1f0425d4e2cb96585f371fb9a7a5d77be6b9faa70ed87c664e2752a241f52253

Analysis

max time kernel
159s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 22:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7e2949a6ce0175827231ff85f5d4d8ab.exe
Size

859KB
MD5

7e2949a6ce0175827231ff85f5d4d8ab
SHA1

bff783704bb08f72c888bf6bcb81f7b431d59297
SHA256

1f0425d4e2cb96585f371fb9a7a5d77be6b9faa70ed87c664e2752a241f52253
SHA512

a901047bf96233a300c66d3703ce1167a4c8141a11c919cb19853a838da331d7bf7a0ddb921c32e7e516859b379527196931f4c5db7ec375d3ca457fcf135e93
SSDEEP

24576:8Etl9mRda1hSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvZ:PEs1cL

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	7e2949a6ce0175827231ff85f5d4d8ab.exe

Renames multiple (213) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	7e2949a6ce0175827231ff85f5d4d8ab.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	7e2949a6ce0175827231ff85f5d4d8ab.exe

Executes dropped EXE 1 IoCs

pid	Process
4160	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\A:	7e2949a6ce0175827231ff85f5d4d8ab.exe
File opened (read-only)	\??\G:	7e2949a6ce0175827231ff85f5d4d8ab.exe
File opened (read-only)	\??\N:	7e2949a6ce0175827231ff85f5d4d8ab.exe
File opened (read-only)	\??\R:	7e2949a6ce0175827231ff85f5d4d8ab.exe
File opened (read-only)	\??\U:	7e2949a6ce0175827231ff85f5d4d8ab.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\X:	7e2949a6ce0175827231ff85f5d4d8ab.exe
File opened (read-only)	\??\K:	7e2949a6ce0175827231ff85f5d4d8ab.exe
File opened (read-only)	\??\M:	7e2949a6ce0175827231ff85f5d4d8ab.exe
File opened (read-only)	\??\P:	7e2949a6ce0175827231ff85f5d4d8ab.exe
File opened (read-only)	\??\Q:	7e2949a6ce0175827231ff85f5d4d8ab.exe
File opened (read-only)	\??\S:	7e2949a6ce0175827231ff85f5d4d8ab.exe
File opened (read-only)	\??\Y:	7e2949a6ce0175827231ff85f5d4d8ab.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\B:	7e2949a6ce0175827231ff85f5d4d8ab.exe
File opened (read-only)	\??\T:	7e2949a6ce0175827231ff85f5d4d8ab.exe
File opened (read-only)	\??\V:	7e2949a6ce0175827231ff85f5d4d8ab.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\Z:	7e2949a6ce0175827231ff85f5d4d8ab.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\J:	7e2949a6ce0175827231ff85f5d4d8ab.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\L:	7e2949a6ce0175827231ff85f5d4d8ab.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\H:	7e2949a6ce0175827231ff85f5d4d8ab.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\I:	7e2949a6ce0175827231ff85f5d4d8ab.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\E:	7e2949a6ce0175827231ff85f5d4d8ab.exe
File opened (read-only)	\??\O:	7e2949a6ce0175827231ff85f5d4d8ab.exe
File opened (read-only)	\??\W:	7e2949a6ce0175827231ff85f5d4d8ab.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	7e2949a6ce0175827231ff85f5d4d8ab.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	7e2949a6ce0175827231ff85f5d4d8ab.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\descript.ion.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\br.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\en.ttt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\sk.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ms.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\7zFM.exe.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\7z.exe.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 4160	3156	7e2949a6ce0175827231ff85f5d4d8ab.exe	83
PID 3156 wrote to memory of 4160	3156	7e2949a6ce0175827231ff85f5d4d8ab.exe	83
PID 3156 wrote to memory of 4160	3156	7e2949a6ce0175827231ff85f5d4d8ab.exe	83

C:\Users\Admin\AppData\Local\Temp\7e2949a6ce0175827231ff85f5d4d8ab.exe
"C:\Users\Admin\AppData\Local\Temp\7e2949a6ce0175827231ff85f5d4d8ab.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  PID:4160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3073191680-435865314-2862784915-1000\desktop.ini.exe

Filesize
858KB

MD5
19a726a1c3d3e626b9ae28402e5b266e

SHA1
50022349d6939d082148ac907881542d0b34d0e9

SHA256
af7078fb600d510b6ad5b3f8c06c83be73b26b984245dcac26f382d553610c33

SHA512
ceed8b7b3605f945b31a462bbfb05de0c8ba840df4c3e134532e0116395a9918c258a7d257b8ddf529ed4c4cbe2b836f694b4bdb390f04185c715541bcd8565e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9e00afe4d4127c7044af6db6d05195f5

SHA1
de343d37474a690e75b938a02111a6e101e87870

SHA256
33bfa5fea4615b98102f64c378c805bd6715987135f8dab3106c900a7e08491b

SHA512
58fde3ddc5f68c8a9f4b57aea439ffe0daf690ae80417398ff52c9a5d251dda94a09ff9a6763a5354d7a57462a85ed44bd97fe307a73ba8abb1c9d8f916fa333

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
268dfb0da5669bf457bfdbbf2d964e24

SHA1
cb9a2dcc728465ad8f5cccceb4b64b5fb33d8151

SHA256
95e37b48ac8f3344706143341c0b6cf04e05ad35af37c0680d888d635b212351

SHA512
191a1cdd04b53b76dcb9c80a2d6189f667b66675eda0032dc459cb152b7a107ca7d10f5a7828d49eab0485feabb468d74bdf8dd55004295beef3741377be5781

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5a1560e406955be1505774eb7fb5a7b5

SHA1
e72e95e559e9f60fbf4535da7ce5abc0bd6fbf14

SHA256
6d7fb1d543b805c5c3c7725670196c5c6dede8f060330c1932f3706067871f57

SHA512
e243aa9d3ab4fde437b8d5399298750f88578e863248beff1ddcf3f9b4af91dbb534f3c8ee2a4d037fcf8547e1959729519c364de096d8e59458a8d7aa92104e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
97ced5b48dedc9deaaa1b163c0e76ab3

SHA1
79694becc3139fc9fafdc13fba799d936620ce16

SHA256
191c6868fd0959e6405b4b26024d67a8dd927c977f732cce2d669ea925721793

SHA512
d41b21f6cfe1f5771e5bfb9e424d6a6ad27125a068088d4b69e5e50f0455a0155756a1eb05607cc52fb3cb4187126179892d585e9f2165f134b559cd962c62f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
611c1ca9d30a1ca8484560d39920b51f

SHA1
0651b2b4f91273e3cc41c443880cb8c0bf7dea92

SHA256
87833473951bdb9e92cbfd43a653ed9a8f7025c0a63a18feb2e0bf8ab4617c20

SHA512
8ab1f3d90e730146a1f110f115c0443274d715233345d0d7318e6bc2e587c5a4ea74908e15f61a6f7432465fd5c3c0751e64f4d4a5954b7e89df8742efc944cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
afdafcfded567e7e74c0624924430995

SHA1
21309927350d576eeb0cea2d4bbabd5e752fb957

SHA256
1bc11118f13e6afbeaeec143c2e289c231b2d9a00326b4d6443936aeb138d673

SHA512
e3663dfb8f359a6255be477d4d09b1f566846a32e3029b9aa656a297524e1a06ab4384a0a337e99273af5d14fd6dba658f277d7963e6c34164d3da8ed181f1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
912a9bbb3cac746a4f34ef8456dd5555

SHA1
7faaf976c3b4b00f4e59939b465fd927827d224f

SHA256
c3de220a2aec3b90413cde9df5180dc2811decdbf7a336f3363a3c4f176362cc

SHA512
048fa1ec6cca68780b02217ee2ecefc548c9f891c3bbd65ac868fc22b0dce3d4a4e7639f2a4042f65979591170350f850a5d015dbaed3d9728f5bae63203968b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8647dc51cc1b1a9e46c5dd518cc743da

SHA1
de537f6d30960cd8daca62179eb4d34129e379f3

SHA256
2a27f35b323e1a603cc3486ecafa5a1c9fa1fd8dbdf9199df548126697f09c43

SHA512
1495d6b5095e5b904ff9fd3511db76d20e5915d62998039f33148a29cbb7fa6b4df418a40f8ee5d6e5ed452ac4fa44e5602982d0ec974846ce8d010f7e706822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
2782b08ea9c782411b162c81eb18d955

SHA1
280a21d34a27ef3675916bca015881e121584da2

SHA256
4e6060e29e2801919b9ee9c4e5acc3ea56eb0e4888d2926c22b83ca22062c6c1

SHA512
b43ca97c61ffcbfd924d6dfa938c321ada2e14d43f821ac7408c8777c9ca179bb86c775d97d1dde4fef0077b11059de4ca803e4321594a8e8ee5afbf580c110d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
37dfd4b0cfc04bd0949dc3e68f3aad55

SHA1
6b87898f6d2d42e658d5cd7fa7e97604ca52be2d

SHA256
595cabdbebbb036f1635634d2121be00ef79ec35e68fc2b2671152950076da36

SHA512
5842512e09684d3bb94b7eea62bde06a86f1b7091068216d753ebf46a4425baf967336537401f41a1b455f35a270c56c320e825a10f2306606f8c914bf9fb7f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
c8ef1592c5682a299b2f7c6ba431de39

SHA1
b377cd3809a460fb7c6c13ee72766582988d5812

SHA256
f816975414aaa641a46f8062876c1439b1b82fff32259ca9bd52023effb8cccf

SHA512
ba3af9b2e48893679d512b18a3a551d893a509f86fee6cc5d995ab5aa72c9335c290a59a136d2cc4df081225ceff2207e19b314127e4d7a3dc41cf8e64432afa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
bb5be598b04e469a59ec4abc987a753a

SHA1
8ee4485a9b31bd4f4fea62e732f87324bbee8813

SHA256
afc840f39aa6cb948acb87d2b09da3776868ac98a0b44d47964dfffe06ad2c50

SHA512
93ac47ca913fcc3960991cdab38864b532c0f949a8066a64eae5250c7b4e5e9f8fbd038198ae97f709fc40f720193506ca565da0258a06fdfbff6df0905c1069

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
531c6e34ccd28a971b52c5a721236776

SHA1
b0c169e4520718c68a8b6b99170149f9309dbf10

SHA256
d95b4e28004aae256074974317e55ce8d01c74293e329673fc1e09c9e8b8a0a2

SHA512
ec88ff2f96b2455fde6b191e8634e251872f449747b3322e05734c7bb6f078122e13f656b0f90817556af086d3e82407895aa4bc89a274c916e9dfd2ef57a068

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
db8b012f1f84210063dd95071a24f90b

SHA1
257ff8842a15ffd63d49e848f2db976629898bb6

SHA256
bfc0305e88e149f5be8674b117ac25e78ebbd82c734d98518bb65ee6ec3f8590

SHA512
6601802c38d2b172dc161b4bc7fc3261fa21305dd6b8e1b18b4e05438130dcc2b24c1282ab4d329155eb21618db1c146a88a664d49a6e8165494003023a5caa3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a35214f6f1ec37f79902c35e87b979b8

SHA1
f0074aac03477fe70739330d4c31419007dce49a

SHA256
a20c01365dcc9037872e952f3940dc0d50c639d2378d29ff9b0763f38518b392

SHA512
654008dbaf83654cfe73674e599a3b638b718af6383f0c76fbee5127aec51a45a49b958b03a7168041a48035a83b9dfd52ec78ea7ec37ade85d6ce5ae41b170c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
41fe54d487ecc2f09fd20057ff906643

SHA1
162b0b930cc7e3b894f970cd14ab5948f4e612ab

SHA256
e947e096aafe4602d9a278a63738fb3d75e9c13bc470e15c4c85beca179d80ef

SHA512
3ffd97ce56d7b3e8ed271391a4a2d1cd74242130dbb553e16da56ccb59f02ce970c33f0556b273562229e7bf19747ef809a545f4bfb73012e872ca836c05ad1e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9c28378e373438ffa1c4a3b3aa6ed613

SHA1
b0955a84f47f6b08841f894e38852051f878edf2

SHA256
fc531b024f6d1c4bd19fd44691a9c7320c5e6d99142f0c448f4108d94bc81676

SHA512
36284af231788217d40e9978c5b876e80e8da73bd05e214acf1691133f7f6e24d7c972786f5f1f0d167da3bf29e4c93c638a50c18fc1ba71a57841c6d125cd74

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
868e479a5b8693df4f727ed0f73e9653

SHA1
5bab8b7ec5391ff71337149ff16234ce8da83530

SHA256
1aa52b4cec94b5e6a0d5903c2905962e10e245acbeee5db34e250358a478590d

SHA512
0b7256fa2063a23bc2d5eb68a83247632857d4c1b4cce9bd7b957b46fd2212a533d17d0186f47fb4a4ba306284d2621dd0dd93df7e4897ac12c58529b1382671

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a30d34ad46cd654269ddfc647b7e275f

SHA1
caf1d96e7a53cea32c4f0850f737d3c0ee6b01e1

SHA256
173f19ff7fc141a9d3392b185b89bfc0c641518d78f2f72f3dafe4353713f3b3

SHA512
915ecd00c29d8ce0e35e5d359ce8098b101a082fb522c44c6ea19517cd96f2552aaf0531cc69c4f983a946bfd818f3773aeb8a42fae630e08e7a5b216cdefc2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d22e08fe3c4b37e7bd00d82cf4fa4b42

SHA1
8daec210f3f42fd046bcdb0f9d96835b24d0d3fa

SHA256
c3fad70815ab8457a76d89d91fa04a723cd983917ff4d5b78c9c140b4bc7b561

SHA512
ed3b8e2c8116e796f784c62ac7ba356cf84d02d175ca099f0ecf342084d004133eaa66029011f62adc95f904e88e8a5e655a1ff6eb80967b18b5d37b341f1ef0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1fd18ac6be32f60f793ee976a113f90b

SHA1
76b547c9c870a1db536f1a7fde75a6b59570fdb8

SHA256
ccbe5015afcd82b31c9f797c07f98ae98e45b7f5db6c39fde44b024e1d354657

SHA512
7f03c962d508a28cfbec915f1be9cdba70c09bb875ba7a51828bf3766e226b3af64b6edb156050df6fdcc3257b1d47961f8f75dedb53f32ed818cb4d7d3f1eb9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
a6f1d52abba2adff0e850040fb7fa2f7

SHA1
333fe816996e2c9b1c534380afffc3b159d30228

SHA256
4bbb88ff7ffdd5d2a91c01bddfe912608013820313d563fac70f6ef70d334837

SHA512
26159b4a9f6b8a18b2ee8d837b890a9304b1e4c8cece1342dc6d719e0c5b59b4a2e4ceeecc400d49b85e01717debbb8b74fe35b7ce90e44e169ab7a0983b5259

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b01f567b0832a7a42b3acfa83a1a3bcc

SHA1
9b7b4a44bdf57da0a7795dadc7dbd2727629143c

SHA256
1ca1ccd651964c655a288cc1501f3b4f70b1f8e5437a60b7ec41d34edf84fe99

SHA512
c4fdb605c8c63398d2099c704170ba4db62318e04243ed0bd5556a04daeb9a6f3082ab9b2b04f49a61c03c07735bf5a2078ca9023b3ebd2222bd76f369a076d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
efe272718d264047350081947afad7db

SHA1
2cd03cf905882618d3229adbc06a057f3833b6d8

SHA256
a231376b615ec49735f0084a6622a7cf428a1e57b86c9b0a87779c30efe734bc

SHA512
ffd7a3fd1028847ba7e29c6f60ee70db4659073cedc01d6ce342429ad0b3ce4fee9ad854deab069fc57b46f978b2c34b425b061b78635a8afd9036b9ba1d86e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c9bc6634b4bf97d230c375d019daae54

SHA1
4f7fd61127b9498f654694bfa8c493609f1ddcbd

SHA256
f7a4c8699a38c3c1c65530e37724fd6e19cb2f04acb754e5f519cb042af09f04

SHA512
89e2cc05a0e6910e5f2ecc56f318add33b202daf3c2183596b2c9dee496a3923ce1ca3d4f3cb75d3d1ef8f6ece5962284b1a75e414ca14cdfcf9d9a02f676784

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d75380947d8a11fa9bb1c5f5a7bf996a

SHA1
eafad0ec9e5bc43306fdd52ee9770b8d0566a143

SHA256
0dca234d5820dca26c8ccfdd9614d91abfe7ddde0fc868ec4b1ea89ab61bbb63

SHA512
5ed6ffc0ed04b0d3224ad6600737ce68dd50a8f2582e0cc104c2917f6dddcadcde281081b646285782153125c0745377dd0028bc14dc7b9408a6076fba1b6e68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
78890f2d33effad7656e5da03bca4408

SHA1
6eb599c0ab34e6fe60bf90be3ccb867d0344b520

SHA256
1e19d9db9c05ec1ce60048757406efa5a33a3d5dd6ebdb92993cf559ad162197

SHA512
6b6186db6be3857f2c71637880fec4ee258fcdf9a488b1ec328031abd72fefb699b8f6ef9d2e89af935624b155823316fceb7b32f3c2f3ddfcbfc1ed73ba8e5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
f8ab9747a2c9991fa52e95670ea99034

SHA1
79dafccd9d18a3154fe91928c57b9701feb5175e

SHA256
698ac2c91301189575b089e569c6581635a409de296e80ef95b656edf2b8733a

SHA512
830e16298cd67d634a0719b2a7a4d80181a270dfe7e4a24dff379843713329391651be02c4f92f3cbac3a8b8572d3ae6d1743c1f8c11a009bb932ea0e7aa16b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
123902ebcc428d5e74c58187999e3fda

SHA1
33c9bcdaa95b48ea498f591973e6ba877c739601

SHA256
5a3801c30fb5ee0e9c1a0dc68f6f1f1216f46faca398f954624fc3c8b4f9cb6d

SHA512
7de36ba690a24cb4551782ccc25b182f0936ae430439eb772d46a24fdd1bcea85a42fc3378bcd2bdefa0486593adb352833ea843cfcb136dce67e37f3494b122

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
39ad961e02a447159b62ce5a10d883cb

SHA1
9030506b2b38ebd09dc46ea097512f11a1a19b36

SHA256
3bb2b37a85fb7e88f94942aa801a8e615be2e3150f4a81ec815761128fa4aa90

SHA512
a8798de4ef7d3b1706341b4228258e20ad65c5ba215c92a81d0e56b1826a9b809c4770cc9bb06d3e520d48dcca8f0e7d352203f148cb2c697ec5e84d535872ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c36b4cf10cba34aec53a7370b250d0af

SHA1
c83a44790a2e4a2f8fa2eb4daccb52412672f8d8

SHA256
054ce75c3c0e2b9acdea163b8af535ed45623ca1f4fb2a80216557a1c26e0b12

SHA512
c867a85e07c27795abd68bdf8bde0fff9c4504d5472fa3a32dc4319288eb98e094390a5df4a61813476a7b1d0c13b2f88c9f162e79ced28eb6f151fdb30e4e6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
ce3b4ccd1f5675bfec67cc17a267d21a

SHA1
5211f1f730256f774602dcf4e34cb596e678189f

SHA256
c25e88b762e0e66c3a7ae1ea559543c6ff89d3075f1ba889f418ce48c0f5e253

SHA512
deae69b5422628fb868ca78a5c7d6eaeca6d16a7337827a803ec580d0acb2b48d86397a90dbefe14dea46790309448d9455a85527a5e001dd768ba8379cbf7ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fcc7c6f7f40e8cf4255ecd06f4accf24

SHA1
efe006b31ec08d0bd17fb0526e481c67933aed88

SHA256
93ea5051e72b0839637ba38b50dda04b7b8133a527cee3a6137126ab61b58d51

SHA512
f51d737e41b448483bcc7a40703ce2ee7c4f4dfc464de54270b4b2ee6180d998dcf2f4b03d0e415d16af691d5603216488bf8369d3fe7d517a9f9c1389fd947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
0b27425adcbb47a823c8f9441e4c1cd3

SHA1
cb6006665ef6d295d52f0257edc2993730ca64b5

SHA256
7a78ffa46b6cbffb43ec7e0e4987ff75d71b85407c59ad04ac6ec4182eba463a

SHA512
5726682898ccb6bc86274825a492129f56fb08567349a653b2df36d46b7f34f4f61fa9aec357efc6e34659abcedf5af26fd047f9269feb20797fd79c820304e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0b41009fe67f8b71519486b94d2c639c

SHA1
7aad62c673824df0cf2e0c867db60df42c0ef03a

SHA256
ac47c2d86df794cfec71662c40f7bf153da85f116f7c6065b839d5c1efcecf46

SHA512
634f7ac5b73fb7b0d17bb88ee61a446651d7b87b9d042884f45a6d2df5793e062916d01ae77613c70ca5f0bc110f414a0430ff43d59dc95cb377bd93e1d78d2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
9d3641a6897eb44a62bc9a80ab8548ed

SHA1
6fab5a8a3a6ec53ffb632bc958bf536519fc21b5

SHA256
3d325fd8195394b018f9173f66f00e836dd07bf92e79519226b66ddfdb532991

SHA512
323d62c191d0fca709284947d64b2fec2a1d198752ccd7d63c68446a5196b5c6d01b0da81d0ebbf2a4ee7a8f7e78198a19d49b536eacb1b35ecc7191535c1af5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
dd5a52d1345317ac8f8809beaa2b67e2

SHA1
ae0f7409d06e33c2c1e205f23c456e702f1485b6

SHA256
7bf528fc78ba688ca78a576601b1d2c6f3fcb7cf7a232bd541a6abe0125d0c62

SHA512
1b4d454e2f42e3123136135fe60f60d86fa8f9d00aa919238fac35f0fead55c55dd2764d589d1fe7e93529f91787911269ffd8949ff5bac5647597d78e3dd483

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
250ea7ef10b9a6a8519cce7ce9c7970a

SHA1
f3b2417267a72d6d94674e6e1a85ba53031858e4

SHA256
df73633eae52b12a2b96d53d89806f589173df0b95466ec51e54468714d13e3b

SHA512
a670a1bc79ac30a1ccd50d2a24acf78c5b639c3663da50901eef1db40032fbf55a7b5d35126c682f69bf5d6bc4898b53b278c9fcdefab36664eabc6262ba87c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1c3779c640705395d584fede218a2c39

SHA1
9bf8ad92bff9f60625aa95c1af685362b139f0dc

SHA256
5dde7856a5aa81468257e3dc10bc9eac1a46a9780a9fedc7ea1f6dbb2529038c

SHA512
b38fec1647cd24e3e5b8ba567f5e163db01980f3c48b146d63f9ed011fed14d3db5a094f8d416da4836fe36b01c489130713222db46b167cefdf7c1c2aaa6979

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
a3f9d2d7396330f563541696ddae057c

SHA1
b1b2fe1c7cbfa1cc33a25857e38a3253277bb645

SHA256
eff628035629976c4246938fecc161bfc3ceae9225354b7a23b9d9474a5a9a9b

SHA512
ae0165ea946d31379259a5b19285eb99d89a2c9e3ca1cb7bdddb74db3b21ef15a8729f0fa5a945c5ffe45c94f7d49e59a4ecf3416144a879c808eb1f9387a2f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4c6e3b56e4f767a87ac14bcc217bb25a

SHA1
4f4fe02fa2a21850bd2bbb3ee0941ce5712105fa

SHA256
315b042dc1f555d39e4ffb9c9084858ea219e753658767dd0bc8829c3d5a43a9

SHA512
f195dbcde66cbd1401f69722df74917c2ae50e86ffea34a8e338d38037f0b3102f01892486fdc678fb3f3fae5402d54f2a129eef1687d33a19f886ff960deecf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
466d6ee473b4a8b69e7b4bb6e352daa5

SHA1
6eeaeb6d970271d073ef0593d7843711dd2b1a32

SHA256
1c2f286562488709777fe245dba446ba35fac40cb3a52dabb799576dab81499b

SHA512
a217e791eeaf2b407efa58276860e4102cca113462b972c8986622ec1a27dd378ca6bb2ddb7eea0bc6ea01dfcacdc7ade2a78634345adb22bb3d347b98ce31b6

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
857KB

MD5
57f6262ae236fa972fda76d80d73df38

SHA1
5c7e9689b14b0c7fbf714a55e61a5097f5410ec1

SHA256
8d8c21b5b298bac6ac4ed30278982608093cfeb3c3a042cdc88262791b8ecd6f

SHA512
b1a0c72b589c56959f8595a575866d257f3d2bdbbb741351a31c505973c4d9b890614676a9c5e22306fde423df0e96e25b1c1d748a9317d1de8d48cef797c8f4

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3073191680-435865314-2862784915-1000\desktop.ini.exe

Filesize
858KB

MD5
ac474d7f3150e10d11e5053f2974a637

SHA1
ecb3f7f8e98ed44d2f21ad90c1cdccfc29237846

SHA256
0b8e87e036bac8a37e0fdb7e6137b8341b1911e0e2a5b77e8e319c56424ed5dd

SHA512
fee2b23d2910341968f9e22d22ac8e61adc88519157d51084c456a79b515a64524f9f7911c0482e578fc1ae0b1556c9031980063264f0f92d1fdf4032af39235

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
memory/3156-144-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/3156-0-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/4160-146-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4160-5-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads