2d1724d6781e82c23ad2d7682c829096a0506c9ee3b39c1fcc3aab4bcae025e1

Analysis

max time kernel
188s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f6ddbf90cc4d040fa3fea7845629191.exe
Size

1.1MB
MD5

4f6ddbf90cc4d040fa3fea7845629191
SHA1

ef1ce2fe1672e478c5f43a0cac858312564e10b0
SHA256

2d1724d6781e82c23ad2d7682c829096a0506c9ee3b39c1fcc3aab4bcae025e1
SHA512

be2607da25d0402ecb57129c5d9e0968689f4790e837a7de8d13efca5ce6fd67cf6e7850b44694ad26ea506f4041161f5f2008e6076b25b9a0034bd7e07fd0cd
SSDEEP

12288:Pp4pNfz3ymJnJ8QCFkxCaQTOl2KVQh9LGu77k:xEtl9mRda1EhhGSo

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	4f6ddbf90cc4d040fa3fea7845629191.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (227) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	4f6ddbf90cc4d040fa3fea7845629191.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	4f6ddbf90cc4d040fa3fea7845629191.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
4680	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	4f6ddbf90cc4d040fa3fea7845629191.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\B:	4f6ddbf90cc4d040fa3fea7845629191.exe
File opened (read-only)	\??\M:	4f6ddbf90cc4d040fa3fea7845629191.exe
File opened (read-only)	\??\T:	4f6ddbf90cc4d040fa3fea7845629191.exe
File opened (read-only)	\??\X:	4f6ddbf90cc4d040fa3fea7845629191.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\V:	4f6ddbf90cc4d040fa3fea7845629191.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\I:	4f6ddbf90cc4d040fa3fea7845629191.exe
File opened (read-only)	\??\K:	4f6ddbf90cc4d040fa3fea7845629191.exe
File opened (read-only)	\??\O:	4f6ddbf90cc4d040fa3fea7845629191.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\A:	4f6ddbf90cc4d040fa3fea7845629191.exe
File opened (read-only)	\??\G:	4f6ddbf90cc4d040fa3fea7845629191.exe
File opened (read-only)	\??\H:	4f6ddbf90cc4d040fa3fea7845629191.exe
File opened (read-only)	\??\Z:	4f6ddbf90cc4d040fa3fea7845629191.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\E:	4f6ddbf90cc4d040fa3fea7845629191.exe
File opened (read-only)	\??\J:	4f6ddbf90cc4d040fa3fea7845629191.exe
File opened (read-only)	\??\W:	4f6ddbf90cc4d040fa3fea7845629191.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\P:	4f6ddbf90cc4d040fa3fea7845629191.exe
File opened (read-only)	\??\Q:	4f6ddbf90cc4d040fa3fea7845629191.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\L:	4f6ddbf90cc4d040fa3fea7845629191.exe
File opened (read-only)	\??\N:	4f6ddbf90cc4d040fa3fea7845629191.exe
File opened (read-only)	\??\R:	4f6ddbf90cc4d040fa3fea7845629191.exe
File opened (read-only)	\??\S:	4f6ddbf90cc4d040fa3fea7845629191.exe
File opened (read-only)	\??\Y:	4f6ddbf90cc4d040fa3fea7845629191.exe
File opened (read-only)	\??\U:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	4f6ddbf90cc4d040fa3fea7845629191.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	4f6ddbf90cc4d040fa3fea7845629191.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\az.txt.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipTsf.dll.mui.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InputPersonalization.exe.mui.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\7-Zip\Lang\tk.txt.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\7-Zip\Lang\hi.txt.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\7-Zip\Lang\sq.txt.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.exe	4f6ddbf90cc4d040fa3fea7845629191.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.exe	4f6ddbf90cc4d040fa3fea7845629191.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 4680	840	4f6ddbf90cc4d040fa3fea7845629191.exe	91
PID 840 wrote to memory of 4680	840	4f6ddbf90cc4d040fa3fea7845629191.exe	91
PID 840 wrote to memory of 4680	840	4f6ddbf90cc4d040fa3fea7845629191.exe	91

C:\Users\Admin\AppData\Local\Temp\4f6ddbf90cc4d040fa3fea7845629191.exe
"C:\Users\Admin\AppData\Local\Temp\4f6ddbf90cc4d040fa3fea7845629191.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-635608581-3370340891-292606865-1000\desktop.ini.exe

Filesize
662KB

MD5
3210d75ef5948aeb191146405c0c27a5

SHA1
e046f26da3658b461e3cdcb9e6cb15e4488b1f6c

SHA256
618c7799aaeb4380c35a26735183c0ad3f300bcc200cf139197fc7ae6eb42ebb

SHA512
6fd67cfe1856776c84713ff985b50f36851f0d45f4cc1dbf3c78abaf31fa44e3a0f283dceebba0d41c078c4011435e7e61ebfd0ebb201989b4868ca8d27fbdab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5a8fa669e94e00608dc84cc80de678e1

SHA1
a1b6176f1f05b49fcac069d8ef6389e038e65984

SHA256
6370752479194faf53e01f9a8a6c4023c62f61c5c6379a49414193bdf27abd6e

SHA512
24abeaa1165546f4d9d95b0cda4faa5453740e6ad8700e2383306ca3149be01994f3b4e74e77396085479227ad925ca77ad227a27e112df7a39328250e095fe1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
410acb6755fc4afe10703b50248c9c71

SHA1
483d5927a9d1d365d1834809630179f1b0745f3d

SHA256
acbc827cdc33dc9c74f2f32c54ee3b1e12c30417df3b5ec5067eb9e3044d1d90

SHA512
59fc9cc8574ec4ea8f58b62f208877faa9d65b8a4d000e7aa299ebb283285175723e106142a8183e18047733ddb908810af389f2f242c827590741fe04a48c11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
7c8181f6b496734d7841face8cb76c96

SHA1
3fa8b55f2b3168dff4677ea819db08bfa4c7a1b7

SHA256
54f596a44f1986d49a2c4e0536822d6c243afe816f528b1c7b466a48360f2162

SHA512
3fea3d8b13bca47ac42df9fe2ec84a5b61ebbeba4a19f6c1dfc7861e6c3b5d41043ff917b8cec562c83f8d67367c3d33e694681fef907111af980eb97ac4a50a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3c03658ae41ab981af1ac12278b9c82c

SHA1
1cf465df11d1d4f6f44e7489e0bb5f4a8920a255

SHA256
14526dff142d170f25b2c9a1b504d088081f2088bb28ad1a2ec07a07fa5f6138

SHA512
57229bbd1edb47aeac05c5a778a2089bc895f8f9549231c63d81964d0b402e62d0ca7e150354174331fa5c60e220b83f528a081e005136770b6704f4464deb43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
aa38c754f505ed7c1df82221c9595de5

SHA1
6c40c611e68b1813a0b9f0db7d5d7980a523b16a

SHA256
b38cfcd36b49903cf0b813d084ebf654ee0ce3e593ebd1c34917d9e2f34272d8

SHA512
cec3de4027f4f75603e8c43e4553add5871c05cbc968dbbde22e9bb5ddf55b8eb1dbbdbad2a6a267973b46d45a2f3221d2191c58091941be66f748619d53a560

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0927f4cd192a80595a5e883b0428d812

SHA1
18963677fcb6d738815deb29dd4539ceedf3c6b8

SHA256
e05a2a8d0d8ae10b9f9c499bada263793e6b1c791c85f75dd8284c0e53ee5bbb

SHA512
9afff3f36777f54df3d18a0a3f776de174620ec308e641873b8aa9773732cb537106208b36d0555bd6d97af18038a0bfcb32bae2ca3d14f48410ee07a11049d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
c201882342c12a832a21a2ff341012ed

SHA1
c6ad66eaeceb7f5c50d14d7bd51501e913491a8a

SHA256
baba75e3a4d57a266593b54072afb6fd27339e2ca57d5019ec9974defe45c888

SHA512
16168171604afa825ea3ce940a70fe3d0a25388e1aa0d8e7f3e8e3a4485bda18d8c4047bbacf8bf9ecaa6bbd531f9119efbc9395fd2b2a4b9c7774ec41a7c85a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
67bf9ff4c6fe1cc2b4b2a99d2f6dd1bf

SHA1
b2c4ed7c7478d1eed49197e690ee5b2afff6b1c7

SHA256
058c039c895473b68394a4486266086f4c4b4663bf0504916ec4ea6760e52c47

SHA512
d4032f267121c1cd309e2c9e9968aaef29e05b1a2a198151bc890928a622ed3804d8684661c42519c585a6e17ccb10ab5f8ef237668903363adae4c56d157f74

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
92a4c9a21f9e63722d781acc28341e03

SHA1
0a4bb5b1518c1ff70458550b52d8f71f2f6baa7d

SHA256
45cbc4a8bf8e1b16773777d7e6870005ed877ecc2f84bbc1335ade9e7677ed91

SHA512
787773a3a0f9a69e476dd06b6e9dea19a010575610c9848311794db66dc1fcf4eb4f5edcbeb201b04e187a0b6a2c7a091cba2a2cd97be64aaa4762c91de08542

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
7d24931b887c205efb00f4af5bcede6a

SHA1
c115dee99e7f6822820d36f927e4d4400dad50d1

SHA256
82d86ac6afa35546967663b33dcc9668f4920f20bfa9e9dabb9c8acdd73651a9

SHA512
4e75d694fbab6ede33bc199a723011c635de31d2871ff016e5d5039fc0ce8804a637180af9b70ef4feca80246df0be581b118de7ef3b1f879fcd861e0eea9ad8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
483f4aa2299f5d0952daab57d9f6aaa8

SHA1
b137a40736e3dc1fb8a73a59f2c8f35bed048d23

SHA256
7ef945c5cbaf30e281f4213d33f0c13d94123c35f3a4e89193dfbcd38c4b69ca

SHA512
1d69360dc391274ab71f597cf2f2d22faed456b8f259b70adea35f30afe234d2f1b656862df8cdc6a3a68ad5fc25dfddcbdba2d9b443a727cdddc6915478d461

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
702a66cfd9e6f2371ca5624680283814

SHA1
70bb439dac304c1f9709f65ab70362eed35b8fd0

SHA256
a2697685f59f07c47e1ead6af8ca51a6fa7087b8b589c84a9f0149854e11b3f0

SHA512
cd1c124eede41186a99e94dd9e7beb41d2cf59f2286e901dbc85d6a2ae69daf4344f7d46f7e20850634f513778933f72a34e0653b539bdddc9b832a3c495829a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ca9b85d0a39caa0023592cef647a0f0f

SHA1
6e960a7e0be5206ae615dab4c74b514db1d3dd08

SHA256
f36ff9f6c5c5380dc5213700a910ebcd17115f7e0149adfa6b11e4113671c55c

SHA512
56019b05243650a367e32f26063adf4e351b9980b571d33c0b55a8f9030c74da95ecbf3a2901b0aa41fffabc8f6056e75748555dccadf7530d4188136ddcce49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
4980eef4cba33be4373d82df60ccd0e5

SHA1
ddf1745e6af033e5f7cabc7c326b981aaca7d482

SHA256
a87c73508a7e4080e5a7202d82eebe41c232f68ca7df24792010608523db6405

SHA512
652d362d87a420092f17bdc087b52a50190674fd53170324de29406d08f8cd44d11c1bd9de2162bae96631a8be03aa51637f6d95ae2ad60d6f8fe041d58f08cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0b26e463e812aeb34eea9572887aa16a

SHA1
6825648e6dde765a7b15f9993433e54c9dc2807c

SHA256
a18c27c7d5de464e08188be0f99dd99e8072fc292dd510cf34028cd721f0fb93

SHA512
bae5a4d2f97117251c8929b9285d815305b40925af94234800a8a1289c36151dc99ca4269de65c6903874a9f7d0d2e2e1aeb0428034419928011bf43a1a009ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b3c460f949dfeaa08c234601d6de78ce

SHA1
8c6791b4909740b5889c42ce375c6d0350cc4d92

SHA256
6c5d7b838d7a7801910723dfb256194e8052239dac0e21434797b65a139562da

SHA512
48a57579aeb108a3a1833c23dd19ffce9bd80a80f35dddc0a404842da0b24f80d2b2ce716eaae96b1f41cfb960840391cfaced805821c3a55618dacef7980a45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4c6689daf16821be9ff248958ec23c81

SHA1
511efdd5778415cbff9bd5bb997853a5595fef8a

SHA256
f9d66a047ad70eaf7faa1c5306694742e96a115b5929c4167196379dddfd2547

SHA512
27593864fdb3448ff6933bb1fe3ff25492e16a95fdb3043963e007925b1deb570a3f708ac2146d8801dad8a3a1c66dd56efca92dc2f94eb310b0969e950a998e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c13951c734a2475a1b8360ae297aabeb

SHA1
f4106e1d79155bd3e2e4ffb9afd7f58ac1e8cbaa

SHA256
44ab95dc157672cfb62574fda2a9d53b01ff55487db4b43ab0c34925eb4c4e2b

SHA512
0b2ad1439bdde111b80559ce16bce5ffd0d1ff268f50a3a375129579ee82f8914f2ad2dae23370268eefa5d843390deac5531aaf8f48aac29a626a6361ae2882

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
0bac38e718471fa4a31815fed00bae18

SHA1
09afa53a6cb5edabc7934d347d8b4e367813612b

SHA256
e7ce70fe68536d328dc651ec27783f349bccccef8960ae87a7c00f3e7ba40f2a

SHA512
f764cdcf20530cace8776419cccf0ef94ede994a630abea1070dce612ef0c12a097d6ff2cf5a44ba5d5e1160a21753633b728237f6f6a69672f0fd1e4c31c87a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
ca46e8d461d9abc8c191b7fedc0b4d00

SHA1
961f5f106c36da6396a6eed8dc01782d10eb6757

SHA256
346d3198dee6e603b86b7a15c4427aff89eae5da26e1f0693ba565c71889f2fb

SHA512
811180e49b211ae8ce92f3a76727c52211e0853c09836e4569ba58bc91dc8949924b875357bfe72549556b2c121e8953a057a9f8a51bccf76728dbbf658acf3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a3ce4022e2018af7f708231ea2728bbb

SHA1
c30fad65bfb6d615329105eca76c2c1067de20c1

SHA256
8efbf34cb286010ef7cce06e6ba21d45c4ab125d4cc3513078e2cfdca41bdbf9

SHA512
ed33101dbb714a052ec7c6f137bd0da161c0783a4c98ee2daac3447a9d79e396808b87146fd29a548380f5dec92c09f84f72bd5a1f206f4c59a34b6da308f214

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
4c774bc1fe5f5e44461f62e341095444

SHA1
e9481dec192ec167d3d8d510cc6cbb423d97c88e

SHA256
d9aacebadbaf7357f9af5072cdcc1a8172fb56ac3edeba78e35662fc815a3ab1

SHA512
a91d008bf7a155b7ad11af3f92357b1b406a8dfe22a9517d11c1edbfaa19069a9a32d5fdd5feec2b2251bbd7de539434729e1b30795b3e26986031aba9726d02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
21d06e3c7202bfd69b6208f2ae28a136

SHA1
cc144af07235aeaa8e24426e915d947953785962

SHA256
b1485c2f009cac2cf0d43141139e55165d64df729bbf92419a5c22bcf8c4cae9

SHA512
c9b0258e8e9c4140c464a444b1fca1f059f80db317a15887fa65a59b2064e5d491e1109d4e0ee78ea609c5fd035f1f63e5a84302a2fe771df03a983ee170888d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a5b62027b9cfad307869596ff58992f6

SHA1
acc84f94bb7b3d10004510ad6f71d0e6712ef57b

SHA256
37aa4ac86fcfd177a9434fd81406195f4e11a8eebbb4ca835fb9d81943a72f88

SHA512
f24d0cf9bd82155b5ac0c5fab693ab68d9980815f8ea1c085813ed993d97fed0b4d434d92b7277f9290e36f6adcf0734563920e8c3755372e15dd0e5f03cd6d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d081b963fabddfb2abbd60a562e67957

SHA1
82eb923d51ea8ce691f213ee3300a1d539c05321

SHA256
ea45e2ef60ca624f941b29cd3c4db2897143af663e33b9e6fd165914be93bcaf

SHA512
51ecfb3d7686537b38c369b83137c10307a9467711d2d6b897ef5c3d59d5ed9123241d9d20572b9e25d4d31a8ff5800958a84cfd22fd1e058cf26cedde8cd00a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
f6f98b2e6376c364b6468db3ee23c34f

SHA1
609dbc194e28e602f48b600ecf0b2a3b2d210c19

SHA256
b984352324493fa39447500cf4845e376226ec28fef830d919e85efb01bf85cc

SHA512
7d1b34d046b92eb626888fbc0c2fb86a429bafd8ebbabf9d528f7c09d0890ebbdf7c7f7fbe1bb713acf43a24deb9267fe34b1a8ba5869737a92f16b55e8ba73f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
50b934e8c8bf50411abfabdc76ab6c86

SHA1
ad81916f58c9341f1f6ad33ee21ee313fab63a42

SHA256
d750d6e5e4a2942d3752da245a10cec7405800237ab46803bd506db12545b926

SHA512
3db2763fb156e0e4051a971d9b40c5c2c21f125078c4572644625bfbd948d9505488e836927b6706b625a48b2caacc014a90e52b2657bcebe68635104be096a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
496f34bab760dbc509dc99348334c860

SHA1
4bde2d60b017ba8a684ab4f0d9bb855532734025

SHA256
1dc987d34a8482e193b59b9737f239c1851e2c55da31044e27866d88822d9298

SHA512
e2608725fff125edeb76d658ff782ca6d2b6502336f0cd4470d7050d4e96c063143c12ceb42f277223c6c3c525bf8ad1f1c1f0f4eb68b92c4f683c755007898f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
75f3acffa255b26748112dc253f72e6c

SHA1
ef6873f2984fce2a32eea5aff832697963fb12d3

SHA256
bccdc74bc47cb8d5898528668fe340e856e14c26278aff236afb87241d6d07f1

SHA512
e17bfb8b427fffdb3b10372ab37f83de6c28f3c2a5c529fd6cbac7115cee3ba87d1ef60c31990fdcba48afb3e22aa7162c0ada3e8ad12ccfd9122cd0814c0c9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
19f007e48d575dd87549ad6be5f49598

SHA1
ccc6a34e96f19bc965e9819959f0259a74b92439

SHA256
141960288a64ab8eff4f3036e35dff26e665caf20e5cf58b5c00571591be395e

SHA512
60a466679fb1b232a31167b041650dbdc0421224c340ac3e9f353c15dbc81c8900ef702dd2e9d43588a6988586fcc17cd94a2d8c5b2edb5ba2179961856f5a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
4d85c6724f166102147d459b832d8d93

SHA1
026f68d5e96ac2f7f48cc351e77ddad1a9e82b09

SHA256
d5be198fc8dd30d855b0c454001929f8616c7af6802ac4df8bb5b030faa363c2

SHA512
0491df47a30918967e42cee2c464337d6f0e17eb6baed017f8b57a2fc1693e527a84864ebc9484cfe73074d5635402a1e6231020dea3dd77846123a1f0f50d6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
48e981cb4c0e021cf442cbc7c59bea96

SHA1
f51c478a7023a1359ef43a465eb08272d380a4b3

SHA256
186b9fea10925e1174785992d67e7cee3b54aa473abce7afe6f540fdcff89a2e

SHA512
c89ad354ffb9f5a835258700ca9a400a5352ab892206703afa3fffcefa1336317da2f4709ae7481c0997e864216fa91f2cbdd695b26d98a0d18cceee970855ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
758c20126d6fa090690593f42ffa270d

SHA1
ea86b4de329adf6bf52245e097a8f0a2efc82cbd

SHA256
337ed7ae17acaffe34da850ac60cb938bf76b1e65707112cc28c43fc130e4087

SHA512
10091b48c20d8ee2ae8652c946ebfa8c2c772590d576ea96641d4de5f112a2869706adc10fa48304169d0668580972e3897c556f660b82c6167c99de83ffca5d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
08b2c948c76c121dc52205bdbfcf2c8c

SHA1
70b39979bddbb5cd95599b7272c91df9257c0f6e

SHA256
98da2abb374d9eca3567297475968187c7831884bd7bbc07470ef81c5ba4c20a

SHA512
74c7654098e9f4948252e17cfd7c7bb689bfed71dfc75f6d3488c6fa6e1563867dcddc8eeec0651f3b6bec15e8340b02c3460dcf445195945e60ffebe8ab9a82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
485e6da8fcdfb030b63aa6d03ba9d154

SHA1
530c2d3c0339736820cdb539ea5bd5a72a836660

SHA256
7c7387f0467a2c8379805d7218ca0286e28b263a02d5f3684515680c7736c608

SHA512
4c86cd10c126e1fcb8ede360321b4ab0024189d6f7964fb5ecf3805a0fd03a404f05449ebdd563f76356bd2c400c0be71507acc3876e4799f39c157c4642b0e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
334d7ab84fede0f4e8b3e5953fea015c

SHA1
17230c6d410d15a828e5fe3ab0e4718eeaeb1169

SHA256
c369ee666bb2cbe57d80b5694ffb7cc410acce2616613c9435d8a099b237f14b

SHA512
677ee3908ff9b417f9d41b26417866da8b5ac070a049d02f6268198271eb09c6f1003c5606aec0ce581180016d2b0ff4459ded0fb0846da1293c0d43a325b632

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
ad297191f221f4cd396a3e1ffe2698ea

SHA1
3c8b444e8a7ce4e1a7772bbdc4b33e678a3e0a9d

SHA256
a5847e797894339592cebc51d9780157057b3c63f3bc94dccefb683c20a130e8

SHA512
a1876139a170047c2c0853176844df22c79f324f4cbe799f2ce6b1e5e55651ceeffb344c2b32277d71fb535f300acc277947fa7c70e9909d1c370a40b96cfcce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
1ff063c258e43ff61da8a20952878553

SHA1
48f73577c01e9ddfeee2c2025f4ef2cd89ade708

SHA256
552b22c6836dc729a4b2dcd3d3b4fcb481766e38dc7610bc6da101c827f87610

SHA512
7013f857db505cf64d1afe0bb46dfba084b416842476aad41e9494dcfef37948d1dece17ac1ae67a8d6c07e2093c0333ee64f85a22948bd998ac18671237ab50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
16e9de2a0fbcc2a04d79de64c3496581

SHA1
fdd340972c8d3ee9d4b99f00042408829285e2e8

SHA256
8b6c73c98605205f39064cd5a6a913e585cedf4434915d532d1711343580b6a3

SHA512
7ac0789091410e1bbaece2c11b7251122eccc1a2f80036fa17db3887eb20f0f4bc36e15ddb15d1611029909861bb90f60da7bbb5b02238b109a0e54de1287222

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
7dbfd560ff8927586b3805861d0c2dbe

SHA1
04c5257babb02944a4cd58a89949274573bbf0d1

SHA256
ea4a3c3fd0aa0e49a9559b6cf5423bf38ccb3a911c2b1fd987c97457b3429eb5

SHA512
82a89be65b00a3c84ee59603e98e0f73d9eb08ef8fccac07cd057247b9e8aaea38930edfa2ae029ba97d5a3707441b177b0c9d3f3e34ed9499319252729badc2

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
975KB

MD5
44d9bd2a7c63d0dc4c969cb4a3047708

SHA1
1b8ccff95f18e20d1317b4cb31c02179ae4088b1

SHA256
52a08bfac0b03432c0b81a002468adaccd6ca6feb4fd1fc8713ca8d33dc1c47e

SHA512
98661ea28b9bd9418e7db23afddcbeddc0cab91e0454b4e8707bbd7060dbd29f949578578d1f1d749b572cf29611eb5585913d3d7d1349310e40516a646d24e4

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-635608581-3370340891-292606865-1000\desktop.ini.exe

Filesize
1.1MB

MD5
7d72bf2d1788bbe5f88d99086342d281

SHA1
eb6ad44ea5b461baaa5b1f413353b637f72c5353

SHA256
0ce3ce122d2715a22b3553b4c97dd210eb05c1f21c47752c44dc43e4032bc05a

SHA512
d536cac2aac7938adcecf1e33929a2941d909748003e23cf94292a0128287db117adcb336305fe303c4cc3f1d8a9c25105460419e7cb2a45cb3201e623d7fea1

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
1.1MB

MD5
4f6ddbf90cc4d040fa3fea7845629191

SHA1
ef1ce2fe1672e478c5f43a0cac858312564e10b0

SHA256
2d1724d6781e82c23ad2d7682c829096a0506c9ee3b39c1fcc3aab4bcae025e1

SHA512
be2607da25d0402ecb57129c5d9e0968689f4790e837a7de8d13efca5ce6fd67cf6e7850b44694ad26ea506f4041161f5f2008e6076b25b9a0034bd7e07fd0cd

Download Submit
memory/840-481-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/840-0-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/4680-5-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads