108add0ebd32c694d4cccadac85aa0c19b70c36eb6c69a4002b9c3d4a5c208cf

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 01:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

54a2421684a8654ea923b803200ff0ab.exe
Size

292KB
MD5

54a2421684a8654ea923b803200ff0ab
SHA1

ca0aea6f09f91328ba44d68ac351babecb6f2686
SHA256

108add0ebd32c694d4cccadac85aa0c19b70c36eb6c69a4002b9c3d4a5c208cf
SHA512

19f6f6b9470f366029213aed261108efdaf030721d9f3a9e2d176ef8f93d9ddad663b4f36c35fb6043b1e9ac2b11102db04ff09ffd83789797a9c80ddb96f6e7
SSDEEP

6144:LiMmXRH6pXfSb0ceR/VFAHh1kgcs0HW1kyApHhP+gDzvR7:5MMpXKb0hNGh1kG0HWnALb7

Score

10^/10

aspackv2 persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	54a2421684a8654ea923b803200ff0ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (5582) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000800000002325a-4.dat	aspack_v212_v242
behavioral2/files/0x000100000000002c-15.dat	aspack_v212_v242
behavioral2/files/0x0006000000023271-33.dat	aspack_v212_v242
behavioral2/files/0x000100000000002a-45.dat	aspack_v212_v242

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	54a2421684a8654ea923b803200ff0ab.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	54a2421684a8654ea923b803200ff0ab.exe

Executes dropped EXE 1 IoCs

pid	Process
5072	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\B:	54a2421684a8654ea923b803200ff0ab.exe
File opened (read-only)	\??\L:	54a2421684a8654ea923b803200ff0ab.exe
File opened (read-only)	\??\O:	54a2421684a8654ea923b803200ff0ab.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\R:	54a2421684a8654ea923b803200ff0ab.exe
File opened (read-only)	\??\X:	54a2421684a8654ea923b803200ff0ab.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\N:	54a2421684a8654ea923b803200ff0ab.exe
File opened (read-only)	\??\P:	54a2421684a8654ea923b803200ff0ab.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\E:	54a2421684a8654ea923b803200ff0ab.exe
File opened (read-only)	\??\K:	54a2421684a8654ea923b803200ff0ab.exe
File opened (read-only)	\??\M:	54a2421684a8654ea923b803200ff0ab.exe
File opened (read-only)	\??\S:	54a2421684a8654ea923b803200ff0ab.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\A:	54a2421684a8654ea923b803200ff0ab.exe
File opened (read-only)	\??\I:	54a2421684a8654ea923b803200ff0ab.exe
File opened (read-only)	\??\Q:	54a2421684a8654ea923b803200ff0ab.exe
File opened (read-only)	\??\T:	54a2421684a8654ea923b803200ff0ab.exe
File opened (read-only)	\??\G:	54a2421684a8654ea923b803200ff0ab.exe
File opened (read-only)	\??\V:	54a2421684a8654ea923b803200ff0ab.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\J:	54a2421684a8654ea923b803200ff0ab.exe
File opened (read-only)	\??\Z:	54a2421684a8654ea923b803200ff0ab.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\H:	54a2421684a8654ea923b803200ff0ab.exe
File opened (read-only)	\??\U:	54a2421684a8654ea923b803200ff0ab.exe
File opened (read-only)	\??\W:	54a2421684a8654ea923b803200ff0ab.exe
File opened (read-only)	\??\Y:	54a2421684a8654ea923b803200ff0ab.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	54a2421684a8654ea923b803200ff0ab.exe
File opened for modification	C:\AUTORUN.INF	54a2421684a8654ea923b803200ff0ab.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\UIAutomationTypes.resources.dll.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\UIAutomationProvider.resources.dll.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\npdeployJava1.dll.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l2-1-0.dll.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL121.XML.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\OriginReport.Dotx.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-crt-heap-l1-1-0.dll.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\UIAutomationProvider.resources.dll.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-pl.xrm-ms.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+NewSQLServerConnection.odc.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-stdio-l1-1-0.dll.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\FM20.CHM.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\hprof.dll.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\WPFEXTENSIONS.DLL.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GFX.DLL.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-1-0.dll.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.NameResolution.dll.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\UIAutomationClient.resources.dll.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-ul-oob.xrm-ms.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPack2019Eula.txt.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.png.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-180.png.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\msipc.dll.mui.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN022.XML.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Transactions.Local.dll.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\xalan.md.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\CONCRETE.ELM.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\THMBNAIL.PNG.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.WebHeaderCollection.dll.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\Microsoft.WindowsDesktop.App.runtimeconfig.json.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul.xrm-ms.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONLNTCOMLIB.DLL.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso40UIwin32client.dll.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\7-Zip\7z.exe.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentlogon.xml.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8ES.LEX.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\WATER.ELM.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationFramework.Classic.dll.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\System.Windows.Forms.Design.resources.dll.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\WindowsFormsIntegration.resources.dll.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-phn.xrm-ms.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-ms.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-file-l1-2-0.dll.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Diagnostics.Process.dll.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul.xrm-ms.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ppd.xrm-ms.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl.dll.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\WindowsFormsIntegration.dll.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Retrospect.thmx.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-pl.xrm-ms.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.dll.exe	54a2421684a8654ea923b803200ff0ab.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.exe	54a2421684a8654ea923b803200ff0ab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 5072	2984	54a2421684a8654ea923b803200ff0ab.exe	85
PID 2984 wrote to memory of 5072	2984	54a2421684a8654ea923b803200ff0ab.exe	85
PID 2984 wrote to memory of 5072	2984	54a2421684a8654ea923b803200ff0ab.exe	85

C:\Users\Admin\AppData\Local\Temp\54a2421684a8654ea923b803200ff0ab.exe
"C:\Users\Admin\AppData\Local\Temp\54a2421684a8654ea923b803200ff0ab.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3803511929-1339359695-2191195476-1000\desktop.ini.exe

Filesize
293KB

MD5
fd01fbc6eb9f1182bafdfd2cf9053855

SHA1
b98b312937b77bdedf18ef6fb7e7e5a4a407d8f1

SHA256
4c1104ccf07dd51ef57f219041107c883c026b9b748b4b53500a5dc251d26ed0

SHA512
84fa1539311e8a4893c6310a47e3101d757aaa005d0936a600b18e7186a584bbfe6ad3e070c7d1ecf4ef978d64cca67d143d43aa424b9020f831b0c7643df397

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
93c8fb07d1c9a1061305da9954a38f36

SHA1
d45ffbb5d3e4a35498b0072a147a3bf20e0ae114

SHA256
1b667dddf7f6039fe02cd8c4e7d738467c96a80c7c5848df70a8e09ffe6afd74

SHA512
cf56a57d9e7c4f69a18a879f0623b5f143a4604cd692e2088efa67c6c771380acfcc22db453cae9e3161f4da82d00a6115bdde31c9ae51d5ecd71ded5e057565

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
01957c7444a26f76fed6682a1b0d8e29

SHA1
ae2bb9fca324d2b1d4857ba939087beacfe041ca

SHA256
b11f0edfb1ded3eaa6c73bb1be881d1959a87f900d1bf9f98f5af39384404e96

SHA512
4f4ae94e1c86e9518deddb9182fc1cc52ba189474e0f0da8ff53e2ced3789fadc5be91da3ec4f19bb8abbc7a5cf4ab718b7c5b4dc14c045930a98aee64688771

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
790913bbc188c887f802d9417c5fdc67

SHA1
94aeccf06a505968694aad7602edafd15c493b78

SHA256
8dfa3df3a10223a26d9c950e4b5232f6dbf0ab615e65f9a2c5afbf20df667d36

SHA512
dbcb68e7ac4b36695314f9450baf1296a299cb6fdaa636b195f9c007f33722b235567dcfcdd39d5552062e66522d226aa4c823e9bba8afa84712c2837005a85d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
32eebc31afb39c11748c7a3d3988cc3f

SHA1
216fe4c60c542bf48fa7d650dc468bc40a211da7

SHA256
63fb3bc5888fd47448c314fba15c4f3335da59cead8f316807b78a5679912972

SHA512
9950fb5e7f6455fda1ba019e23917b9841cdaf561eca2a29b859a898498b8fbc3ee97e9eee41e8383fd8799521203c5a286835620829818b94c4d036da156763

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3f847a917bca68d5c5ea537b5c74d915

SHA1
d8ab4aad9d73344aae156a6a733a17b36807c2d0

SHA256
82050e5edf45aa9660f7e57273287637a0c15556b873aa9908ba8ef0c0edf6c1

SHA512
2f06d344626b32ecb019c04f797f88086c0881d923868265d88eeeafe3c593ec6b943be82a8177fa7bd6c25a85594765fa5d65435abd0605b088f1988f7d67af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
255e9374dc26a2c5adcfe826ace097c9

SHA1
8a3dca01508fcebd115e00b282acdc6941867642

SHA256
ce678cd2c08346d3a9f6314e6e4c089995268f9f7fe1759351fdae70bdd719f9

SHA512
41c30f15369e6154b76a7cc0275e78a859820f2d5e9fd65da61fb5dbd6ffdecfaa0e516ede4cbe888d06626d0d85bf287e9d56863376cde47d97057d78a9969a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0ac273659c565eacb988cebf83c4bf97

SHA1
244c938d41461956ab3cba9b6944779fe6b92965

SHA256
75eab9c0ce8dfef31dc07d00cb84071e78883f4adcab5beb4b6ea606c6952885

SHA512
9dc7c58978c14290623720434a9078192cfcb4723d997f4f0095d05090e7240375d8f2a5366fbb4c0278ea343847c2428bb5f2092c2a1e5c85d51cb8df0ad19a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
6b59d6c0cf17f034b3fb5e4ae6293e6c

SHA1
15aaae251976f900c4d4b8001750ae2a4a55dedc

SHA256
c07c20e08c884a5e321795004ac0284d2d8fc6c6333f624952184de7c05ebcd7

SHA512
436a30cf99b7d00602fdc1519ee981bfe077a764036e934f0533765d25f40126793dea353fd6644c505eb10599ed82490bff8b0744a10c591192e60240bcc158

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
20ee0b3d86498ac99b79193ef70c265f

SHA1
80758a9b563fcd9152b7acd0bc35dbd86e3f96a1

SHA256
d2bb6f08db64c2162c21f3c83424f1740effc9b86a5499c1e8f4644ea3447297

SHA512
f13689c68ea06ecee7e85aaa8089f964eb4de5a9d369a8746a699dc9deec33fcdf8ac4ddeff8f535e04b8c732d4d8c19b69ea1a782b74e265f19df7f77456dca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
95bd84809c8912566930aece48b636fe

SHA1
2256af3c5a45e870ae34473cc3cc36423314c0e4

SHA256
93544de76e862f7a97a72c6d45b1ba3ab797402bb7c44cc93b0241d8c398dcf2

SHA512
58e5cbefe620d43d9c2cebc7785b595e9cdfb80536ff1c95f6a2dcdf2afec7d5618ea783607578ab0aa8be1a6bb5e662d4bb658393646825ea3973dd294f0b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2b672d484f113409808cdca407dd7d6f

SHA1
9ce1ac18ec314cb7628d3862f4b18299ec941388

SHA256
8551b08bb756890edf00f6a79530209106b04285a9dda48f5b7da4516f20ac86

SHA512
345bac6a069ab1c9376888b823463e98daa3c075d611f41f496a2a3a3cbc6c5de382c00e732080dc1abea95effa92320c173d6187609b29a41404aeb3c78e7b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
b28907d52412d5d2359a9b15d54c225e

SHA1
09e07d2118dcae2e88ec2cffee27bdb0cd478ba9

SHA256
e0506f2d90c2855b267b17157fc99effe3dce9068613f7380a40d5387b5fd103

SHA512
61f9003b0c1efd335333d52045bb8e6adf70253486be39f35d134247e3024e8434a94505325a586cd02a9689a3f56c53aaa1508ec41d47b054972fe8af51b23e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
f888c348df92977e7a97e62c63445060

SHA1
054af9d8e331c560600ad0deb5e6eca0f9fd33f8

SHA256
72a8033952cb4cedb428573a2aed4d35cbd6f354b280d40a331615d6a4a38655

SHA512
36cd2fc16d80efc86911011e14ecd7cb701e78e113303cedbc986030ff03bc656c97ac3c3ae984cfd8085654b4e1a03934fbe3cdd7b1cda94a1e4ee74e0b7c48

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3dd601addd87fffe17722ea1acbe8c2a

SHA1
519a2a10ed6c9974f3f4f1e8dd50fe52a6da6d72

SHA256
1109410501ad3a502da290ebd1290e7f5e6ef58359b44940378733f923af8382

SHA512
18d19f1de9f5dcd25ed329e19b6dc731e935502503a9ca7e99dd60df4a330013b50af36e50147c894b95aae22612856187754417f25793ff6f27458fa1027d94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
dbf053f9693d64cfa7d6f1690075e9f5

SHA1
57153c1353400a31dfb128043b081fb873a25041

SHA256
9235fa0d3cfc1d7878ea6de8585371d06feb569578dba84ca46b92916101bb38

SHA512
4ccd25bdcf903c70353f1ca2d90de06d88e93839a31d477c5adb9ef6c304e019d45bb019ddc85f06ebc8deb10787f892ae291d8073cecda9477a9119c5c36c46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
495f352d0705d4a40c48f02914fcda83

SHA1
3dd576a89c8ea946dd4d010c28f601f50408a96a

SHA256
106effd0701c1ac82ac2e717f52f6fa2edd04713a2c9863bbba1ab52a35c48c2

SHA512
2bb46be86f714ff6bee9b1747bad98373e8b1ecb215d80fa044472768464e5a7adc4ec7742a92dd973cb1eb1ef20e8e316217657ee9e93927a896cd1bd9b2e26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
f1be4a30621dc8bc0efdcb374cf10905

SHA1
9c63c7c3efcd7705b0f1e07b5c6b77b2269e58d3

SHA256
2f0680de7c895068ecea3274bea376254950e8a2703aa20c25a773e47e472830

SHA512
9d799690f34137651d8930d7fa7ed5385de492b908c7456471dc226a432a7bdbde53e3553ff8e87bdd6393fab628acacb0e328ec94b6319d71f28722843413de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
aa63a99bdc59d230f75ed2f8975f1ce0

SHA1
d72537c0b6fd81f5ab6224cea507376d497caa4f

SHA256
c7bebfc41b1c40f44595e687fba241a8c5a9254501c18aa918d819363d3077d7

SHA512
0351ddd76b74d571d9784a5cbed63a81703cc9e180a39a8568da36004f537a948d4226852ae04785e17f80f0bb963c70402bffcb176b7596b0baf95580cfe958

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
301d314a6c59d7f297b7bc78a743e3a7

SHA1
2f238a4e6e8ddf1486ece7115c4c7e4071ee3ca1

SHA256
0bd34c53d694ee08ad4914a92956aa5c900debe9b7374f66d86386c2a7a357d2

SHA512
93879fb29e60cdf4ec90a8f1620891c70f0bb1baa5b90dc78251dec9984101a33977dc191eca65129978a6fab4ba0f5895175234d0fb132f82b35ab4a8252c6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4d85f3e4f6e54cd2762e43c98afe4343

SHA1
aa2a0f25bd46048235d572377c8f432d3485cda7

SHA256
2a110ac2f0ca4634140c35918ad7393645523d04f8ce88b6978a395110234797

SHA512
545dc5ddf58875ea595f66174d2144fd23cc68e854f080805dd7c251d5593f82a607a49c5294d0a23b89b9ac139df041b0215e7623a5fde4e8cf09f0a84cf994

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3f4a7bc4f5074648c57c64defca1ad0e

SHA1
400b6af1f23a1588447fbd1bd8aa462c0387bd69

SHA256
3bf68d44b9dd79f6c2b3714b4d754be0a5fa94d07f2dc6a07e5d8fb0bce47cf0

SHA512
7a0cbb9fd55e5d02766a5919fc565b765bcb15bd5b6293a6b9f8b8a2c278f40ced2e4c34e64777a76f76b898c4e6c73e60dba43dc85da686a429fa5fd7d2e887

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
9dabde1d06e6987416b42c2a56bee5dc

SHA1
2a7a2d8e5e799beb5b025c3b116062e07da54ba6

SHA256
de8f671e94ab8b6ac4a1c8e4174fda55c154c3b6df716b3b5be8efd566b31ff8

SHA512
607362b741dc1179531a8d2a17aa815e4ad6d7712db0dd3a50f2d1935b1dbbdd9e33386c2d5874a494fd4a34b8bc0aa63092fce646ba3be490ddb4aa280bf598

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
22b93fd4050b1e6d494f0c8670069c87

SHA1
d3386cc3fe415e91ba0c99262b803582d55de49e

SHA256
d320c0681250bf47280eb41c0a284b31e169d222820726f4a0bb2f051e296cc7

SHA512
f7310de19c1b99990a2301ed7a5da4dfb744d33b5f5e6b200e43a4045ddeaaf5f6c7b13d89324bbbf8ab420ad8b3db1358aaa9ddb2cd26964dc75c55bd0f9668

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f4216f016d61d5a361da23f7e6988b44

SHA1
ae40b63e0ed62b0fbd7610afc501eb88d73363ae

SHA256
5b9769934b1f3319bafa35ec0658595acaaa62eddcddea506890b14ba73f94ef

SHA512
e313ff9d04098aa44645c5a86823a81f73933017158799cf205683284bd080b47fead29e6db97b9cfc1ab43b7a46a0cfbaaad875c6a8d1d532c263ab008527e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
86d76a0ce1f5066883b10e6413d4d266

SHA1
ed6e0dd5c372637a2adbd4bfe07735d9364461d2

SHA256
93168135f78818b123d67c0977c8ac0c3bb1810bae71b4812a3626ebb892a5b1

SHA512
198a51cbbd04ce35db05e7396d64b75aa0d1929a54a195261dfa79ea7c25a6eaccc397947c5714da2a846ea5ef93c470b33fb7e5910c5b94ef83307d3cae9c6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f7c895e1bb56aae9447ced8eadf563d6

SHA1
1e5ea710c872e18f84cddb68f20eea1cd27f8e24

SHA256
ede3d3941c3038f8d05b47cee362dd1f7509792035e907af1dc1c2e2f6d2f9b9

SHA512
7fc967b4b01adea6e6bc20b4c1a4314dea28abd379e7419876e329b6898f41089705cc6568e148f22d940b8d541477279fc3ef81b15053f9e7bbef2a43f447f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
fe4df276bc2d3649127dd5a82a631b82

SHA1
d291481daf8b014d73e1f230a528cd8454263887

SHA256
cb2603550e16a848c331168d35b820081f3b872645f2da75dbda601eecb3161a

SHA512
51fc53c619cbe173d2c45c1348cd8b8bcff34d53748ec47a4fdcf46e04840e3279df5116b254610fb5c730f3300f8a8d1beac18fa00682e170c3984ae5119934

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9b200e97ff90ea86d8bf915287bbed23

SHA1
2d769311c79277ece985ca60d485e59d1acb16a5

SHA256
eb764ca5f5fc8c8cf5a3560801da9c3eae71c2d04433c1e02dda4a5645e405e3

SHA512
7a3f322cc6e9976ddc0f75918758a81a24d8ee9f10b4d853ff35f55eacbd778912b2089ee2fd3c5dd55114b08a75c14964ad3d5c46a80333959d0a297b5b0219

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
567d3318a0bbc341f6e7bf0ed8936c33

SHA1
3cde810efc2a81d7958d11a5e9fe86ca1c258109

SHA256
9da7026bca85d9a9b1356ce02b5771d0a3b6a6c360dc70e9697726d2e34a9210

SHA512
e595b027759a841ccfaeec891dd346f4cbae9e02e7b5855381330a1005171c5c25fc3283a0051762dcba07fe2a7a4df434c2f99ea2b30cb6f63988b701bf979c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
6699b341648872ee72776a8b5b4e97b9

SHA1
1b33d6b5792ee91f4f7b4d1563b6546022475299

SHA256
19bd960c3af13c160664eefded9542245b6e2b80141931f633b0905568336ee2

SHA512
4cd0a7ddad968d25c649500a5e80fc1823aea2d06ba0008e38f28657863cca174bc2d3dd9cf9d1858e97be7891059ca9174680336c16b57a578a65ce50eda904

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
59a521a0d54fe2dfd35daae057cc7fc4

SHA1
1d2325768dfcd59bae73f6ef085e28753d77f866

SHA256
bc7a463cbb6b0c429d31331202e7960ee3d006ae5628c5da3ead3ee3ca4dbb39

SHA512
7c7e6533351131ac03ece62f61200be93831f082d55876486e447cda240c5e94230941cc2901122ed5eeadcda086e6b04e3166a6d9078620ece1c2e60e3b1141

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
290KB

MD5
a19195bf4edc5139859d26792fdac06f

SHA1
64fa5ef40ff54fb07e88654a5e0f6e817fd04df0

SHA256
60c3e8d7f3c7afcd378524784b61f28c9611c02df14a4101f1a4c8d0265f3412

SHA512
e78e2b3d327081b47b90852c143f344ec9a0f738b5c9e7690f7a37b850aaa5c633c22ef2798f9fda86c9c70a4213611630ebbf2c29ac3f21e282c2f4273e4495

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3803511929-1339359695-2191195476-1000\desktop.ini.exe

Filesize
293KB

MD5
ce0e1a7c6d4ae84af75007378b5c53db

SHA1
f865b971b5ebc4a23872e3b20c2fdb92464bb1e5

SHA256
765ae88612cdeceec6b13d2a2a618a9ea3e631b640f33300987105bf649e4828

SHA512
1aed78c94d400098899baf6b72af49787955d9e45678f1f8aded1d7bb9c4c646d123ff44f679744087c0f227da2b50bc38f822fcbb018e8fe0e5bb45b19fdb73

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
292KB

MD5
54a2421684a8654ea923b803200ff0ab

SHA1
ca0aea6f09f91328ba44d68ac351babecb6f2686

SHA256
108add0ebd32c694d4cccadac85aa0c19b70c36eb6c69a4002b9c3d4a5c208cf

SHA512
19f6f6b9470f366029213aed261108efdaf030721d9f3a9e2d176ef8f93d9ddad663b4f36c35fb6043b1e9ac2b11102db04ff09ffd83789797a9c80ddb96f6e7

Download Submit
memory/2984-0-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/2984-8346-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/5072-5-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads