f93faeaa24d

SHA256
8833acee381326a1a4bae6dccc223f16e88e55896d7654eeb2a2107fbf88b4aa

SHA512
d5ca26d72f406ab97037e6cdbec92f556433da9be989a450947bd613c2df67d58385393ac28fc0685ebb64be6b144db4019e1310ab87dd72c53d94337d24c6aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
f2bb1fd22b5864651dd2279f94c6c935

SHA1
a2c55bc6d1df2afc0348c88ae7045355d1bdca3a

SHA256
919b1c60538f3045876f1863e3d1cb8d66df5cc88cdeb24fd6ab63b2a0d98b8a

SHA512
0cd465f4c2dc068ed6c92b15cd91b88131d71185a46c7c194d13a0851d9d360c6f0c162ed69ec069190cfc2fd6bec644dff75759c967d919d0149c71b3e6a4f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
3820cb6146f8b5d7c3096445e998f3d3

SHA1
8949b538a55feba21dd93dab7c7f134ce9cfb545

SHA256
6c6474d95883c6d2f759ce7cec3b4f29b5bd3b8f12a9ef240b0d1b229d786be7

SHA512
e76db11a2713c5d430141e21f583fbc8f851afd2d6d30c17a2c38963e59dd4007d4f7a24245c16cc4bfcaf28e3cd3f161649fa9b1d7066d79f19994bbb0623e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e7cf8f0cd905b2ac891d5520b7142946

SHA1
81fd0e5b100fcc2c1972cb38b9c5a6a895503415

SHA256
440d51220278dd9dda6d4f1b9c5dd84ca25369870b9707349bac962341549f2c

SHA512
663e55355c4c8eab72911daed4df4689d840f56e90565c0e784217d1fd81f8a2e74a6d2232f99b720a627b52481247788466b44dbd9f349d6ff84d580b8d30e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
8d450e2dd373a6af09ac2591c81fe4f1

SHA1
1699a051e8526d068873a4147fe8b0ed1b38e78a

SHA256
b4c6517985f3a59e098ebc6abdf11d0581a3a8d42f336ffae94e8fda70504642

SHA512
05ff8ae22ed90a31479f53132e2aa71c43a6e21f9ca564b52f6b14ada60d0f3bb4bcb799175f23cd5238da8d302b7c59994d9a8731fd837165537b8e3781a1b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b24c917d6dc5b4aa8f9eacfa8362643e

SHA1
b6614e3e764f2c454a315bb7fde7182b046b9ffe

SHA256
828b5d6e46c7239a773ebcd32b2fe6718cb1fcce8dd121421e6d168e47a86343

SHA512
3c3d46e8d65078fc4408197f203a993be1b531850714419e18d68096b0aad91e135e25b151d171dc93cafd4a04fe38bfde9e1ecd837b614a64475094d055c745

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
ef89c3f8c5bb1ffb857428bcb858b6a2

SHA1
6c356447c73baf6868fb6926a5ca2b5238b5d587

SHA256
24510971499696ef94f49058fcee553effd6d1320b31bb8f9c71d7184cdcf93d

SHA512
1e68fbcafa174babd749b1f4ac82e8e5dbb8e2566f2f8bd19b278f4e9bb2f572f044ac9af9520c175eb8599a2d258398e8d46dd47863e8e9827976cdc7d32170

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
0e1420a405d74881b9e05ecd9734421e

SHA1
4f93bdddaf6076762d649fcadecdacec52e36eb0

SHA256
fe28bac9934eac4e25ec7e6cfbf64bd1abc7905be11544923f62f57df95d23fe

SHA512
1820467ac175b644c079c121bcd338ade1f876840ad96193d22502ce05e5511c5173774984fff7e53a95d3cb54333bad4d601e44b096789d4e54133b35f8c375

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
b05c989d76862b06afbeace09066b39f

SHA1
5b109b9cc122a8002ed4b73b6f0127769d3f516e

SHA256
3f43ed953df8056461514d61308ae37b9863c88371f6aeeda40e6c06e2875769

SHA512
a2f14eeefbbd43cd43286542d595a0f5a864b1570e2dba2957fa6b3ceabbaed6e51dbbe854f3549fe60967afe59ab537ee838df7929bb2315b19dc57f6a2e429

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
72KB

MD5
71df2653737c8b50407ab0149d3fb450

SHA1
83f85e20fd74ce462cdc65c727ee8964659b5a15

SHA256
39f376be212a9801a6519fa63e519c6250d2b3d9d48b448543e93148ced62b1c

SHA512
4fdea1811c1359b19277c23d586543b902be088c8703bb58a1e03572fb407da337a6a0467088a7a158729dce26c8306182d40ff00040fdd5a641834ade14b9e4

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
46KB

MD5
b790d58ae16203ecf8659bfffd420e3f

SHA1
2c2985bdf0b17abfee2cf9fe4b8255ffac76f0af

SHA256
02bc3f6fa26f4933f46c30ef1fe88e753bbe466f6fdd772a6205f34ec18da385

SHA512
ef26a4996a1e9c0bd59c2624f89f1cf4851e7ae55743655c6e8430d974a045e99c34124d140a517a3c4841e689b29cd5058b4d28a1746505d36def41dd8d17e8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1815711207-1844170477-3539718864-1000\desktop.ini.exe

Filesize
68KB

MD5
b78fee03d5470a3bce925cb7c697f649

SHA1
d8674989fc05e4537586dad695d0c7ca908eb297

SHA256
e306d89201fee72c64840cbd4809c8efa382ac189f1f275799a242353557b2b4

SHA512
92460e11c5488620f2d4b86b3af16edae8f2e7d8918c5c30ea08514c1ef585dc39fc68f26f3245e50b40f65cc90d000237bbd98a03881a87c041af28b8ce0f34

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
39KB

MD5
6c16f3c5f89ac68eb9a69dc9a22ecff8

SHA1
398f301a7af4bcac7cdaa1d63c1a74f005a38bf9

SHA256
10267e662f1c51d0e7f54c6001beb4a5c386ffaa200c16868f9e1144650ced57

SHA512
129da6b6408ebbf4818e6ce0dadc20c8e04d324229d8fbb91bb1a6df71a2f9f746ae307e59dfa414054a744989fa85a20c59f8fee670b5d5a5e508d6be77f405

Download Submit
memory/1048-5-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1052-346-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1052-0-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads