2e865b614c74214691ed21ac380db63c7bbaa4380bc2681a4e531fbb360f7d1f

Analysis

max time kernel
186s
max time network
198s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d3df37aa8a77c5d709214548a8754a6.exe
Size

2.6MB
MD5

0d3df37aa8a77c5d709214548a8754a6
SHA1

8a59fd156e89136c8e4ccb9d47d6681767415306
SHA256

2e865b614c74214691ed21ac380db63c7bbaa4380bc2681a4e531fbb360f7d1f
SHA512

ed4039bdcd9c066a4c79181a592ce58ab98d8e41cf9634bae0131fa7eb1feae41a427f67f7d40734498976cdaa17ff3660ff275f65a20d00da9559074d3fa699
SSDEEP

24576:zMMpXS0hN0V0HDIH/SGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63x:gwi0L0qK6l

Score

10^/10

aspackv2 persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	0d3df37aa8a77c5d709214548a8754a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (214) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000500000001e715-4.dat	aspack_v212_v242
behavioral2/files/0x000100000000002c-17.dat	aspack_v212_v242
behavioral2/files/0x000200000001e7e1-35.dat	aspack_v212_v242

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	0d3df37aa8a77c5d709214548a8754a6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
2680	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\X:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\N:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\B:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\I:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\A:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\G:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\V:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\Z:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\L:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\R:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\T:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\W:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\M:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\E:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\H:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\J:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\K:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\S:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\O:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\U:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\Y:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\P:	0d3df37aa8a77c5d709214548a8754a6.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	0d3df37aa8a77c5d709214548a8754a6.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	0d3df37aa8a77c5d709214548a8754a6.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\br.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\tk.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\mn.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\License.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\7zG.exe.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\7-zip.chm.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2680	3004	0d3df37aa8a77c5d709214548a8754a6.exe	90
PID 3004 wrote to memory of 2680	3004	0d3df37aa8a77c5d709214548a8754a6.exe	90
PID 3004 wrote to memory of 2680	3004	0d3df37aa8a77c5d709214548a8754a6.exe	90

C:\Users\Admin\AppData\Local\Temp\0d3df37aa8a77c5d709214548a8754a6.exe
"C:\Users\Admin\AppData\Local\Temp\0d3df37aa8a77c5d709214548a8754a6.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3073191680-435865314-2862784915-1000\desktop.ini.exe

Filesize
609KB

MD5
33412c2bc437c4e484eb45cc01c7614e

SHA1
09425381d0e356c8ac411273d8c1731a058c1135

SHA256
55364df865d6972b162083c4ede3d1d613615a0599419f7ee7275c3b911827c2

SHA512
616db48f3d03f82d7d4a9585d229e701f9b78ddb4fbe330a448bca40daa551220b4de657421085fc55102c01e297196d267bbff23d11959be24164131e8988e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
372adc8373671a4e41dba3fcbf6c7fe6

SHA1
2720c016782bf1dc732a995dbb018be870a77e94

SHA256
08f171496d4b54ce3096c6c5048718367a4d63bb485744860c9fb07136b6e07f

SHA512
4cce31bb11037ecd0f85c9405befae7fed59890f8953bd7f6cfea14a5509de5fa077290b068f53ed95d617a92ee8b86623b06567f46464bd6f1faa23bf2b3867

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
f7acca4491dc356ba848b697c0b24821

SHA1
1f0cdd3864814a44143ad7fda60c034b40b45529

SHA256
903f672105ede75b92c8e896edd19edb3757157976a23f0ffe4ab9d09a161ea9

SHA512
9aeba0a04e71e58fc344e962de35e3fcc028ff30846f3b91c80127459c4eb18e90f7bfe99c1f8eb2ddb378c83ea46ea04b0efaa1f85de830c0d0926d2d886f75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fcd6ba38b6964679f785d19cde042faf

SHA1
baf5993ae8ca3e0d4fa37681127b2db58dda70e6

SHA256
94eb6393622ab9bb8caf1c67ad7030586662a2ed88b921d1a83935d484961b50

SHA512
ce33f7824d0d976904c6073b4a1859513723cca1190a1fb03baee2824dafe91b8c8e30ef3f65d97ed191937115576ab34a4c0714625492b4404f5aba784a2651

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
65647eb850fdfdca37e472df73a00eeb

SHA1
2063fcdfdbb9c44ac30026c8b41bbf09cb2b035b

SHA256
25ebe2ae99e21745b079e502ed8b499985997212e46f728055bdda646846d4b2

SHA512
da20cc93c087bdaefb46d1a89e3db2b294ab0198dded4c4d832f7cc323338346c9c36e9d4a1e81d3a96166a80243f52a9c1b0fffad0fdb549573d46e93efc274

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
51abc9510b7c4e4f51f0d2bb2babc7ea

SHA1
3b86efe515018bb6dfe508bab502d4e4f76d879a

SHA256
98a6f8bc68de25602b26c20c9ead8acbc45782ea664331784c9f326beef0e59f

SHA512
af85643ad14edcdd74da76c3be57f24516ad374205a741404d3528f33138d828ef2412e3a389bf698eed8e6972096a2ccc31915fe2a630fed65399c63b87b699

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
1e088c12aa05f8722fb73cbf374d5951

SHA1
0178691230ec8d990636481b8ad1be3e9b5a9698

SHA256
11b33d81aec9ba73e4da45769f262c06709604badde293d5b832db54bcceb499

SHA512
868090b268d4140e500ba7020ea4a43094183107665b1c975b88b65db0713c5bc00872b2ad3773dee0395559c8cee830f623a93781068a3ea639c54195d30f37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
02f2d2d71ceae7181812af48936622f7

SHA1
247f8fe67a86bfbfe7a814f67d89a0770112dcb1

SHA256
ae7760bb447c6aad6e25298896dad6281541be5a817e4891f508b8bea835a59b

SHA512
b38494970afbae3e9a32bfcdbf25bf1cf002ff2c9ab656c9145c37d9402c7e9674ba20f2aee0527683fd794c92f8bc0a0e0b63552bdbca323b30efe21add6db6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
8a3dce776609ab0382e8647b53e2837e

SHA1
76bb523fd3e4b6e31226b53f322a983979770dff

SHA256
6fd2c6dfd1c1f876755d058539efd12bd949e6fe5f1d89a17158d32bedf48410

SHA512
62b4e72ec303aed218971e97f3ccad5402af12e9bfce131e16e7a118f706934fa6b0cc2c8ad3d541a96a00a5b676fc20fb33affd6ac42541bec90dfabfc6315f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
583308d9bfb9aba98123eb1fb4a57efa

SHA1
799a90323f9606bac9acc08be0485a98f21b33c7

SHA256
7c11170b8ba3e6f7b4d69c9dc659c6079dcf32043d00e0b3882484070b8990df

SHA512
ee8e5d7eebc00b842259a32b1f16ddded20366cea95542bfee5d5d9f4dd918bc82b277f86b98a8ab305aecff7303d9e0b019a114733e05c0ac8c1643c00a51a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
dbc8f0db9f40910f3c85191504f8770d

SHA1
226dfabec68f8fdf97327792e8cab7ebc139b652

SHA256
05b4baf4ddc0340e29c05c29a6a43d0dd22aeaa60d3472bbb638175dee04a5af

SHA512
bc976375ba4539e591390e26b0901a1b3f21ceb38b18b277cd266107d1c567693ff5e82b9277e940941b51acc810a2b3431ce984dc88ed1798619f877bcd23f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
3bbf42f249fd01a680b855739fe1538f

SHA1
508bd15328b1b8b64aaa51ededd5106b80e257b8

SHA256
a016ec4cf532ae7df14fe239b9cac9cdbf637b4d5798cb45ac1b3922fc33dd2f

SHA512
a4e15dcd222376841a81cc69847f551d7fc63ea423c652e35557f131a10699da2b3a25545d5776d5aa03541297427849074161400e3c8375f7d456e3715d7ab7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
770f1eb10a06570ad69c3c760b4064c7

SHA1
27928c8cca9cc03077faba36b28047414451a1d6

SHA256
c94eba165caf5c51dde3d6ed0c0d77cdf32e81bf272bcf10cefaccfcf789f666

SHA512
b3df3fae36bc620b05d26301bf16625cf710c0bb8a281031248c931f1faec33d50af73697efa0ff5fa7157f95571c8559e1fc9baebbf2072eb90b3e505b141a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
02ae3bf97b18c8ce1a8092c171417f7b

SHA1
8920f9aa2d06215719d4a60e3fa67f5070e2e022

SHA256
81b08c9164443d2eb79b1af71a6369eb6fc8f6ded42c5239979b9f14174dab93

SHA512
f664d4bfa39c5e3e20d15f4186f7a18e417e16c16c68fe85e228d429a764dbe29caee71e591d55878c22a9242c7a7f4e8453a75b10722ce1809134bede7b8fc1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2d27b6ad2114b07d84425c6f0cad2122

SHA1
a924a93ee0805360935db9781683248b82cb4d9a

SHA256
0847a48462144b09abe4c31c74b132e103736050a9547290825df41bf45e2126

SHA512
6af2c2a2e5daa168df61dee7984281eaa3069c66f4d9a05f2ce2d9b988592acf5ffadbdcb787b3bbc7f220fb6461f37ca78d93507022085afd612e507544c7c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
c4bf2810cf486c50bc19e55ee0f1c6e1

SHA1
e77faa5428095757f0565e1382c47e195257401f

SHA256
9a08c2226bd7424510f307afaf8300ba3a1c2dd04aed80250373823f226a07b4

SHA512
55b876e51ed1d0eb58b9c37957072194312cb3dbc44176b301b5ee748b0e3307b159389766bc48ca415740e0528396f8cdbbc2c7d75177b36d009ea8e031a3f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
39caa262a973f541630571e9ba69700e

SHA1
c1fb05c73f18a72ca4c6f5b76e1c6bc882efbadf

SHA256
921aeb2993da7faa5376a1e0c53aba79a92d96c9b2720d8a6b0d0221bf162a18

SHA512
0e746a72c7ef95a3a4eab7b506568160581996ccb663b83a9435c46fc9c43164c69949fe4890de72c7d0890cd6e73981095825dead1de665b1390af3b8e0301c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
b0afb815739185060400efc02c45bb91

SHA1
04d382e18f9ec65ce541e2ba4ef31df79a3f8267

SHA256
44ab6cf06b64f1451c21cf199f89a9053c8192f0633e1c70be8dbdd59b8cc531

SHA512
f258940e0829e3358da38b9e6eb76342cd35ff6dd9e5ad1bfb633509b1d8b205dd0b1a23fc8fcfb21c15d5f9eaa29056bd9158ca9903cc73e36363a4dec6e7bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f7004a779bba2e5e3a6785d042eee9eb

SHA1
a1fdcd5479469cfc1a6882de6838729dd62f9282

SHA256
fb76ef67815b75e97d5bcf798b3f6692baf8b53ffd9ab3caca87e223b5e6f3a0

SHA512
40372c4f89851443cc36d1261b46d42b8a4d02b8d440363247e8d113910e1e6e6bbc96ca9d67f470b7116b8e0fbebf0e4db8fdaab57ffe0948202d29b60fc000

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
2cb8fd7882e5f0aeb201b107c4ad844a

SHA1
a815b331d20cc09b04da170b7fb2e85560155b6c

SHA256
bfc25af1a1679c41aa4bff7b3e28c3a09ba997f1b1042e26121fdbe992d72350

SHA512
d56034e22759f9a66caf0c67956d511acb8d681270fca66c706132785159c4641461b200f8aabbb162e9784fc0b772f06f4656e300ef3b7b564200c10fc1d237

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
08e83bc136d8cf51870b9e8583ade13e

SHA1
f5043a48bfbc7e5f7c663c0fc89f67b8bfe8155f

SHA256
64e13c70d5368367485f103809f140f06165c1a7397d647443e2f688297de34d

SHA512
be9a4cf71ad237b5e1e3f2fdc29dbebde1dc8408cc3a811a311616287fad1e65f7c3dc5770d05c19e6578d855266f28cf4bc53689abb530702b09326c10e95e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
aa450983802492d5a4c53cc12c93f968

SHA1
134b36dd9191dd1a671a473c69e538000c0cc317

SHA256
91fc00743e10a62e58f4eebd748ee9e5b1c6ff1814afd0102094177e2b1e0f73

SHA512
173f190ec8d28fcefab193791fc746be05a615fa6f0b04881168456761c108c4b823bb2c902c3f9b98122d5c54a1e5530722076117178bb7f8df8d6bfd48c2b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
09fd68a35501e8c5833b28c99ff2c672

SHA1
aa4ef1bcb0ba6ad3144a592753759984c0271d64

SHA256
7aaebf8ee9a2a516cb114f7caf85510887b9bceb24356b9930339c250907bc0d

SHA512
79cf12a0d841bf573671afb7ce463325cc6ae6c01903e06ce48c9183dac85f698ecc0eee740f33d0ed8a5a2826b7a46bf1a3177e3965a85f5e01d435d134d116

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d531dd42ea7b40702962ef5f58c90f32

SHA1
6994bee7c1670850ff642dc576429c6653a0e8de

SHA256
a7046f86328bfeaecf66341c4370dc695e4a18b0060002bf598138865bf5c517

SHA512
8091e09b864e3d5f669b10dc42866f2007f12a145eb11e328ad98f66435458f4bcf73b7ad2b1340d0e8f674deedf01e9687aba09b41771ea4b1e48cdd287a1dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d4a0c90bc5ddb23f80fefdccd789836a

SHA1
433d119afbef90dbe065871d875ce0fabfcb7c41

SHA256
ec79b6d2f9db6ad3df77dc036e94be86f2d4b5671430d614b2a848b2cbcdcb05

SHA512
f0778f09b06b162ef5af55dc1b48d6e4a2033540bb748c54b93ab4d51818171a6a86d6dbc7bb4616a8097a8fe3973d26ff17b69d784bd471081311a13ef6382a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
aa977ea080af5498d7e150b68699079b

SHA1
1196734369a0c612acba147ef7429d52df29e53b

SHA256
176984567fd46b9a1f4f92a0322a4bda4e251aee2e36361359ab27414520d830

SHA512
5efee4b1fa9c55ebcd048cc892c1ac7bf330fccc4a945fe707d24732c47c6486758f2eca99b8dfbde32fd4b61628cf3f4c63f272d032cd9b20192fd432bc48e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
37da36dc3eb82f38b3ce6fb987adc76d

SHA1
73aefe37a765e2b84090ec13ecf0e4546d16499e

SHA256
ce7224e8a28811abfffb47dc5a72aece59066554a2fd30e2f786a0907d5778f5

SHA512
70bb2e2df9c4fc469c86aa1e6830f353fc6938ec434ce9493e6a0ab4156d75ce33639d97cb7e80c32e1cedf911813ef258f7482aad7a65873a6de95369833c64

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
055c5d2263aa1ab2ec3c16e5a7058365

SHA1
70c068f895accebc6396fea6e888eb1d3595c9f4

SHA256
2a36bc860eb1dd162362e5f42aafa3fbd36f367a89c2dbc3fca762c9e8a986ae

SHA512
43f9500db8f5444ce01dada84f7c10e5cf2b3765fb0be46c2c21e150a6aa5a71ab5050ceba3c9a5445129f5797139536fd3f213098660b27e62d5f3e070d6d86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5be91b2684855271e93ade624c454c33

SHA1
9de28aba5df3502c8d75f9b3d37f0a2a0bdac4ca

SHA256
a75bcd4137e66bdce479a2c859d603a8cc4a5924f605429afc965e3077b337c2

SHA512
a0807c9e40e9875af0f472ffa713ee9e113fa22981f4695be8d26ff0675e0592933177d049720bcafd7de00400f12a7cb5df5532d9b7c291749b9050def20767

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
bf0693b6ccc7a4f4ec1d04e83af9fdfb

SHA1
ba90fa173573888015fbf3b320bcd7c900fdc92a

SHA256
b6842b0a9a054f03f70c1b533a116ff4b4436d5a3036bb74154cd3c02621a437

SHA512
1f84d8dc65669395e2d27389f045af57a71333b82f50732f7dcf15d378c833cd969f275e5032518c70481acfd91c6d5301cbf82ccc18dfa361853dfd37b0cca4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fdfef1ee5374f5d49c83112587508977

SHA1
25cecab58825b28687aaf746470282acba97e9ff

SHA256
c9cf299288f102edefa69189719c7618616577b02b382aea0ec2a8e0cbb2e2ba

SHA512
f9645485e7fa5cedd32f01b1a29b527c87cd46bcd419605e0865cae4af84608f3452a66885772aa3e3562425b8644b16e165ab59b942b21270a9ad0fca4b0a28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
dc13ab390e49ecda6b4a7b0b73907fdf

SHA1
7529ce2542a42bd902f02a2df7d004055f83a4cb

SHA256
87dd53bd4ad266efde3ca58765c97a646fd9c0c4aba80d3bf75c09e0d1709160

SHA512
e2fa21986322518ea497f682d00b5357a0fa94d7b64682a6f9b999429f8e3c649d5429bc370bc9a69bea1b78768fad1e8f914aaa3523e68103c3c25b274916ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
acc1cd70e05f671e3f883e4f204ddd0e

SHA1
9d7982f478e846254db0198b9674b58ff286c427

SHA256
00d415e0dd258924a3864296840f3bceda0a131af22890581bc59b3ec6351f3a

SHA512
59abdbf4cb787d121d3e1c5334b8bdfe3f5d8822356871db7c546eb07322aab798f2add7f7cbfe945cfb94c1e9de017c683053bfc20ceb0d44145c2bbbe8b24b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
21721abb5250ba71287d9d13122b5ba2

SHA1
37572e4402a81c6edf879c480996285d1f72e251

SHA256
740d8ea3900cb877e891658c830ac19b066aeec0666a0f4365e4daf4d160f8ae

SHA512
16f6682ba1df4c2cded60ecc884cfd241f60a53e5d87662f0fb30b17ef447e8ddf9b4c30f5e3cb37d44e157dbf0873e6b1a131d177e291ebe8b79683fa25fb3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
b4f4904da80bfaaae4e5d1c47c8ed8e2

SHA1
0da049ee42a201fbee497e999c1d8f754bf2987d

SHA256
223652c82283342eb3cd3cdca1b852ad6901306aa37e265a27563ef26ab3d052

SHA512
64000bc614284334919f8e3b6b234529649ce72ecee8d5ef9d605289bb86ef97e70ecd0abe355e6a6aeffaa88a2725167f3fd0652e63c5ca5c42cacf2e0e6ba5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e06cffa48b3f5ac6ffd02d21a7c4ce67

SHA1
28982d44210fb697bb62b88ccbfd5f73ff3292b5

SHA256
e8d0dc37badf7b41ccc3d67c3078e7d8fa475973493d82d18dd05750cd5c7f27

SHA512
668297d454337670538eecc508ee94fa0e0379fe9f0886823a5edc0ccb6278d2e1f25da8fcbe8ce8ed0fc3e71340d2855b60d140700d084419eba272df6fc631

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
b6d3514b50d69eaf06a230b51754451e

SHA1
1d8a6230487e46f9bbfa1f4758f2919fe7426cbc

SHA256
2609fd636b8b1a46d29edf4b242a347cb532d3abe42ac0f8587fe8227aafb7b5

SHA512
3888057e92f3c6d6ebd4345a36b0dc07086c4e40e913936cced7f78a0435dfe538eddcfeb3875ae7a815c8a8f8fa0ac5dc79dc30c8c7e06e6a750e38710795a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
866abdacb5b229636a72e6955087893e

SHA1
514503ca78201f85e24f53e199443f92c3aa1970

SHA256
727eb158b02dbedb6e94b472ec0ae937bacf0b8b001efaabe5c1c63c5607b39d

SHA512
28d29162853c56e82248539f800a296c3ec3f5be4ad7e37fdc6bb612aff197e5daa1e898b435cf62cdcadbd0b81372c00f205351549a36940f6ea28fd0961280

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
a4baab526c922986e356124edf75ccbe

SHA1
77c543015c7fe7611cd170d9fd60312d40f23a97

SHA256
e752bcfc35e108ffa4f879b3eabe0c029a6573aefc553a5c4e44a826ddaa8360

SHA512
49f8d02e8a27273cf630d719eda97bf17245f71c88df5eb41e64d6a9575dce95fa93185b5e3f5ef81c5a44663e586afd085ab2ceaa013b3564bc6e59a3b6c3d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9bb5ae88e315206cd71937ac70f12367

SHA1
b6f279cd22088570646f462148f6e7edcad87f18

SHA256
576bdf20c7211e1383af4b06b16a6672f4285e920c966311ea162e61a245f81e

SHA512
f267b5c184714febd9a38f323165584bcb70c17de8278e3346757d27ea7b78f83636bd935b86079d13893ba43c13a245c8a7d2e70bc5625f1e73a63991291d58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
794a892bbd9c8a93c71819ca7bb9d1e1

SHA1
382f2badfdc9f060e54e5a2db81a6af30914f1ae

SHA256
811837917d8ced8ccdbb1a8989e7a2032b2d1c6ab80c802be257cfd9fc76f8af

SHA512
9617532a506d94c2e719e018fe2793859bce55171808c3a5346b1d039f9816a80726eb2102f3d57509573cfcdbbdd16467c4d34667d3cd999a49620837358bca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b5cae1f7b96b437ef29398519fa46742

SHA1
596f9efc0a2fc16dbcc5d64cf04e27ebd7354cec

SHA256
e8abd7d38f897b07fcb8c6543de1075a65b571ae9e461c03568fd8d4b765dc22

SHA512
d2cacc781a4af37b08eb44a1ab579609e2991574659a09916a80ee70f3822d1f8db50df2c76d32582a6764e0389bfe545952b6af77d45b2e0888626015337ce1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
449eca0576a7e410f46d9cd2d643609a

SHA1
51076b3bf37650444ae303cb2326c77a6bae9c4c

SHA256
6466e60f704cd0a40a773993807b0cc59499956cede98b614b946dfcd49ce34a

SHA512
caabbb190cb1168632c09466144dd9ad967d9ad2ba78fbcf75c7d1853c158a74af4a26d35a71b385709bc231a24258918c69983d805448bb9f9096a4eed9dcb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9b424ed93c9daa920daf28b368cf2635

SHA1
dc50f01686b4a4a12f1a9c854328508869102647

SHA256
2521129e64c8ceefc95f5bb648a3feadb071cd453ac92179ce8ecddc74fbb431

SHA512
e5e4cee6a3c2f4cd5aa6186b36627965ca3aa27a8a286bbbb9847a1460983ffd62660815ab37b1a0ad5aeab0d2ba9b49c4c597703c84b98f1bdc13791a92abc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
b9238e1d0f34932c1e7bed2cc26de703

SHA1
f3760885dafe9a85d0013489682d29259d889227

SHA256
52a81d04d1d309cc7f3bc0ed1354acb4524274ab612cb2f754d8619ced023b9a

SHA512
90881bce2f1e7142bbe14c67edd1f04b2f7e8f2671dc24a82ee60395c2e138ea7fe3d742155b641f05496536c26641fc4293c174b31af1fe3f159a94f0bc56df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
6f7fbfe190802104866c3b3adc9e7d83

SHA1
666f5eb94183b2ec7f5acf800d2a7c9cecf7aedf

SHA256
bc4dd1b592c04a3f7efd9e611b39e761ec62a1d1f438c62b2095b6c729cea77b

SHA512
10d5b68841c33ee192eb48a24da3dc6f2d9f471cd1b0115822bdd0bd47e1732794f29af040279b5847e27453f048a4af687fdeca4bce898cd464edee4b4ec56b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0af11db752879ed692d29459448157c2

SHA1
17ad9fe7a0c59c94ed03085fd9db22ec50640704

SHA256
1a1a8805eaf6b3c72c1d9e9c45b25fd89d5c2cfb083df40dfeaa99b07cd2cba5

SHA512
892a53234263903d290e731b873bc43cff304b97b20878d58172ea989a4993f01216628b5cc7a339e8800882337a10d568e7a63a9d49723ae827c755e3c95807

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
61ebaade2658397e6d9341c937e6ef87

SHA1
0a90c30c4fa686483fc7ea1776cecd3dd0ba061f

SHA256
bac60e24978c2803872cc8a8dd70fbc96a783b6273ff1fa4c194e7bef666d378

SHA512
7fc2ae413c3836d152bfe33fa112724ea46b7e362f225bf94aee76feabf215b08936b1a04ebc96650fccc2a66670a09696eba025dc2653e1ce9bdd652656db7d

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
608KB

MD5
f05b87ee7dc5b9732e0be6ae53600d52

SHA1
f0ac72d3d3d0f856ffea7dd86e1bc018a429bf11

SHA256
54948932968190d8a74e1042ba7656310b2e3d0f2122bccd98280501d121602b

SHA512
90a2d4ddd91e8ea79f04a447b491d5414edd1b081551a89e9bfc37a2872a540ee4e47e3f1085579593661a0ea0e1458e326c95aba0416b695f348c4283cd61d8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3073191680-435865314-2862784915-1000\desktop.ini.exe

Filesize
609KB

MD5
787c7432ac84924a68e8259fb8704563

SHA1
09ed661ca9f980ff35712cf1f79f44706d00bb51

SHA256
7fd3b50075940aa6d3245b06826b75da9aa335dd5c9bb7b45e3bb0ced52fb7f1

SHA512
6950e85b01862a2334eeba621c05958c45c3dd81374cbbcb660e665abc1c2e8e10ff703f5a1e9bb3f31675ddfd08fbf7094a8d6c589d68b96140615a7d0a3695

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
memory/2680-6-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3004-103-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/3004-1-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads