bcfb667a2c45940ad4674f23e10f3fcf5af3708ff78b64d180cf6d8e1f512ef2

Analysis

max time kernel
5s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36ee0e6caffac0e32220a3f949a8caba.exe
Size

921KB
MD5

36ee0e6caffac0e32220a3f949a8caba
SHA1

5947cd25fe9fad2e94d67ed0a4bc2e08914b9ae0
SHA256

bcfb667a2c45940ad4674f23e10f3fcf5af3708ff78b64d180cf6d8e1f512ef2
SHA512

b7c763b6fe82eef18d408d16c9bb03c488929b6756ab97682f980eec684fabcb821fb75cd5dba253764185c1b7bfd02c969b900f86ab60cf8dc1d73582af69f3
SSDEEP

6144:LiMmXRH6pXfSb0ceR/VFAHh1kgcs0HW1kyApHhP+gDzvRGDWd4oTqW+lowK42euE:5MMpXKb0hNGh1kG0HWnALbp4os31BKDY

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	36ee0e6caffac0e32220a3f949a8caba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000300000001f45f-4.dat	aspack_v212_v242
behavioral2/files/0x000300000001f45f-3.dat	aspack_v212_v242
behavioral2/files/0x000b00000002312c-33.dat	aspack_v212_v242
behavioral2/files/0x000100000000002a-47.dat	aspack_v212_v242
behavioral2/files/0x000100000000002c-15.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
692	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	36ee0e6caffac0e32220a3f949a8caba.exe
File opened (read-only)	\??\E:	36ee0e6caffac0e32220a3f949a8caba.exe
File opened (read-only)	\??\N:	36ee0e6caffac0e32220a3f949a8caba.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\G:	36ee0e6caffac0e32220a3f949a8caba.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\H:	36ee0e6caffac0e32220a3f949a8caba.exe
File opened (read-only)	\??\U:	36ee0e6caffac0e32220a3f949a8caba.exe
File opened (read-only)	\??\X:	36ee0e6caffac0e32220a3f949a8caba.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\R:	36ee0e6caffac0e32220a3f949a8caba.exe
File opened (read-only)	\??\Y:	36ee0e6caffac0e32220a3f949a8caba.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\I:	36ee0e6caffac0e32220a3f949a8caba.exe
File opened (read-only)	\??\K:	36ee0e6caffac0e32220a3f949a8caba.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\Q:	36ee0e6caffac0e32220a3f949a8caba.exe
File opened (read-only)	\??\S:	36ee0e6caffac0e32220a3f949a8caba.exe
File opened (read-only)	\??\Z:	36ee0e6caffac0e32220a3f949a8caba.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\B:	36ee0e6caffac0e32220a3f949a8caba.exe
File opened (read-only)	\??\J:	36ee0e6caffac0e32220a3f949a8caba.exe
File opened (read-only)	\??\M:	36ee0e6caffac0e32220a3f949a8caba.exe
File opened (read-only)	\??\O:	36ee0e6caffac0e32220a3f949a8caba.exe
File opened (read-only)	\??\T:	36ee0e6caffac0e32220a3f949a8caba.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\L:	36ee0e6caffac0e32220a3f949a8caba.exe
File opened (read-only)	\??\P:	36ee0e6caffac0e32220a3f949a8caba.exe
File opened (read-only)	\??\V:	36ee0e6caffac0e32220a3f949a8caba.exe
File opened (read-only)	\??\W:	36ee0e6caffac0e32220a3f949a8caba.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	36ee0e6caffac0e32220a3f949a8caba.exe
File opened for modification	C:\AUTORUN.INF	36ee0e6caffac0e32220a3f949a8caba.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	36ee0e6caffac0e32220a3f949a8caba.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\an.txt.exe	36ee0e6caffac0e32220a3f949a8caba.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.exe	36ee0e6caffac0e32220a3f949a8caba.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.exe	36ee0e6caffac0e32220a3f949a8caba.exe
File created	C:\Program Files\7-Zip\7-zip.chm.exe	36ee0e6caffac0e32220a3f949a8caba.exe
File created	C:\Program Files\7-Zip\7z.dll.exe	36ee0e6caffac0e32220a3f949a8caba.exe
File created	C:\Program Files\7-Zip\descript.ion.exe	36ee0e6caffac0e32220a3f949a8caba.exe
File created	C:\Program Files\7-Zip\History.txt.exe	36ee0e6caffac0e32220a3f949a8caba.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.exe	36ee0e6caffac0e32220a3f949a8caba.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.exe	36ee0e6caffac0e32220a3f949a8caba.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.exe	36ee0e6caffac0e32220a3f949a8caba.exe
File created	C:\Program Files\7-Zip\7-zip.dll.exe	36ee0e6caffac0e32220a3f949a8caba.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.exe	36ee0e6caffac0e32220a3f949a8caba.exe
File created	C:\Program Files\7-Zip\7z.exe.exe	36ee0e6caffac0e32220a3f949a8caba.exe
File created	C:\Program Files\7-Zip\7z.sfx.exe	36ee0e6caffac0e32220a3f949a8caba.exe
File created	C:\Program Files\7-Zip\7zFM.exe.exe	36ee0e6caffac0e32220a3f949a8caba.exe
File created	C:\Program Files\7-Zip\7zG.exe.exe	36ee0e6caffac0e32220a3f949a8caba.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.exe	36ee0e6caffac0e32220a3f949a8caba.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.exe	36ee0e6caffac0e32220a3f949a8caba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 692	4968	36ee0e6caffac0e32220a3f949a8caba.exe	17
PID 4968 wrote to memory of 692	4968	36ee0e6caffac0e32220a3f949a8caba.exe	17
PID 4968 wrote to memory of 692	4968	36ee0e6caffac0e32220a3f949a8caba.exe	17

C:\Users\Admin\AppData\Local\Temp\36ee0e6caffac0e32220a3f949a8caba.exe
"C:\Users\Admin\AppData\Local\Temp\36ee0e6caffac0e32220a3f949a8caba.exe"
1⤵
- Modifies WinLogon for persistence
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1232405761-1209240240-3206092754-1000\desktop.ini.exe

Filesize
56KB

MD5
0d9823f0ed10c62acb7909090d562478

SHA1
2ece0afd5a937b8f5eb49de4a89071490431539e

SHA256
200987aecbe50acebab60912e6188098fe908a71a70b514868697af42ff27fb8

SHA512
b2fd85d899dafd8b0e0ba8ce789cc5592043839bf10f1fefcf85cf9263fd311980d60cb5705847cea5c7d9120752db6ad0c01098d373ad67f890d46fd719fe31

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
81d76c237f540879965875833cc86b36

SHA1
56fa6bb4da3594d947d3d2abcb7ac6ddee2850b0

SHA256
e4afa3af8581a78a07cca96038a3f8bdebb5fae84e92e92b109cb409ed645339

SHA512
62886fb372a4efdf90baa4c2ecd6095c14c5c5f5e78d1b0fbea7a3a3e8d8f49e069e1985bae89c4bfdb2d8b50cc1f729dd97f1c2fcd66302d96d115449ef3f6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
9d4b72ebf4dabedea4be648636ba1c0e

SHA1
26bcbb46d54e9350aaff36ff4e8bd336c6494562

SHA256
bd737cb50a96d8c10dec261faf7b64dc15d67c9c270742572312be5854b0f94b

SHA512
662566630280a8dd55ac58ed1be5f5b18f01f5f22a966a4f04ef8300145d3c95c4012de087bffe99abb37891581937b8b9e9570416bff55f2189bbb363d17dd8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
41fb63b437639443877c5d5912bd6f26

SHA1
273c6e11a896f5fd6b47f372d2485bbf593c504f

SHA256
b3e690fb3e02a597c4ae1ce7c8398f1e71ae264a42f3833c2dafbc0c9c35b9e6

SHA512
6e0c5d6a54676940897e0028df2d31e9009f24cd630d53e2bfcf05323b749a324347d92121c5d0e0fb9dcc551b72fba785991f4b11610826d4a7f9e77d9f4f38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
5903436137d76f6fcfc6e21db7d7a97f

SHA1
c565dbcb73d9391680670b6e6318db87265ae351

SHA256
ea31cb628bceb6f64882408481fd4620415215e6751b47e8652ae8b6b9df5407

SHA512
9a4cf0f956c109fee60b38f9c0170329c2ee87012e7a075f49f186fdbcc8e091deea90ab0dd5a3b186386e4401184f2dcd99d48be4e3c2845562059a79d22821

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a2bcb0010777132f5758da57aa1db05b

SHA1
c2b3e8a3e0835fe61fd63220e811a0c29da74fc2

SHA256
a1d28a52008913a236bc8e154a6caea954a119eec8bf4432eef9b3f7b67f45f2

SHA512
e70e6752f940c278b44f9c85087dadb50e88080d23e32986a057fe2f902e967905f4459fee8e15c4f2b74214c82f4709dc2034fe115eec86644547272eb6b8a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
1dad836eef63719ec6bfd78933e246a2

SHA1
877205cb4db9341cbae4df098bd634d315c2a6d7

SHA256
eb24b3c175fdb7d8ead65d635b6e037dae40f66d92cfc91099c69e328cfb1047

SHA512
1f2fd0369929b89151c41316c0e9d41b501dc37100f27c734773d85e15b2ed7843264f4262e9a2087f5c3947ae4b8be00fe44275b9e686b14da413516f2f52ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8b6e576ff1e7376b941c8ba7f07e979c

SHA1
ebab4c2c3d67308b49da516ae604c4364b40e505

SHA256
380710b00725aa9a0e5f8e02b1840cbd5e03d160a2cf70c88277f0b4fa972923

SHA512
bcde23baef924ab6ed37e2eeb24fce2dfbe087f590e8d7f503815410fab56d234cbf1424e3318675049a5c5f3d6315a25cd2d268a1aad7281ed65e07090ea6c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
abedf14b4242327b1af7f6ed78473f8c

SHA1
fee5fa90d8069a15006328c992dc61ae7e0b0685

SHA256
2c3cf6f6d5285521c406918388e80cdc3094a7a076cd6472b88dc2c0aa635cd0

SHA512
c29ba820eadb1dd9734910f130acaefac347963f3aed5559255f5e16dc3c4719572d1d468cfabd9f0704ea9cf7da97f71dba12b2f9e41b9606e5c6fbde406137

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
dcd31b2795be439b564e55e896cf18c8

SHA1
bb9e53e771125dc74987f9abc5eadd4f32b85661

SHA256
0f8ca627968aaf62370df9bb45d07771cd6033476d0d333da65481d4b9c8c7b3

SHA512
1677fc44d47e3fef707e422d3f7ffe5372eb83dd2ecdaac1977177bd07a2c7544f60b5df71f25ec5711ff7ca375988ff2a514d723ffbac2edea754ddac3c84a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
267ba7f0f14e01eb5e3af842f4a8ddd0

SHA1
dc4bfe3bd6734d370cc5367aa187d23d8c2f8a84

SHA256
24049ab107eae45187a433570ef80db36dfb655a22e12f3b54517a54f2567369

SHA512
597dc81028b65f4b383a620351a13c0701c6b3a3052f24042caf3711c6ec441f373d5ffc0d40858dcff4ed21cdcfec521587dfe7146a0838c52beeee965f738c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
dc13cce7a062a35e97ce918144dad384

SHA1
265ef2fd25daffd4e31826ee5929d3d2c003a28e

SHA256
4460719e462bde69a3518b01a7ef5ff8a1df909c6e23779f86d330daca0d9e78

SHA512
b7bb5159ce91f75d83301d9988a73725218339b6cc82b2e74c98559b03cced96be7e2e1af814ca7e4d819fa84a9017389f2b7cc9f1b5d6658591a47a5c04eb27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
70e66ebb59695a014a7a9764afdfccd7

SHA1
27c56ac730aa104157b83593dea24fb9cf97671f

SHA256
356f9d4c35db9cc8866e08f1be007020227cc520bd3bc0617f9119069fe96c67

SHA512
92acd5371c56edc9a20557b6dc0b329330ed1f6c330194033269dc398b27729d13a7d2b758f889764e1535d40b20dd5393f604946d3cf424d3736d704b89ed1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
a15f647135a46e60cc113d62f63eb001

SHA1
5cf4f977f7a5a2f9ba366b0e7676d04cf9139880

SHA256
4dcc2f036d91734418338daeb65b88d0d4b01f0b79d543f6ed343745be8d3d5d

SHA512
44c6140983dc33e7369ec6eb0117820c9c0d5b47b3d547664635c08e89a43dc9d0548c185b4b4265ccd10510907b8951182652e7149b37301e70d22c542d7ffb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
037cd4b1487c1c4cda1c4d0969235ca7

SHA1
c13c0fbbcad5fae7cc05b6b7e8c0d320a1377658

SHA256
a2b6b29fecf7b1f6fbfa0afa942adfddda57bc3aae5d5adbdf540075e9ec4eb6

SHA512
3875a2da0c596f0fd448c0fcd492842aff5ef6c30fc831024a8dc348ac09d2bee2da79bd4e14dff14a3f7abca7c4d9c34154bca60477ec0b62b1ba475b449f32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
304b1b65a72044e504fc2a5db1c151f1

SHA1
ef3dd6b7f89a67f73acce16624ab2d7bd21c978c

SHA256
f9170be7c8cca884944b07ea2b52ba7532bf452df5e7c97b88245a3b9f82b29e

SHA512
14bff84c32b480526305aef3280dcff5e34cd1c9700cb3e650c302b21b40d39d6e5658b58cd23f54bc9d7a346e0de73bf5f21b0676ed5666ab23173f76e400d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1f8c167aeb11b86681f8d3aacceac0ff

SHA1
032725cc6d656275f3ffab6f6e0433fda7850c33

SHA256
aa2991ebafe54e86d4389bd0ba0e73ddfd6fac0fefc910ea1c3e82dad4330959

SHA512
0a64be04b5f30aa39d17037066a4b46c3191e5596b39796c8c3011c671da1098d1ad363eefdca33fc5b83a9c3445d20ab17c67d3619e34407708d5ec5b7ebabf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
4f35d7ca3f6a3191faf2963ae1d83be5

SHA1
2c1a18a91b5048e58a833cb6cdef246c4e2510a9

SHA256
9250842d31f1acb8f8a6898877facba3cf88f7af93efe44139d59a4707b1bfd6

SHA512
b41fd2cb68937928bbf3ce1b19ef6da065da37ba8283f0a250f31985532d84898b9ebf7ea8c0b833785cc58da351aa92dd134af5a0bd3fec8662d33549b2f216

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c79dacaeb3d215787d0758b9a2626f3d

SHA1
5eef0d204f02fcb227baf89425bea980df2b138b

SHA256
ffcb3bd100a363555d086db77b3fada12ae6b11587bb89c263c0066b19abf7a4

SHA512
7e682c64834e52fa3f928a194846c1fa8006a756702b4d5d535d1c354c0fbaf8809f8d1f5dfbe66d2dbfc04982e6889964fdefb779705f066d7b317ac4be9638

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
1ec2507fd2206732db7cce30416cad23

SHA1
11fd5432f45cb0b29fd415e99468e08f3e30c7db

SHA256
ba513fb28ee7f1a9a4cbe60b3bc203e91dd16dd631c20460640924feb58d79d4

SHA512
51ed54a933938c608da7d4e708b97c3ef97fc6223e05b35a18e312033a36802d696bab9ed5ccbd3fd5966a4ff88ed660fe4aa5b79dcc428ab1c9f2a20ff1a4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
76a7164853a2d58889dabd07e5ac0bc9

SHA1
0f238f4d76ef15700406e083f6ab1fd34fb5e12b

SHA256
eb252f62474a99178f9ad5c30c6e4d097c83899b289ed6f5176fba77815ae518

SHA512
a9a996a0062cd9a9dfebaf8b37fc7378feff8374f52b0b68bd1d0cd0af5148fa0832068fd26b5add08a0c580ad0cee26451ec0a8ab21b5847f4f201debfef6a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
256a58a1a29b72a2db91c804a02c84c9

SHA1
124c4b5643628094703c23d8ff3ac077fc03d0a8

SHA256
96214f87b2194796e895865539e8c2359f19ae7c783ca98ac300760aea555612

SHA512
93a2aab299a31e90f3610d16abbff548c0a9ad1837e8c8cb9ae54a4489158a2b19afa47ed2f71075696d1164ac0cb81a68a8f11596b55b35de8766c771b9f785

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
c579e870d36f520d05133bf9948eb17f

SHA1
a195608a7ce285afebc034ca20cb97b9e456fa5d

SHA256
8102d1579eea3428f43ca13fc9039e81ab0817b687e5377b893a3cbf8ce1f196

SHA512
5f6b89c1d0d2ca7980d0a76c62541958b9d0fbae4c828ce293fd0b0a035c6669480aebfcd1a4f2dc83466ed3f1202b84aae87f5289d7491e608bdf94d4f5377d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a905206a8874c11d4cc120d49ba277a6

SHA1
cd22c72085230f438eaa1a6ac27017854105f922

SHA256
af4920a49256d75e962c3f16dc26541aa050b9a8ceb291476922973b16aed974

SHA512
1adea3f39d67d9bc19e42011a8c28a2f70734a43c48380fdee5d147e4a5aaec5ac0d01573d5859f786f93984d9691c01f6a711e1e7a92cba0577f136365e723b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
d5bb577c8bbd9069ef90d738297eaeaa

SHA1
3aba503793a02525b68f4bd906ccbfaa85cc7cf8

SHA256
3425c27509b6cb8d1981d8dfd871fd415f521c7f345c96d6862c12c2576e17d9

SHA512
6e411f03090446ac3c815368a06cc604c205928aef88832e86c129b02a0c55b756ee26492c1331475ae106ebc18968bef3e591916b2d18d92e33c60d8323d2e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
c132322c7892d0b7787c9ffe5f886f2a

SHA1
3058fe9397bdcc5b3f2ddc85cebcd74bba593d61

SHA256
6ccacd040b6a8df02b981604b698852f8fae7e18fc4414d6426368661c207443

SHA512
985b27800db63e423e10a3b7ef5836e17ddfcbd645e4bef29c7303e3c7701dbede5e8aa6b0e5794bfc1812e64e65121bdf10497bcbb6925e20bfd6e2d88c5231

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
ba5c0e8cfe36831b186111f25c0ce902

SHA1
07ca9b9652860ca30c52a6808eddef3f49fe4213

SHA256
5a41037ff4656ef2d46764f03095389a1d365ce87a71085c5ea7bc20d66d4b51

SHA512
b7508add2f8c8dd9639d768a29d58917df39cd01087066159455ca022b219a7ebb7dad7d7f6db54d1febedbbb280b1b58e99d1ea002b93157d56800e4f38537a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
117b9df762583672372fc23a7bfd68e5

SHA1
1d4ef3f32a879cf48c4c8a69287e7c56c12b055a

SHA256
54937deb35fd9d46c576deb864d01effac36a68a12b1e347c50b2a2beef1970d

SHA512
c78d00da3d051d9a46eea9119861f6f7eaacb1421cd122753838e482560d13b3b0f2f5ac2b95badbe4923712a431e342fd298b3aaee4d91a5c7fac1fca1578c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
3b7f3bd90071939bca869f504868059e

SHA1
307ebf08bc02fa542582fbefd313535e8ee243ef

SHA256
6c59467736c24566b6f7dd02b2411a580656ac222a31ac301d1d853d2fbaf3e7

SHA512
05fcb74fd7da9c463015fbdb72af614b73bb5835e50d5dd9bec42c6c23f5adf302edc54744b310d5fab752f560106acd105958ae843df96b1626ce299c8ef938

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
bd4d289488e559198baf6942a9f233c7

SHA1
479085c4ce3fa20c25cc232e46c1aabbc57d2240

SHA256
af81b3680458f59e4eb7c4208bf81dee327088336ee5dec5e42d0a0c9b17f772

SHA512
c45a92bd0c67e5dae609c3531f1befc035ed1fc2243a7e8025d782f31f1c859fc44ee1f0b4afc6814d07587043665fb93cceaafb57b39388a65e80bce157619a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
0a7d323bfcb41d50d661490ad8f5715c

SHA1
6d29f65a161e8097d4bec241583a1bcb313ffb07

SHA256
d9980aed6380cfa4a42e49ccd6bdfce6cf1276f78e9d446a3b656c51de0d2411

SHA512
dafbf679019d5dee40ddebe60754195fcd469f3d427f2c8176e38fbe9b6d29e1eedbf098a97550143e8576bb4d59f16cce48ce03040a3ff100303ad2b528555e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2697b212da01b6a35de6268971d3566f

SHA1
be971af164ec86fc1dccdbeef4e31d28c73aad42

SHA256
8d9a6ba68ee73f35441ed19f5c9156ce92c04010c95d943026d56561729d0be6

SHA512
495f41a0fc8f9de0963516d6acbf1231450c27f5899ae9fe96dde171e82134045dd0550b724b92537f8d55ad29ffe48eb66d259003d35f66f36aa0b650e3cb1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
b2ce0aef62b192340e43de877cbcfdc3

SHA1
141a33787a17e68fb3b09c4f8eddd3ffa82f7b2f

SHA256
ad245c4889bc6f83c5bf37fc8ea10d6d458ee4b1916c4740e3b602e84d024228

SHA512
0bad467388d41f42dd6dec4195aaf6fe08a7a0f431c8e51a037be029ec6f772199a98c336f555f09d02be74d4e1b0a9f03925492116aed03a86b5fba07c629f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
14266729e551883a90854c4945d9dbb7

SHA1
fa71f1185a533d4655fca3172f6568214f3a0a9d

SHA256
371372d94759920fb508f3c6bd838fe19c0c80ba8c116e7a74e22c2bcf6f4720

SHA512
211f0f51300cb2de27e674155ef3dc6ea33cb4ea7a1b357aa2d4356d8ef8379b1fb6775be5a712006a5d8f1b9d99a30d321a04b6733abc95d5fdc443f6a12d8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
761fa9da3d24251242f92d6514869ddb

SHA1
948936110be88656c463b45a33bac4f464306802

SHA256
d5a418396d196cc0c2f8deefb1181799b3c125daf4e611124c80c0b70559869e

SHA512
a44b1069473841101bbd72c16890c9713f891c685adc665b202027387657baa381e10830651942fcbdf62c8da7911ed14dfd56caffcbc8b28716cab735ef8822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b3bbe2b22741ff49fdd6cb64c78b26bd

SHA1
538ada1f63a2c64bd12f02944d85aab87a6cf115

SHA256
2285920a312125cac42d2d093dabc5a3f23fac8ca23e9e31d2e9d80d665ab485

SHA512
a5612ea4259f2df5dd44d0a6bf28fdb1ac3b1d5d74a71a7dfa29e729d5333c4a4f1f8bf38613792226d9ab7926ed2718f9e793e2522291b4785ed2996e6d5427

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
33c6d650209ac1ab8e52bee575798a03

SHA1
37cf86e9802f109946888beecc3a60cd9fca8f67

SHA256
c1e5cb994a610a794e7f2ea632540b9b442429e3d8f568c497b3c311b4e2e008

SHA512
9e1871c986b076e6da1216f63a283572bba7b9ef0ab7bc6a0db40bc3612ea6021f14b6a40d397d94b0aafdaa5ba574ebca169136c055aa41968c220334145303

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a05c08ef3f0eb819f044e55751023e70

SHA1
e970d69a1de925b8fd610bab259a94d38a8d8a97

SHA256
d0c8f6a34309761ee79550a43eb545d8a0a08c0e5c149118e0070e414928d7fc

SHA512
c1958f18e111f13d08a634a0bdd846b704f92667b23b2110b644d8482cf81c0aa423d466a435c7bdbbe574d85ca34e008840bece27e89931f639415dfea35da4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
2ecf63512b75fcb110e78f4bbbac489d

SHA1
9ece78a61aaba8b379d0a0686376f8413840b22b

SHA256
db04cc124e4ed9bb2eb30582ec19c13ca848dd81de8b45277ec20cf374a98d41

SHA512
239eba468a59c18696cd15a0f777026559e170acf6098988e408e349728a7f98ff136857204bdd63844c107758ed203f12aef419ca6cdbcc22ce07e6fda97978

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7bd7dfa24dc571be41d4e33c34168364

SHA1
72f0e8b1496faee927fcb89c9fe02c1edb19a4c9

SHA256
7649f977ea9d4cc5ccb041b28268cf851ae1ba43c5c7fd7af95fe6cda30bb274

SHA512
7b808eaca7996d8493a8e26bee5a5f8f11895037f57d7107fe24a15ba535ce0f8bf4d6f5186d36c86a37e26819ee7f2f1a59687c8ef4e51d8a044e1f3fb09cab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
e12b29b086b86406e93f20a9fd0f78d5

SHA1
80ce41c016eef47ed3b228276a41d02334dcf42a

SHA256
26e72b0c394ae25508aea5e2848fb65f09cac4ea5109fdbb3d4995542100f41f

SHA512
72e50050e3dd219ec02d83d7818b7bee13724d5410d68c46a901ec256924399883ac8794078368d4a20ac30590c4ec9b6c0961f75b75ad1d12352d452d9ab358

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
9d4abb0f2bcc6ae96b01d6948992f400

SHA1
3f1010bb84c43d97be8510494998ad7c34a3c0b7

SHA256
8f3b39f5d6c7b120734d54e73f71166fac318066c9dff5dc271d40b80e0cb574

SHA512
cd488df2f11fafc11e36b38d2bb180cb6d2bc84387b4c466c8c7e0cdcdbac40c3006f0320b4388d7752788e49c54859bee3f73a196633ae6bc2dcd3c7a9c30c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
087f3af59a858b86d17b247be3a32b63

SHA1
bf300f837aca10f711d0e8caa641be7004bc3cf6

SHA256
4b7b0072b8848fb633abb17329f6007cc93b7127102bbb4ee378ca1edc6bd8f1

SHA512
1b89f01f9155dd3a6ad91219a20cb55f88d2c2877f72d06c0cdb98901597d86ba8f10b9b5c4137579039cc5800937f258ca163ddb954976ca974f0bd11bf2475

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
20bae63b5dc7e7fe2a80a96e748986ea

SHA1
3078c745fa1bb26f710aab00568f009414d1ddc6

SHA256
f7b936bee0ac1b779692e243a9a1747cff35e4a03dac76bd33a623fd1fb7d385

SHA512
3dea87640868781297445bc148020d13aa634629b8efcd1b7db2501a30dba78fe1fc2da1f2b0e17f455a841e199a99a52a9d62595fa0e254f5d51769c480c7dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
9eb9e2b0a6889f33515c5665b4442c80

SHA1
8b8e7e1f5754116705097b70be8ac7a0f92654d4

SHA256
6f7eaa40db8542907e1cbb1382b3bdbf262adf1a4b95d3ff4debaf08f1ec427b

SHA512
ad5fe8dcb079548cdd2af23e14caf7793f6b7d313eb82ce0f87b2fe7b8b271168a40d9031578ab856ce5a33eac91cacda4a1c665c4edd0d9c86b256722d8243a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
198b0eda9f8f291c24d02a96dffc2b32

SHA1
23c4afe7e69dcf9cc568efa51a2bda24cff9f8be

SHA256
f236a8f9dc5cba3e1cb55baf87ab28a7838e8b006dc987ffbb9624f9de3a2d93

SHA512
d234f1a5355e22e3bdd7c2f87da60e5fc2a8b47745c84cdf5e6a80ba6acc8e1050a82f193375a78815020ef1715f63beb8e1f84ab0330738b978d55ebaaabd7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
e33c159d42c21e632774bf0295c53c3f

SHA1
9ebc6c6de75150620285aab86ad9a9248c1bcb41

SHA256
0fbda54e66c42c6744b3eebfbbe2a029c850e5196dc9f95c1e0401d4b375469f

SHA512
3d1bd9d48983dd0ff82f9246f82bce9314e61dffda26e016549c2e808ab39151eb2963ab7c938df1dd48db990ff80edde5ddd2d5b02929c6bb7289e9f8db9828

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
17d1b64a638fc6e343a63e7d52f2ef37

SHA1
735c2560f60b30d6530a6804114ef29d3df52d53

SHA256
b75c73520b649ec56984df5ecab6e8fbd0975dfd0f1022c479632f2b2bd366e6

SHA512
ee78f6e3a4338e91aeb929aaaa0e5359f0822a20ec319468de39e5f2789df62594efb97b81e10c281f7cc16c3de64266961901f4620649f3ccd5e6d4b1084528

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
5a3d456d422230022f50c62a1a154217

SHA1
b32fbedcab3e1c7394b14aa440222f1855451c7a

SHA256
f4bcbd643eed477bed6802541676342a878b096679132bb5dab3f0933cb85b72

SHA512
a1ca0b68c59738336fc989a3a1c2cfc6757e564e4fa7bcd014de30c855f38e6f17094f852bf9c818476796568e6f7cf2adb70a892c00ff87075985fe46d1e02b

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
52KB

MD5
2885ce8a5028783e1d612401f85cdbc8

SHA1
868024b54feccbc1aa44182a35ca7f487f5489f8

SHA256
3c96f814990e26bd41a7520267590c4fd7ee095ddcc5be46a06eed62c29b5abe

SHA512
99717dc77f2e3f8b7d9d635c3eea503e60d70675e7812ad773ff2fe76124e1964bafd7012ccf3f1c92d2045338b5ed6ef4cb70717386c681559e7c2a81e8d8b4

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
10KB

MD5
b5c0f4ff76e3dbbd8cc807f1b5d8bda9

SHA1
7233d633c4459ea95b90f490f987bd753b4c2ea7

SHA256
1c81222a6ca2aff7a33253ce3b62f660e2672ecb58cc7659b9872854acb2d7c9

SHA512
f824291f466a7616c9f9d3f1452210889ca5adef43411f2044744025b71019748d168d3225ca8cde0e709ca892ff3fc9ca529435c026da3a8191a3af6b5de3cb

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1232405761-1209240240-3206092754-1000\desktop.ini.exe

Filesize
80KB

MD5
16df3cfd57365047b4fdb872a941e581

SHA1
dc74826af6b3a8fcb8f02ebbf44af018d6e14e15

SHA256
a8454bdc80a3ac1a3f8f3316915a47c1043cb361072d70ee9e50f7bb69ea5014

SHA512
4e459b3e416dc1c7c9a2353a3406dbcc3084d4969021fac5f11a05156eab0f85d8f5ae65658983049ae260206eb48e7df997e4dbb3698802aa1c3f8cc3792dae

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
115KB

MD5
c25906a866d35472104a51cde2816c24

SHA1
fd8e4feb8824243bfffd3eb90a3e7cbc1a8b0a70

SHA256
35cfef032063670abb72bd9d268c01d120d765697a8623bdcb90068b299fb20b

SHA512
f1276f2e805527a4b6520a0c59d52cb2191f00a6a230247e62a95935a0ad73e998a858e0d5d709e7134c37fa14bb9006b5a7faadd2cfc04adc80901636b07616

Download Submit
memory/692-5-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/4968-0-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/4968-7899-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads