d9ee97ebfca901fc2296137e2219d4115a9b4a68799cbfcf7a09224b2addf481

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

398646f1bca7b2630599fe83a5e7501b.exe
Size

10.7MB
MD5

398646f1bca7b2630599fe83a5e7501b
SHA1

2de320aad4ac27e790cdc1eceeb5d60f51370b83
SHA256

d9ee97ebfca901fc2296137e2219d4115a9b4a68799cbfcf7a09224b2addf481
SHA512

7bdcb6c4fa70d09905fbf5b6696934f4a5adfc662cf606321d5f5a6fda0ae6383df937657fe7ff40f0eb9d884a79482fee646a168aedb1e8e1cf0f72099ea483
SSDEEP

98304:1i0li07IMzKpXOMGQKIMzKpXOMGQFIMzKpXOMGQJ:40I07I2lyKI2lyFI2lyJ

Score

10^/10

aspackv2 persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	398646f1bca7b2630599fe83a5e7501b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (225) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000023204-2.dat	aspack_v212_v242
behavioral2/files/0x000100000000002c-15.dat	aspack_v212_v242
behavioral2/files/0x000a00000002312d-33.dat	aspack_v212_v242
behavioral2/files/0x000100000000002a-50.dat	aspack_v212_v242

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	398646f1bca7b2630599fe83a5e7501b.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
3104	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\N:	398646f1bca7b2630599fe83a5e7501b.exe
File opened (read-only)	\??\O:	398646f1bca7b2630599fe83a5e7501b.exe
File opened (read-only)	\??\S:	398646f1bca7b2630599fe83a5e7501b.exe
File opened (read-only)	\??\U:	398646f1bca7b2630599fe83a5e7501b.exe
File opened (read-only)	\??\W:	398646f1bca7b2630599fe83a5e7501b.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\A:	398646f1bca7b2630599fe83a5e7501b.exe
File opened (read-only)	\??\E:	398646f1bca7b2630599fe83a5e7501b.exe
File opened (read-only)	\??\Q:	398646f1bca7b2630599fe83a5e7501b.exe
File opened (read-only)	\??\Y:	398646f1bca7b2630599fe83a5e7501b.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\K:	398646f1bca7b2630599fe83a5e7501b.exe
File opened (read-only)	\??\L:	398646f1bca7b2630599fe83a5e7501b.exe
File opened (read-only)	\??\M:	398646f1bca7b2630599fe83a5e7501b.exe
File opened (read-only)	\??\P:	398646f1bca7b2630599fe83a5e7501b.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\G:	398646f1bca7b2630599fe83a5e7501b.exe
File opened (read-only)	\??\R:	398646f1bca7b2630599fe83a5e7501b.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\I:	398646f1bca7b2630599fe83a5e7501b.exe
File opened (read-only)	\??\Z:	398646f1bca7b2630599fe83a5e7501b.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\B:	398646f1bca7b2630599fe83a5e7501b.exe
File opened (read-only)	\??\V:	398646f1bca7b2630599fe83a5e7501b.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\X:	398646f1bca7b2630599fe83a5e7501b.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\H:	398646f1bca7b2630599fe83a5e7501b.exe
File opened (read-only)	\??\J:	398646f1bca7b2630599fe83a5e7501b.exe
File opened (read-only)	\??\T:	398646f1bca7b2630599fe83a5e7501b.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	398646f1bca7b2630599fe83a5e7501b.exe
File opened for modification	C:\AUTORUN.INF	398646f1bca7b2630599fe83a5e7501b.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\readme.txt.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\7-Zip\Lang\en.ttt.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsPlugin.dll.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\7-Zip\7-zip.dll.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.exe	398646f1bca7b2630599fe83a5e7501b.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.exe	398646f1bca7b2630599fe83a5e7501b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 3104	2116	398646f1bca7b2630599fe83a5e7501b.exe	91
PID 2116 wrote to memory of 3104	2116	398646f1bca7b2630599fe83a5e7501b.exe	91
PID 2116 wrote to memory of 3104	2116	398646f1bca7b2630599fe83a5e7501b.exe	91

C:\Users\Admin\AppData\Local\Temp\398646f1bca7b2630599fe83a5e7501b.exe
"C:\Users\Admin\AppData\Local\Temp\398646f1bca7b2630599fe83a5e7501b.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:3104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2398549320-3657759451-817663969-1000\desktop.ini.exe

Filesize
10.7MB

MD5
6b7ceb3fcf8737059f1ac39430a4ffb8

SHA1
6c3bf09a7ec3d02007b9f169a1c2bc88a70dc935

SHA256
027889637839d3b40c995da10a4cd4f00c0d6f779f4618a49db628066b046e1b

SHA512
2e19634fea790245fea121d3fa19a80f98dd0650608e95e62a64128957115ced38b0b46689e8a1ae4e5fdbdeac6ba00c2198988581203c3bbc32472be28c25ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1023efdb485eec0bc80a0d6dff5df492

SHA1
5df702d3bd59f09b38080c8b3679f7c86a3f18d0

SHA256
4018285a8a134fbaeb3006c10b7447106cca158290ecdd225ff70c825ee10c20

SHA512
20a4399e4b3c176f8d2dcb54707f8dbf6a0ac9de2544deb0694b2b04e2b14439531c01cc4d97ec46aca750129d40e51a3b993d2a593466026e04f3ceacd1e988

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
1ad868ebe4ebd8b2b78248bfb03c948b

SHA1
7cc30e49ee57e48dac7d6105f3f30dc4fc982d87

SHA256
3e858873a755857c6254638280f02d15751d930aea4b027ba2dc974cf5bc1ebb

SHA512
d35ce4e2037b5f2effd0472404d9cba1105e8013b253e6918d62504c27a58db4fd6f8e6492d88341c3c450559fa06ca23d0e8657158a1fe47c5f91a267545340

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
13dbbb6b5dfb6d0ade5257f1bc96be35

SHA1
6ec37697ba0fdbff6cd45ac47e4eb882f3ed2a0c

SHA256
7de6cb6c216fa8dbcbf9774f53dec24bdf17c37b9c1b98b39af86f1a0209630f

SHA512
f470a958abe70871941845862270f0c746afe6740b4302c9e92766ec5ef801456fa50da280a517e5a6b0002fb74deef66bc33371f034d50d26748e60350a641a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c1fe4682070fd04f8692f94313fbd883

SHA1
c6c5d327a35d8f2027f10bcd23cbd041cdc26764

SHA256
8f8faa2d8fde666aab20039d8e4cac0be665f889b83682800a81cabc0d1d6774

SHA512
222964c91476de605d13a51f9567c9062c230a614dd25d07357c9419aef116efc060d90c16fb2097f4e0878112bc238a16de7afc34ae87644df5f57061818fce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
373b918f14c2f77c228926f4eb09c57b

SHA1
584ffbed58a4379c1ba4ff9539bcf11ef806de4e

SHA256
b85945894cfa220e7904bd8d6c23c4b1ba240fb5d7d785ee86d0b3600fccc300

SHA512
2c75afd0d6bbe2acc971bf6d6c8fc3e4b291857ff4982162bdd253e949013ae025a0a23c35e27c54f622cc5408bc72b89540d6a54662dd4c8aebb0678d089054

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
dd37fbd5671046f1a235f7bda119d880

SHA1
af7f55c29cdfda1a83d971aa87b1a4239dcad97d

SHA256
20ed521ed40b1da674437b662e10272e1d9694827dfbf3729d72d0658ffa255a

SHA512
4a296c732c058a428392f4abfcde2e39abcff9e3d5c5af5fe29ba1576b12a3da97bebfa91778fae2eda31af815fb29c8173aeefe187282970d0e7463a2ea1851

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
aacd81df45e0765736a6a596b2bb2e93

SHA1
7a0b2bda673956d91dff580bf42f882db1b0e480

SHA256
698c2a96d63c001ef9f30c76681ca6f433306340e2f77ab0262c31aaadd55f72

SHA512
744d8efa9a0b2bc05e1d2a5494d99d81795876a50f040e7cbe33d0c7c859d054d30f63145f7eb821534aa05a2b7e1a3b913ca66402c5644665138e8a3d40eb1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
58f0ec4248febae09c1cf80afbc32572

SHA1
59936e08398a91094a9be614b83717abd14d2500

SHA256
b9ca5bfd453b0d70bb3fb20314524cd56da31980245ab5d04c28feabed54157e

SHA512
d41681d8ae857818c30b2bfca1859aaaaacae90a8b8a4cc51706d3094276272a33b8b8f23eeeeacbad0b9abb4b6035841bd51c7f69b8945b1c569a30a19c210e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b358cde745bbe87919dc37a965c47d08

SHA1
46fb1e1b381f5d84e0584b8ffd2c88162c9ac354

SHA256
29c2564f9a9f81fe5bbf1e4533ad82250fc802059f38323ee5a40495f837f303

SHA512
f0697ca9b2613a88d1a798cd89c60f7552900b63e8abffd270478bd2677727a4fcf841510dbaf700138d1127402f0f74cc98b1fa25f86855ba78fd4d62a9b67e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
4d4397f032a96af31f3dabdd96f910cf

SHA1
93380431d9908a68c0c97a315127ab51ad9841ff

SHA256
31eba9ce569c2591a6dd02071efbff5fe1a0542a7b5773538c1a4c835d80b53f

SHA512
de7f79f2128f3ac2131911f98c66a83eecc5272065577a1f82785f58641ec80edd95ca778883c7ad2488aeae59a1784d78f748feecdd846208b25d147aa52761

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
41216fa75fe77e87a482dd04c8a580ba

SHA1
88cc4092fe2d0cbc90f4fddc1ca87c4f2397ccc4

SHA256
64c4097e29fe8276aa0343c8dcc7022197310a459d9a06e876113c3338261921

SHA512
01dc787c809cd1ef4ede9c81689c4aecafbdf10de6e37e1475c7b9392b2074d955646c14ffb72f489297871d4cbab73ad56a4a3a9ecbd6f2771df09c745a0f77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
86fffac3f6da79b5d698a34819166ea2

SHA1
f8d725433b2c466558f0f81607c9c19112d42b7c

SHA256
f9817cc94835ac9d766260bf9375065b1ade4ece075d4710f70489248a306613

SHA512
b1bf8f8e4c4701c09f3aec04b1705157e65108aa4be07ec07a5ab9e4a2ab76ec3ec1e620bb618ba25e28aa83afd99282716fca4b3287712c3aea2374eefdebaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
a880847ce6b21bd8e411dd5206dc0886

SHA1
43efb4fadf19bfd305e64a0f9db667110a301e5b

SHA256
e338da53c65686ba5954478d3076e88f49370b7fd87bf4e946b2473588d18f7d

SHA512
929137ae524e38193e156e593029c73bcc74e504f044cb25b17636e62b4757ff12f9dcee28601cb0f1d0ea63958983a84ab595c43adda8be4391c4ae8a6eed50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
f7c9e12cef433214aef312ecc9ff5978

SHA1
e82d5bb14757bb7a0963b679cb824f93ab7f1b08

SHA256
115d5cb2dd8cc1e66ab533ddac98079ac0fc264967249f6fefe32cc8a10b07eb

SHA512
9f6b2c6439df3b559585137f5d35990863e6b7c06daf864e36ccf3c250b251fbb495509daab4db858f67bd27b08bbf36f80e1ca6ac6641a5b6769edd23175322

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5f8ee27691f88587cb93c5bb2c68e8c2

SHA1
8bb84fa503b3026036da1ef87f1f138051439060

SHA256
3a108529d5c1f50b729829dc46854565fae36bc7fcf31c78f14b938ff30c5367

SHA512
91191ac56af5c615c751350717ee6e772c59a57c15645d96a6c11da7fab5f4dfc50a60957a4978cc3e4dfefd07f511d67c6407f96e395bc9dd23fb2c838f710f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
bb5657ca4ff5c76028cb2a036c652272

SHA1
ea4b6b320c640af85798292c43d30ee6ee17e1aa

SHA256
8e69069bb4dba45bfaa848359d5efd0453e4488a69872d1f27e42806d9487d06

SHA512
ee9f124c318e30322611c784c7132bcb971537a72c62c622c7041d943fd0cd6904d2ffbb1adcd0638155ec6c9ccbe58be5f7501b9d738c6a7335632eae20fc63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c493adc3050163414d67c2bbaaa959e8

SHA1
8ee6573bce955c75793a3364590873f143d83ef7

SHA256
e30c83b841924e693c67858705008c8d09d09f61e688db243231231a389ee8e3

SHA512
5f78597de885ac17f85327b5d24653cc886a6578418c4d128ff4f0d288e6fbaee08af9fae19b35be0d51aa61ec5b575d27dffa2f434bf6d95e42e20eb193f002

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
bc709e087c6d56802d1baa61d39beb09

SHA1
38b9128d45661304e9d308c9d2231cb4d779dd87

SHA256
d0ed300c96b259ee7535b1ccd68e955b6094c4ced332e9aef2740fc3b7ec4a2c

SHA512
d5e22b78d8a45bc20c09ed68229a5a85241d40a25b636736fa56977c0c853d232de1866ec6a466750ee144c9da776581f075a5a7981375dfe7c5601511d66082

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
41c3c9f450c842676bf4a8c1098cc13f

SHA1
2f0400dd1de466771b36bc6e9d7315125410ba49

SHA256
bd21edcafae754930ef0d8960cd6d0ec0ea0a59a84a250025f945d0d616bdd45

SHA512
124f4143f35210c8c00b1f372e000b2d4ebd00f41d61b169d6c3367b99f5631e6727ab1dc1a9d568bfefbb6e50b8f5fb35f9bcb234a0347fff0706b7e72c8590

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
f5440355a4218de913fc77ae25ece196

SHA1
9290e0f7b1bf6edf24afc2104803f7d3336fda20

SHA256
eb6fd91afdde96051cffd556f0d99c820ec92b5c9e1b628eee5c0821627150d5

SHA512
bdecf3aefb054cac7d2a8927e08b19531a091bddaafe629116465471d88efb11a6e2c028233bd48f860ee27f3e3333e1695af707aced4291536382abe2262326

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
180f5391d1c9657dc008ef6d5261bf7c

SHA1
8e6d825227e31b46d3bd22d23fae7b4bda535420

SHA256
3ec114b89e3ff3516deaee1917bd816e7e3d1e22230aa971b25f28c5bfa91cc2

SHA512
d2e743481ba240a7db033787030268846424a3180f7badbe25d438092abd533fdb29576813becb67a409899b319225574af379dbac9662754328b9a6762bdbc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
88c134febaf2440b6164aedef1c3d5a8

SHA1
2c00179d2c62dc39395f66ea9eed2a1bda9798ac

SHA256
3a0f524dd7e7f6a49c95d3b999721c7765e8d2138d45c1c625ef9a9018d8e0ab

SHA512
abe3c5164f282246a3614641710e3b00cbf104d74bea214f4f83a70e94d165c6371e71931d8e4028655f28258916ba014f83654a91af1c89edcc6a4e2e1baed4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1ac6baa3065454984c3d543f8eb7bda2

SHA1
bcd49ad9811ff28326e2a7ea93ef96dbb275e697

SHA256
6b7e42dcfa1c8b846b14d43a20de6caeb4d17698c258e2a3a941c58c069d4451

SHA512
c388b6387730a384319f44209fe496aba8676de680860df6d32c8452404a9dbbc4d880557b5b78b320cc0e882c52dd63cbb04072dee4cbc5b780563e83b70fc1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
fa692d795df27b8f5778277df80119c7

SHA1
e79d9a5e0b49d366eeae31ade38ac91bf562f0f1

SHA256
bc568fe876d823cacadacb70d257eb15349be60896d0a82296274beb98a1c379

SHA512
2d9cbdd0e06db7384843f3d3875f11f81ce7ffbf3afb2ee77b656faa57c4afc5aa4a0026d6cdff931c56df5243a0ce8085e79a57cce40994f85d03af48041500

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7e9106c59f5e1681d7ce49199b4760fe

SHA1
c117d2222504f8ad8dc2f5844ff75d71ff299aee

SHA256
62ef2306bf3a7ce752badc28d9a5a9479d932df8da4cbebab17956f35dee736b

SHA512
4f8939b21480424616c070d69d898078696dc02117af754107ae4ecbc1f22e6c58799e03934f24ab4290dd560aa6be7fadc1b35967a8b60289bae791af2eeba5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
160f3d639a11de9c9de27461ccca3bb6

SHA1
c28ebc89b569657c328e6b1ea3345ae0be64a3fe

SHA256
bc431a9deade2c0b0195392f439df908745e63fdc6407870326fb2b95b360de9

SHA512
0325d676a3d491a6fd29f438d36681d7061039dd8af253c5f6514472feee63866a770be93b9337c05267537edc7814bc07e395477f6e2fc963447a35370d3692

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5881d5d0785e1d731ffefbea566079bb

SHA1
56cfb7b30b71a93007bedcb5c84f490103156c2e

SHA256
47ef6b116b2d60aae231e0f49de0ac906c6a787e87de47316ba8d70fe7a288db

SHA512
040f42f4f6be711b11bf23a36900b8b8f69ab0c72975694bda20145238d527cd771d3cfc48a097dd14a24ec8ff2609c8395c572ef178795bae6a62331f34531b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e1fb94a6e8a06f368e846fa960d575a3

SHA1
d26878febbcf23dae29838b3a3fe61d121efc11b

SHA256
17e3ab9e9548c243404d06795e36e6198d110d65bf0f40f6462dca3700fd80d4

SHA512
54a57c1dafebdc84ea74962239feb26c2acbff90a5de3f769efb9b5cd6dcdf7026fef1982e24292e40acc649d0c0eb9c45e9cbdf75930af2d918249f8b5c484b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fc72faae9cf07b481e211e14fd050f7f

SHA1
d2e46e2254de89a68a5fa177aba26882d32a99a0

SHA256
ca0c0ea0a0209ca1a79ec5f408f5a4b0310a3fa93830b752cdcdcd9490e86808

SHA512
bddf6f25f2bdd9c9a79e995b1943e4785367328bdf8b3fd40b5479a566532eaea06b6f19008c633334c63d75fbbf4701aa1b910292cdc3a021fc23c3ec5ff52b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
f7bb4b0bbecb7fef99702df3a3d27cbc

SHA1
74cb0f0f39c3369f946762bdc3b9fd0c398ba1e9

SHA256
e993ce45d30c3517843052c551745b81626f046d3ef2fe856e337998353d6207

SHA512
03d6b2dc9ee41ea450e9739a0b7c8e71c895319177525912418ef85f7a99b7c4caca31485a0e69173a6685ac546ec204d4425b8a47021992e9fc282662000855

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
5529e23a8c8c3a3ebd10c6c39e07988f

SHA1
966128b3be8890b12bc60e9a66772c7cb5c4a21a

SHA256
c5b50a68103a2ab77cb2403999c8e31e01117d27ce322ff3e15ab0de6ed9c053

SHA512
64fe2517889491304a9eb4d1198caeef90cd56eee5c9179e45337bcc0e8231e5dc99693b675a536a0c727afc76a8b461e785a50b50754841abc435bc72f7ec6b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
80c8935f72b9dc7aebb007efbe0ca7f2

SHA1
8f55c1349cd78b7a3afceac94735bbb8d266fb13

SHA256
8b6ed20cc56558415ea819cc49b372d3a34b243e281bf5f3173ca85a44b59721

SHA512
abcc410a450d821107f0e3b61dba2bb095c7a791527b8edadbce9d74c430553ac51b4e1773c84b287a0cdcfb87c36e2a4429812ce336be8b6a36b08b067d41fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
38eb482c19008ac60aa3f97b708b60f8

SHA1
ef385da40fb686d300b5019ec33204a007204baa

SHA256
da0eb93cc42af858d059d5eae5789bdb7db408e966bdba801c7e4fef744a1eb6

SHA512
d6e4ad3b698dc691b93a551d187e11f0c4e4f1771ed2f48fbd88797dd01105cbd1ea5d5f27f581918ca992ebb0ca22527df7dbd3b5b5d2e905bbc3bc04baf6ce

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
7.8MB

MD5
e3e9192e9595b2626808e71d5173e993

SHA1
584380d93188c7f0a2482bc10c33b344326f0486

SHA256
86c62f85a28e939f6e2645287ed7952249211e798e44398c0bde742d307bda3e

SHA512
d03c1b0795d69c26543255ea7f56a9424296b824a53f0a55da35bb96e34cbc69d14386188d7adc918d30edf4a5fd7541a8b9ac1ae37ee841b4afb9681b8cfa63

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2398549320-3657759451-817663969-1000\desktop.ini.exe

Filesize
10.7MB

MD5
c968bd826df8b0eac086cfa1e1a3cb1d

SHA1
c712e5843333dc19543e3ca3a314cbbee5268aeb

SHA256
6f1276262010a4e1e043242ef6ef14bbe7e0c326af703b46856079bad1d6c179

SHA512
8ec1165ddc3c5eb8c5c0dad02a146600f6c19fe12b3e03cf4647d9be4b83fcc3f0ef130ca0e6624ed7ef6de1f4eef6ba94c61de36572e0b193b4d058bf53d621

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
10.7MB

MD5
398646f1bca7b2630599fe83a5e7501b

SHA1
2de320aad4ac27e790cdc1eceeb5d60f51370b83

SHA256
d9ee97ebfca901fc2296137e2219d4115a9b4a68799cbfcf7a09224b2addf481

SHA512
7bdcb6c4fa70d09905fbf5b6696934f4a5adfc662cf606321d5f5a6fda0ae6383df937657fe7ff40f0eb9d884a79482fee646a168aedb1e8e1cf0f72099ea483

Download Submit
memory/2116-127-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2116-0-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3104-5-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads