1c382b2800f2d57ebb19bffae03b8ed679838a22520a212c19f051a84a75e977

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2024 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b85f3acf2f180907172ef7619b86404.exe
Size

184KB
MD5

3b85f3acf2f180907172ef7619b86404
SHA1

a552fb20c05a44f3e01c32a1b6cee6e987c1634b
SHA256

1c382b2800f2d57ebb19bffae03b8ed679838a22520a212c19f051a84a75e977
SHA512

a7fb01bed6c5fa65868ec1e1ba6d2d5df8e6e71d727947ec45fc97c8d22a8a1aebcfef1cef15f03f5851b1b0be62da700a90645736602d5adf778628aa081906
SSDEEP

3072:rimsXXK9HRTOeriRfP6pXfSb0dspqc5oY0htVFAHT11Ual21Cxcs0HKAH057kyJu:riMmXRH6pXfSb0ceR/VFAHh1kgcs0HWU

Score

10^/10

aspackv2 persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	3b85f3acf2f180907172ef7619b86404.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (5573) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000400000001e96f-4.dat	aspack_v212_v242
behavioral2/files/0x000100000000002c-15.dat	aspack_v212_v242
behavioral2/files/0x0006000000023204-33.dat	aspack_v212_v242
behavioral2/files/0x000100000000002a-73.dat	aspack_v212_v242

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3b85f3acf2f180907172ef7619b86404.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
2956	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	3b85f3acf2f180907172ef7619b86404.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\B:	3b85f3acf2f180907172ef7619b86404.exe
File opened (read-only)	\??\Y:	3b85f3acf2f180907172ef7619b86404.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\I:	3b85f3acf2f180907172ef7619b86404.exe
File opened (read-only)	\??\N:	3b85f3acf2f180907172ef7619b86404.exe
File opened (read-only)	\??\Q:	3b85f3acf2f180907172ef7619b86404.exe
File opened (read-only)	\??\V:	3b85f3acf2f180907172ef7619b86404.exe
File opened (read-only)	\??\W:	3b85f3acf2f180907172ef7619b86404.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\P:	3b85f3acf2f180907172ef7619b86404.exe
File opened (read-only)	\??\R:	3b85f3acf2f180907172ef7619b86404.exe
File opened (read-only)	\??\Z:	3b85f3acf2f180907172ef7619b86404.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\A:	3b85f3acf2f180907172ef7619b86404.exe
File opened (read-only)	\??\E:	3b85f3acf2f180907172ef7619b86404.exe
File opened (read-only)	\??\O:	3b85f3acf2f180907172ef7619b86404.exe
File opened (read-only)	\??\S:	3b85f3acf2f180907172ef7619b86404.exe
File opened (read-only)	\??\U:	3b85f3acf2f180907172ef7619b86404.exe
File opened (read-only)	\??\X:	3b85f3acf2f180907172ef7619b86404.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\J:	3b85f3acf2f180907172ef7619b86404.exe
File opened (read-only)	\??\K:	3b85f3acf2f180907172ef7619b86404.exe
File opened (read-only)	\??\L:	3b85f3acf2f180907172ef7619b86404.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\G:	3b85f3acf2f180907172ef7619b86404.exe
File opened (read-only)	\??\M:	3b85f3acf2f180907172ef7619b86404.exe
File opened (read-only)	\??\T:	3b85f3acf2f180907172ef7619b86404.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	3b85f3acf2f180907172ef7619b86404.exe
File opened for modification	C:\AUTORUN.INF	3b85f3acf2f180907172ef7619b86404.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-console-l1-1-0.dll.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ppd.xrm-ms.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\BillingStatement.xltx.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Private.Xml.dll.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-80.png.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\vreg\onenote.x-none.msi.16.x-none.vreg.dat.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\charsets.jar.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-phn.xrm-ms.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Security.Cryptography.Pkcs.dll.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.dll.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-profile-l1-1-0.dll.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Internet Explorer\ielowutil.exe.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymt.ttf.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Threading.dll.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ul-oob.xrm-ms.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ppd.xrm-ms.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\AFTRNOON.ELM.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\SATIN.INF.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationFramework.Royale.dll.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DcfMsoWrapper.dll.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngcc.md.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterBold.ttf.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-pl.xrm-ms.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\SLINTL.DLL.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\Office Word 2003 Look.dotx.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\System.Windows.Forms.Primitives.resources.dll.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\directshow.md.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Retrospect.thmx.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ppd.xrm-ms.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ul-oob.xrm-ms.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL058.XML.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBUI6.CHM.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ppd.xrm-ms.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.Requests.dll.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.dll.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\OFFICE.DLL.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\APASixthEditionOfficeOnline.xsl.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Java\jdk-1.8\release.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-pl.xrm-ms.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-oob.xrm-ms.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8EN.LEX.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-BOLD.TTF.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\WT61FR.LEX.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-process-l1-1-0.dll.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-datetime-l1-1-0.dll.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-datetime-l1-1-0.dll.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ppd.xrm-ms.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-oob.xrm-ms.exe	3b85f3acf2f180907172ef7619b86404.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\NIRMALA.TTF.exe	3b85f3acf2f180907172ef7619b86404.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 672 wrote to memory of 2956	672	3b85f3acf2f180907172ef7619b86404.exe	19
PID 672 wrote to memory of 2956	672	3b85f3acf2f180907172ef7619b86404.exe	19
PID 672 wrote to memory of 2956	672	3b85f3acf2f180907172ef7619b86404.exe	19

C:\Users\Admin\AppData\Local\Temp\3b85f3acf2f180907172ef7619b86404.exe
"C:\Users\Admin\AppData\Local\Temp\3b85f3acf2f180907172ef7619b86404.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:672
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-768304381-2824894965-3840216961-1000\desktop.ini.exe

Filesize
184KB

MD5
94c4bfb1055723c162a156251c36ebe7

SHA1
246ae55978e8daa6dad25d1c84d899687373fc0b

SHA256
1ec25cb47a1209ba689b38bd79d192a42f119e7848fbdf44332fec3945520f44

SHA512
b32541e6842eeec902ca670739f1b71f8938dd6cd5878b044dfa4efdef8ec187470002fb09f9f662dd96c55359a21e6dd0822df03a8a0832e1135c951108ce95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a6b96526e5cc6d24f78086fae528a315

SHA1
7d2780abf2e743c5c1ed44d979df09bcc9907234

SHA256
352d397113bcb923c9a58afe0708accac79f88d3cc60444bd65bf27e65e96429

SHA512
8adbc6b0ac6c20ffbee0eafc54bd659a952e81a5c15ec7f0e8df8f9e47992d026d396eaa29b93b999aa25bfee31b99b0846fc0ec64c089e77f39d5c319220e98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
95b62190b9f4ff8cab7b180ba79ba8d1

SHA1
e9989e31135f14749cbea6505ebc50c5a100e434

SHA256
dc68912213ab5e625ccd8086c1773a4039526f7b0b2a213b6d8daec86bf42841

SHA512
2fbb5c9a710ffabb5c05b000d6340593caa0c1651bc33beb825f29add1e117e3738694e1409f424447fa9d6aff3056436e2a29df055d938601a770e37330cacd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
2b94a93d20eb83829c457c3bc97b77f7

SHA1
93d11aca880125b874f3d2eb72eb0332ee7ae002

SHA256
590d55dd47b33bd069b0589edce7f4e1b567320c9f406ff8ca6019d997d40126

SHA512
2049ed96360d51b3103743a9bde5f355c76a0c1bcb45c7bc62a1b12fe163075ddb953a159776562bbbba762e9b0cea0a44b8a6aad0fa50429e194a31167f8d75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
6d3e2299761891212184e72701a8f698

SHA1
28aed118ebdc527f854c5df8476fbd7b5fd53124

SHA256
c5189dee4bfe638c53020b41aa5843f0819462f50295768bac676416db8b1025

SHA512
73315bc91ed99c00b93ae3e780615c8d8fb7799df5c4331ea27901558f6d8874f20b25e0c1b3ddc65809cb35f76566ed1b4ef0771f39e08cede05c483f3c6939

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
f11673e1db7a4692acb6e9f4c7bf1450

SHA1
6316b0ecccbb79542abfa5b69f6115a686081437

SHA256
038238b1c27d618b9e25397885d80aa8390467392f1652215d975d6339f36e63

SHA512
d08cf38ce2d3c225a1573c689e1c47fb7ee5a6a4cad0446e5a6949df9da216e605fdd11b905f0ac71c5bfe6fbd796cbf9a9cb92942ab054d68819ceaf1d364be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7011d1dfea9d9c30c0458b441eda127e

SHA1
8ebadec0a496ee2b38538bbb5225ff469c820a9c

SHA256
e4fca3d7e0b2156ac235a08630991454b04d96ecd946a4529a2cdb2799065767

SHA512
e31856d83ea7494284e11e719bca64d835a254911d18dea9bd313cdd34e70862c2ec2f7c529d6b3237845dd5094b9c43334580a0ee3087877a1bf8c11fc03ca1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
3c37b9eaaed131cea33775fc2d30a63f

SHA1
5d1a04923e4a6382129ae2330c600e77f36e9de1

SHA256
c7d27b8b1317889667a38db512b4964ad40fc798f938ffb19932745c33cf94bc

SHA512
c4ee9b7305bd409166d9dc09ee913f8fd19750498663e57d7b39064e56437509a05ecc43fd7c771f5851748a14a3eea8c93dc495960dbeb26d0525fca4101ea0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
24fe451889a5ba3ed2f2f6869e198543

SHA1
67bd1d5fa2552ee2b156a6959d9d65f7b6f66030

SHA256
58571cb01d7992ead7beadcba282491f94e2740fff1aef37f9e2c4c703799d8c

SHA512
2ebbc7ca1c94a74c5293d424fc4555b8b384fa1ad5ce872f6706524af04f15e4ce5692f703f347cd9f70beb9220365a3df610f033350f0428c622dcd236476b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
5976b60f379653710de18c78da97f992

SHA1
1f82e11bea82171e33ebe2696c1419ac7f33afcc

SHA256
066085475f77e619c3e4e7f6cdb4456f5d67190b43431fb4b5c1570f0daad645

SHA512
b115361f5f4a09268877a8fbba477a155bb71c7028d8cf2e4f23183c991aff4578054f7d3cc5f25e78b589695ac79ded019bc188e260f23364a166c369149638

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
758ddaaea1e65f1eb5da397889282fbb

SHA1
608a938c9c8a7ffccb4bf753d2e0e10cb06358e8

SHA256
edfc00f60d47df88f43a2e58e81a9e135da764ee612e482d31ac966054305b3d

SHA512
f402b81283bd1fd10b2fe957d4aa83fe0b62439740057021a5fcbacec87ff63e70f7971af50a0dcef553369afb9ec269b44d3ed439d69fa838a257839ee41d8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
34aaca287e838402327346f498995451

SHA1
e09ae4043e5d60de62156b11fe034ab89555451c

SHA256
f333531c276b0f719135d793447406a02358b2d4e6385188be98887faf978287

SHA512
d56dcad38c138831ec69e8e90af6617505b7ff0c984dd2a442ac85809494bd2dc2aff87ade55a1e24d1ddf587557dc7add002cef880202310eace942137b1452

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
99893a09ec5604adbd7cab72fc937c55

SHA1
f12e38a1bc82a953cdaac64f23b93f9a8e7c394d

SHA256
ee1823c8b5926de955f792024a70073de551b139038d3630d06264566323e4a8

SHA512
a62d24c6602701561e408d79f58025d4b6294e5b06a3086015401ace64dc94e40b5d312d20bdca36c03f08383b95148c349db7132036faecf70a53f4915c35b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
f8af8f005023a7526f59519bf26d8fff

SHA1
d270d022fa1e1a418e95fd6168011d3a9982fdb1

SHA256
21a59751033dbdb8cbd9c3581bfd9fce4b6dca9f8955214fba840b12041be0f7

SHA512
5627cbdd36b7f19767ab3690d33a1c39bdc2d70788abb0e94971bc546dd794d39b0fd3d0bd914e78c733ade87b53772ed8c8233cb0b5c599615883014c300b77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8f715638f7d36564199115e5894af85c

SHA1
30f22bfdd21e104165d357648a9438b11d57828c

SHA256
b6c22b8946751fe324a5bbe22a94bc5ce4fef64ee2515f2627fa8dbb05ec2a7c

SHA512
4a3e0424b656986faea9356def1754a83ed2b214ab1268e603da9daf82f02f968de64619b62dbb90d54999d339d2d24574e8e8bcc75a01b7e6aeddab4303c97c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
fe2d420343c1bbedd642aef0b78f1483

SHA1
76e114795b90c1ef2ccf838f76f9f1566224263a

SHA256
7c80b1cf6587c6de0806c5c654e143299a36968c6c2e1802cba4d0edb0c17401

SHA512
75e88c470afb9c68934974ad6c5ff94eb0dcc7f6f159e94094a273ed7205319d4667ce00c44021f0a620ec87d5445c9256a356c1ae9d5a1b20be0f0d9ee58d7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2766f40898df370b3d196feab0328753

SHA1
ae5f0fcaa8a2417076d072a70dbfaa66d3b140e8

SHA256
7a11258f6e300ef00c436421f869d848b4a515e58588dde4aeecd69e289af8c4

SHA512
b6ae7dff1fee64625e3c9a1c8b66748c26a16ed2697e12f0cccdbeee4733148cd124cf5e16b1688296d481aff3674911c981d828a558c08e469f9f7494f62865

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
a7ec868bad96adb319495c60bf6cae6c

SHA1
00b4fc0d506ff9c4f6b9b01eb50d900fe294b1c0

SHA256
5695b6cbf9ab14254eb9a4ad26c80d389f7657eb7084c680f05c47f68d44d0e5

SHA512
d5addabef7bf024f4f139e7e8edab8a5cb79ce57ac21655d3d5dd48b22cf9a7e75935cc5bcb71be9933c08925241d6c57045621647fe842f9cf582fa13d03f83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a11908ea0c0ae18f489151d612214932

SHA1
60a9e9fff18bc539c1ad07fb16d73b57eedc80ac

SHA256
a1acaa43154fc6204fd0550020fc741b67ac860121612df5c1d7f2a6bc475def

SHA512
1b3c7d96944873a54140efb0690f2926d7e0f00ddc1d06913e753930d608f862861da4b516e3cd6720e63117ae6e64fd824e9525bbcd227c059721ab5eebdb32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d4ad6214a197684c432d2214ff0d156b

SHA1
f5625179786f3c8b508cf2bb1e79f3d375cbf8e6

SHA256
3f38c4d4aca78f1aaf301487165a5f8e32f86ddb92d296e6ba4912e406076763

SHA512
cdaed0c6b1b8b5910151befa623b20a144eac71a6e34986d3f4339acef593fb1701e4030c2eca77c996b2522df8f87b8d1ba34b1f2a8965bb5d83b90587ea9a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f70e01edd6eb706098aca96902b82c4c

SHA1
d9d6c77dbe3657abb135c9c778a63742519d404f

SHA256
35cb7ae79ae848a445810a8aefd64c5cc7c43d48f90789087e1cfb7d2bdd59a4

SHA512
c8939cf5f0a1abdc8e51ee687bdab28d48fe6981864b9fdc5e7c03875ca239dfdfa655bbf6862ff4fdb4fc8db1b1f49bcfb7a8f5389757fd7cdcef7e89615217

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
c33df5071e2b7aa18323db33bf53bb0e

SHA1
9d222d26a999c5a92df4e021ca87d83261960fb8

SHA256
2d9c5af66bb9564244c623fba91bf386e6860a125784395c41e40dc039bfcbf1

SHA512
a61e93293e41bde3c2f0856c9e5ec2710d1e5b9e2a35f0518da2f17d039dde159fe2c5596799b53d7ab02ceaf1212cbae85a215fe7dbad9b68ec6c901c0de8f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69d571159e0911e996f3da4c7a233fec

SHA1
82bca41ebd537a1813b2c2d0861e102182736ca1

SHA256
adcf4aca3db0392169d5862a1940d0e9ace7a7786a6021a819aa4c1c79c62741

SHA512
24ad6c5f0fb342c6d7391517c2da552fad81ddfc4890a4da2f2331bd84e5254fc600e073eaf584a1baa62fed83783238deb7a0e46500d47c1600454d6e433d30

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
fe53241398bea27099945b2fce6c45f2

SHA1
d2fe91215d24f90b75e8bc55d5f0c3af34b82238

SHA256
ccaa9bdede01df012fdb37e33db49aa2d640d1e0dd903e717245c7be3a5954ee

SHA512
d6003f111b6314e128879ed011c9e6e889b2014522024e70ed222dd841877e421bf6f209c6ebf24932d7b8780df2849f66bddef66ccb3ed778dce3aa068750e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5bd9cc7e3a9cc6b9c0de4edca16f36d6

SHA1
b16646972d66a650778c9116794403c0f14892a7

SHA256
3b0440a85066654c69d2633f9830031cc042acbf896a24a696b040ba8b092aeb

SHA512
7da28a938c11a850abed2da98047d140f7fa9b3c8c96896b928ff369460f1f223e67eb4ee248db61b4c18729007fab2fec4a4fda463d337962ab0f8035c96353

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d4c1d1bac47ed25a0e53eb3e72180432

SHA1
c67a4cb4f8108ea897939990d2a35f2b1bddef81

SHA256
4c960de7f07184ca149a20c28daa3b82fe717cfb23404de8f9c9f4e92d0e862d

SHA512
36d3827d63230d28de043f952382f3d7d231a4da4fbb6da0252ae64c549a08b683ae0b1dc86fa59167bdebf3eb310d9a9a4a8e15d48fcbb61cd6869082d1a645

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
6c2459a54f4e0cb58e5b1d90aae77446

SHA1
138639f42f42349443bd57d327035bf8da6df015

SHA256
85f139441fe776ad528c306502cf71873d2beea1043dbe96758621f7cde95b83

SHA512
6ea4395ee3301098c8e6a514d36ec43f7dbb148076e530a0872d1823503be9081eb557cd74e08cc8183cfe20b0e148e0c31fad91ff14a0aa6a5f6018a3993dad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
81232362079387fe3ba56229ef054bc0

SHA1
af273ff0cddaa2d17b7d57ad2551d67bfa3e3b54

SHA256
055569dabfd244c4b2610fb5bedc72026f5c03ccb4541e65186b69834e890465

SHA512
bc44f48f14a4e46972c38e496fa9de2e14effa6171d09c4d7c350491000933ead7454cdfb1bfa1c96d8ee6888e74366af03e5cdd602a6176e0711c8175d21df1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
da1e469e3810a5c4a7d25c81e0e87c1e

SHA1
8e13af99e5ee53803245d294a7f07cbc0715b6f6

SHA256
7dd3050d8b490f98d6473e503dcf81f4d31573fca9344b2757544b0752c85886

SHA512
7d5c881fbd8caec0fc0f63ffa553d809150b083daab0c0c8fd3b307ead3727cbd5b8cac8cfd2be059b42358e16632bee213c78505d3b0fe3746f3c22296f4640

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e5d48ffe793cfca02d0129e0d182d9f8

SHA1
43d790e85ca658ab4bdc045c6fc01166ba95b687

SHA256
e2ee241c971b7a8d9273d9341cf71313038d7d83ae4c6abfddc08e04a19fb04d

SHA512
dfbe83984491a821201d6c245480e9dc1f7eac8693fbab9a6b6e6177bb69464aadc5552098946a26212375b3bed08d8eee2ae92d1339391fb87a1c97919c1dd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
255de2771966e018a3eda4358a1494fd

SHA1
8961078e84ab434f3436a9117ba6ee3bf822af13

SHA256
1d38aaa9f1451d45bca0fd96daca2f68b5031754ca23ae14ce1d9d6104a6c45a

SHA512
36d14f0c3ad155fe0da788e25fb09f315a93e0a99538f924d00daee4d8212f0dab72ae6399c475ef622dea47b14188fd826a077100281f838171c5dee5448d67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
28b3b7baadd93a4477652ef2a3ac6d77

SHA1
6a479124fb7cfabdf69b76950384638886a1d57c

SHA256
2205237f13d4be9cce3e5c08a528dff425ab168864391360d4cff445776697ca

SHA512
c9e953c67214b645714e644048aece19a3deb0f1676d7cc2577f51a71f4d4db4c66bb72bcebf84f344c4942f0f7a008ec630f1245ab26889fb9fbd230210ac20

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c79c787c8a75ffd7f0ab1dfb888249c8

SHA1
2105aa161f21f4ec6d5abd972d0b9fd49b37407a

SHA256
4f6c40d1fb4191be7a5a4ff976fa1d17003375576ae4849bab176791ea5c5f99

SHA512
0edaa523e56c50ef0e582aee9e3faded324eaee4d44a50189da4acc28318ba355f0d4ab8575d3526644210a632d8307df845243f279baa7dc52d555177999351

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
b41eaf75f759188af4b8242359195afd

SHA1
f30f18fdbe694145987fb7ca517c9f8c46d4378b

SHA256
ff8e5e7b90c61605aab3444abc0c179d948e0a8ce83a6deec3d045c3ac728ba8

SHA512
4f3cf137fe73340b62dd0d6973d8f590b795dde9d8f75d834244f6ab89aaddeceda6b9aef1fcdc939ea43796888ea1c447456910763c6dc4db523dc4972b1561

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0f4295b58f8d695637fc445a4246e8cc

SHA1
bbba3f3bc816d2c4c8a88427352fdf6ae03f02f4

SHA256
ccd011a498804394b294ed906f6906640579a0906d72f5b99104a6419ccc6bcd

SHA512
405b58ddcdc1a29e56e5f7990df38288ef723e831ffcb35540eb02589b4403288500e6ea0f77ced4d59aaddcc84b00b66f6f8f77795768c405b3d0b8e8dd22a4

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
183KB

MD5
6a01f4cb70f7bf7af36dc6c1d6fc18a7

SHA1
bacffe880cfc15d39109f796391e262a680b3f1a

SHA256
9d1d5b811c4d5e45fc436f3e9d32774b6adbc2723a6393baa3cd84f1b24cf426

SHA512
74fa550ee17a5f26a6b52602c3059a9d131f1bd99fb00e160d6e1793d597b077e6acfb5580cb81e187675a24f66def1fd0b5c04bd4db74902c4b2235d616fdd9

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-768304381-2824894965-3840216961-1000\desktop.ini.exe

Filesize
184KB

MD5
6614921d93d13760a1d5e71c969f3c9e

SHA1
f224a293373342e30f5340fd0a2dc37b01b31f00

SHA256
12259c5f9b313f7ef2fe77cb63b75f968a836200e72b8132b02a14c71d36bf4d

SHA512
8bc813b84663fcc89ba27b76fd5ffafc73ea35e4c2ec0febb6a47add73e6bc8e52ac606a75935c2de634d35da62f6200854991642b58691c83c6e28e73694965

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
184KB

MD5
3b85f3acf2f180907172ef7619b86404

SHA1
a552fb20c05a44f3e01c32a1b6cee6e987c1634b

SHA256
1c382b2800f2d57ebb19bffae03b8ed679838a22520a212c19f051a84a75e977

SHA512
a7fb01bed6c5fa65868ec1e1ba6d2d5df8e6e71d727947ec45fc97c8d22a8a1aebcfef1cef15f03f5851b1b0be62da700a90645736602d5adf778628aa081906

Download Submit
memory/672-11760-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/672-11750-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/672-11842-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/672-3572-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/672-11820-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/672-11812-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/672-11778-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/672-0-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/672-11832-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/672-11770-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/672-11860-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/672-11792-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/672-9028-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/672-11802-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/672-11852-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2956-3583-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2956-11813-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2956-11751-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2956-11821-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2956-11761-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2956-11779-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2956-11853-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2956-11803-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2956-11793-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2956-9033-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2956-11863-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2956-11771-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2956-5-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/2956-11833-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2956-11843-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads