f9eddbec28abb6045d512234b1183f0908b762cbbbe5258202aa998cf68d52ac

Analysis

max time kernel
145s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 11:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7d0066d1248453650af590d7dea1f565.exe
Size

577KB
MD5

7d0066d1248453650af590d7dea1f565
SHA1

71dda73ce9eb575da0cdb511b5f4bb445991839b
SHA256

f9eddbec28abb6045d512234b1183f0908b762cbbbe5258202aa998cf68d52ac
SHA512

8a5ad343c7df2797e6c7a506d896cfd8e87e880aa797cac221ecfda8394427fe3b564289924052b3db965d4295ad495636eefcaa608334ec568eab9afe61b437
SSDEEP

6144:LiMmXRH6pXfSb0ceR/VFAHh1kgcs0HW1kyApHhP+gDzvRAjmDtDqKmk3O2OGLZJT:5MMpXKb0hNGh1kG0HWnALb1BuKmX

Score

10^/10

aspackv2 persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	7d0066d1248453650af590d7dea1f565.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (5576) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000c000000023140-3.dat	aspack_v212_v242
behavioral2/files/0x000100000000002c-15.dat	aspack_v212_v242
behavioral2/files/0x00080000000231f5-33.dat	aspack_v212_v242
behavioral2/files/0x000100000000002a-47.dat	aspack_v212_v242

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	7d0066d1248453650af590d7dea1f565.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
2444	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	7d0066d1248453650af590d7dea1f565.exe
File opened (read-only)	\??\U:	7d0066d1248453650af590d7dea1f565.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\B:	7d0066d1248453650af590d7dea1f565.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\G:	7d0066d1248453650af590d7dea1f565.exe
File opened (read-only)	\??\I:	7d0066d1248453650af590d7dea1f565.exe
File opened (read-only)	\??\M:	7d0066d1248453650af590d7dea1f565.exe
File opened (read-only)	\??\R:	7d0066d1248453650af590d7dea1f565.exe
File opened (read-only)	\??\X:	7d0066d1248453650af590d7dea1f565.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\E:	7d0066d1248453650af590d7dea1f565.exe
File opened (read-only)	\??\K:	7d0066d1248453650af590d7dea1f565.exe
File opened (read-only)	\??\L:	7d0066d1248453650af590d7dea1f565.exe
File opened (read-only)	\??\S:	7d0066d1248453650af590d7dea1f565.exe
File opened (read-only)	\??\Y:	7d0066d1248453650af590d7dea1f565.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\J:	7d0066d1248453650af590d7dea1f565.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\N:	7d0066d1248453650af590d7dea1f565.exe
File opened (read-only)	\??\O:	7d0066d1248453650af590d7dea1f565.exe
File opened (read-only)	\??\W:	7d0066d1248453650af590d7dea1f565.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\A:	7d0066d1248453650af590d7dea1f565.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\P:	7d0066d1248453650af590d7dea1f565.exe
File opened (read-only)	\??\Q:	7d0066d1248453650af590d7dea1f565.exe
File opened (read-only)	\??\V:	7d0066d1248453650af590d7dea1f565.exe
File opened (read-only)	\??\Z:	7d0066d1248453650af590d7dea1f565.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\H:	7d0066d1248453650af590d7dea1f565.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	7d0066d1248453650af590d7dea1f565.exe
File opened for modification	C:\AUTORUN.INF	7d0066d1248453650af590d7dea1f565.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Text.Encoding.CodePages.dll.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\UIAutomationClient.resources.dll.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\optimization_guide_internal.dll.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial-ul-oob.xrm-ms.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-pl.xrm-ms.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Java\jdk-1.8\lib\jawt.lib.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-140.png.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages.properties.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-convert-l1-1-0.dll.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-180.png.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\vfs\SystemX86\vccorlib140.dll.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\THMBNAIL.PNG.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Private.Xml.Linq.dll.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\PresentationFramework-SystemXml.dll.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-phn.xrm-ms.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ul.xrm-ms.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXC.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote_win7.inf.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Office.Excel.DataModel.dll.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\CANYON.INF.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\System.Windows.Input.Manipulations.resources.dll.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\LocalizedStrings.xml.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL048.XML.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\index.win32.bundle.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Office16\WordInterProviderRanker.bin.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-oob.xrm-ms.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACECORE.DLL.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaw.exe.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\[email protected]	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-pl.xrm-ms.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ul-oob.xrm-ms.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jaas_nt.dll.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe.manifest.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8EN.LEX.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll.sig.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\unicode.md.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ppd.xrm-ms.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-pl.xrm-ms.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_shmem.dll.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-phn.xrm-ms.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL002.XML.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\BASMLA.XSL.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaws.exe.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-pl.xrm-ms.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\Office16\vccorlib140.dll.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO.DLL.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-synch-l1-1-0.dll.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Transactions.Local.dll.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\System.Windows.Forms.Primitives.resources.dll.exe	7d0066d1248453650af590d7dea1f565.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md.exe	7d0066d1248453650af590d7dea1f565.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 2444	212	7d0066d1248453650af590d7dea1f565.exe	85
PID 212 wrote to memory of 2444	212	7d0066d1248453650af590d7dea1f565.exe	85
PID 212 wrote to memory of 2444	212	7d0066d1248453650af590d7dea1f565.exe	85

C:\Users\Admin\AppData\Local\Temp\7d0066d1248453650af590d7dea1f565.exe
"C:\Users\Admin\AppData\Local\Temp\7d0066d1248453650af590d7dea1f565.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3791175113-1062217823-1177695025-1000\desktop.ini.exe

Filesize
578KB

MD5
d416c1456be0712212b24e0903091a16

SHA1
c82b17e88bc1e1141644c8cef9ccac14609e3a98

SHA256
523bc44e22823d25261c9d870acc6a2a13902639bdc603758c2bcaad300f6c31

SHA512
a5ef8f18e0998c870004f08a20ee465f3ba96bb0011982a0d49a5ea31a88c656587d0664476a1a61b0a75831455c81f3f8cb0246ac32204efa7b22471ac10399

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1d3420e56ec90fce7cdba83915ddde7e

SHA1
edc34a731858c9c23a3094567effa299fb082712

SHA256
6638f860be8f3be9c6c699eff1269209228961e6823cb91cebccb21b0192e4b6

SHA512
878da0a01896442eec43f1026cc574bdefae7d88ec4688c339280d2107d2a326f7aed41a25c1da70c7e90672b5019c5e67de14ec851f2a92f37c1b90202283fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
37dd7487ae91023b706461480fa09d21

SHA1
f975487b9b20c92faab29da70c6f8a6f13b36620

SHA256
f14cf200bd6b30e4e6db736bc592d1ef5b5055e51a04e419aae1a720ba34bfef

SHA512
94e2940ef09556f74a59104b8709859a5e9ecca3c89115e2b680e1ea96b7ffa6b8b0e3a4fe3f3499c86e13c473964dc97eac3761bb3fa44e110da6dfb0af7fe5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c63d2fddb3cc75b1df8d7a554b8e1fbb

SHA1
208771e757ad503f09445423c5471c266bce6e91

SHA256
39282b10b446c51f2b93dde5ae0cc71755a1269fd9bb51400ecc4c6e02ea8df9

SHA512
3b77bb36a094223cb7ee450a627fd240dc0ef3a348571e61dc397ea05cec1e20a149a93ea2f8d12dd637737b365a31679ed40a5b55eb9c042c418887ece0ed37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
aff1b47b6de552aa19294d7abddf3da2

SHA1
75107e1c370f97268ca34afd9f64bf11e221a813

SHA256
6cbc02973435ee02f95e85589e99ea9e05ec800b42cc25867eaae0cabe92e459

SHA512
2719240d43c2ed82503edf2bb03ce8168311025e98d643946e3471a0a104eee4c2635e118a47fb958f558110fb61f101d734ab1892346fb9c59c44147cb8d83d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b999887ce3094972fc0e652602c7617e

SHA1
1c11a36f8486863c45f1e433e62b754525bb7b1c

SHA256
c91033e05bbcd94dfa42508ea58a3f16d769cffb382b2d159051acd284e01dab

SHA512
bd701398aa7b8074cb09f5259128501669de5206e3ebb81be5473e8e920a6259e7a700e152269bccbcfb7f7818a9de8d6dc6ff3a9f6905ab408210b711171996

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
06af43414a0826c0544223e58c7d3f59

SHA1
b245398bfb64a1e3f5987c13a335708f54fe4fbc

SHA256
1c21cba4cffebcf7ef9c7fdef43ac41e49e62aa11661fee3b6f4f38bf006d903

SHA512
cf8b8f168e20b89d21290ad8bf8d030e35f053b8f6c472af71729947d4511549598d63ec5eefba6005f1fdf98bc741e2c2af92eccb97fbb5d371411a11c8b721

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
79aa56eb27a6dceb3073d30e5864deae

SHA1
988b2133928a6fca114fcb66f721d815572c9ab4

SHA256
adb203fa37f9ccf23857a27dafc74abe38707650e551d1070b3bc2a399cff484

SHA512
8b864f11b02533ca44b2afd2872813fbc38e3122457d9ec16a21336afd7072a485e8b8ad58d65993f62cba6aea4eaa54ed1a1191da30ea700dda78bb012027d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
a74ec19a7f8c958a91e87d40fe3d8d91

SHA1
1454aa579d9e424ce52cf832b235e5a1f59fa961

SHA256
17c7c090ffeae04eedbb0734effe7519e173df3f08108ba6607c8e9761ba7bf5

SHA512
fb8d8fff47c67fd53f1f708283cc2da5c8c8c94287d19453b37835de388b51af15e270d07e17f9694259042e0cead355042d63f2793c890513d167fdb27c76d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8858fb1cf730c5e209fa10cf7177e456

SHA1
71ff8559eadcaf46e946029c11f8c36bcb73b2c7

SHA256
9d3de2aaf1b68baf5a2cfa16dcae1d0c33f52b18c7bc9570ee3781e3fcf24ebb

SHA512
4b3846045f7ab157f325a9eb8a19d14acc6f3264bfeea3d1b9037f2311fb6b84112b4496f4558cf60f143218e0b2070f476810eef506b2e657fce4654776b548

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
de0e3f1cd31a7fd60d86747b9d303d5d

SHA1
24da47abeb36b51607c84c8197c607f8c973a775

SHA256
696ed124defe30b035c5d8cd01b4bf9bf6a546d2b08fc60ba5709f1f13b63f50

SHA512
2c2bbfe2e43eac8d759951073f998ec79078c9b7f49637a236a19f5d1062f6fd3c3e878e97914d0ed89ca1c3892a36f736c0ac7cd321b02023c64d7132334789

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
581f84d3201e862ebe02367897f8e734

SHA1
d2d8c765b42094b8b4c5c8b7f5ff1ae8365d02cb

SHA256
a90f22075baae3f70177963b37bc5acd402a63bb736201ddbd267740fd517a96

SHA512
f2b23737807d6ac07a517569f8c4c6cf32d19ab8948864a4ffe7aadcf276ff03e04acf455e18d0a9a54597bf9eb6aee26c12b5a598fe25a219a14480f186b826

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
25f142a85ab62de820a2b0811f2ea266

SHA1
97b9f44936fb42fbd3c19a72e76e42b66686c229

SHA256
62d1c452f79add9aadadeb45a55c00119e86298a87d326068e71bdb147ea5c88

SHA512
ca1dbffbde8886de1d17494b6188129781a9879fdb0f79359967ddcab723f94dce97214cafa912a362ea8e900f527f72d3f1b14f870c5c66570eab5f34664448

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
d1e7f06e6aafa04a0df523130d6840cb

SHA1
86f5dd35224c22577045c34f2aeecb1945e84fc3

SHA256
dde4380afcb721dcfab597515cbc478f565ffe1624764de2fa4d17481a69b415

SHA512
6386f6ecdd8374927053aec602c6b9d59a6a7f8e86a7f841bddc02126adc24ecc4692b7de7a20b9ae3863398afea357cfe146e6fbf17e38c994d1388f4fce7c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f6165e31bbbf2432c3d4d397dc8b297b

SHA1
2fbb5128447fefaeae47d86111a239488ccb5b54

SHA256
a60c90435be3d6bc4db89daacb85cead0583d10d928974aac77345bd9fb575af

SHA512
cccf4db61c9ca79762f3fd8d1105917941597d6f8f8df0f79fc9a32a140c9bf0360aa381b143c3dd2d68774d81de75159eca36f2c898f40cf0ddd39aec4039e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
7089ffd4debf839ccaaf89dea2483091

SHA1
d0fb936ad8a61514fb16c628807b4d0a22764331

SHA256
f6810d4d321be7dbada1915e7aeb6c6d56f588e20fb4ca714463ac1692cd6805

SHA512
3bc76b87c3c8b8c905a323b52b3de64f7e62a02055914ae5ae6744a96a75690ff4a819269007b71a1b6c67be6f53647ac8d92853d1bb73dd47833cfc595d8b54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
d8b36618a65388f2d6c0488072f2640d

SHA1
4ec4c6c15631951f25d75068eef5e26d0ba05148

SHA256
ab9c1b4c11a1ac78533a21911c691e86671ee9fbcd00e34d2a4fd0286c1567f2

SHA512
5e98420ce29341944f709115f009ae8aa9f009f70f41eb0b7781451b1d91ff8157499497a09e9a68e9e16d0a6cca99c60b17fbcd87a86fac37dc9a456192b7ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0c9e4a6ae1ddc6b5b890d2e996b15aaf

SHA1
45cf58d8170ed08644c3d46a409fa0e716a42da5

SHA256
e084fb2e1f352a82a18702b54e24d0eaae7734bf8dde72bfc00a442c2d0fdcb0

SHA512
969ee17661cc6300c230faa30b2eb9f54d61c096ba933c8d47cca03b7d8649beb28fec5728184fc68da62396eb26f78a487047425de69d20c6180226a24e473a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
89339d884eef90b87ddff90ca374d003

SHA1
5b1c2bbab225393c75bd8d38d695a09d8d3d039f

SHA256
c4d86455df1e56eb18fee2511ef47882f535b8bb3d6ce6e75d0d16dc2a3c30a0

SHA512
c64c1fe5e2eae2d8556ff97459eb99afe1fb4b9878e8ab9f7a7e9273e120424099fe7320e8cee08c9dcc0ccc8e12f04e3eb1f6ecdccefcea7292c6b0b088680b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a9bb7ca3179ab9df659746150fe29d2a

SHA1
994a20d9e0e1abf3d54300e7aeeabc594d201788

SHA256
b2e745a9f58c0ee56efe6e6645b7b24a242e3501695db46ca25a01310abc9af6

SHA512
5dc080cf72851162cb91f6bf3528573fbf6643f42a3bd2593fdcf0d62a2995878d5980880c646b7fdc9d6235568c9d76bbe2eca3a27950dbcd4a322df2968102

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0420ba9d6a18889c7d54ef89e0145086

SHA1
827d5858034c949e9b04c1070227b7c5c0079b88

SHA256
9ca1b5dac5c0343fd98cd6db2f381a2c5cb7c22708372af094308a8327ffdea3

SHA512
5abae9e0ee5e507d50027becae87db0a0ae527be238599f64baafd5723b9f0e3d0ea41f1eb726bd64a4642dd12a9690642a90499893cbe9bb2cc3e1dcd778b79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
93be657327dedc74afd3be090f87bdfa

SHA1
550f1a1c63ca943e26f06cb775bfac4878c6572c

SHA256
d8681b83b3a41b0108a06877b7dabdcfdc23c0487d1b3cf571d2c0fd0893d0af

SHA512
aa64c791d5d6fa3e71bc722b2757dadf1bab21015189e1473e94429de21d0ca1f23932aac2665e2d7e00a5cdf053663bd4dc2b4d4203f7d3b95749400faa2738

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
61c79a6a53f42671b436a6e10ad9d29e

SHA1
7963a185f85df17fed6f02812fea02c573114639

SHA256
c529c6cf0f367d10ac00e5c4daea9171e2a70a0f10e9179617c5fdec92945138

SHA512
078c8f02e48b3e6eaf0d11c8d75da0d41a4679e32af4af6652256bab3b402159e3e2349473f08ba7f1d0ebb1a762e2ad7b20d6b652b204f57f6857b1b0a3c67c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e9641abf18c582c77dc0a838c2078c4c

SHA1
b61ebb03e763aec0cc5f716febf04d835c3b981d

SHA256
1cc941ecfbdcb77d678d459e4ed56651ff50fc6a2b8a97b415cf89ab26f8b19c

SHA512
284f81dd07ac57edc2988a3439219a7558fa3faf0ca3c9eaa13d51fb650ae4f51d416652d7a5541f2f7ec097f6f05190f7e1ee87b81964cf00666755a2dba12a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
8e0dd9630dc42228af0d3f53185e4435

SHA1
9f0cd05c985d3cce66ecc20f716c9884aa7cadb0

SHA256
49e99e68cde1492732b0c18b6b5c77b2f2f329c34e7a37547860123fc20f7fb2

SHA512
be106548b9465efa626a650d7f5f3bcb608b2cd010a258d7bdf4eeca18c8200373b3fd970e7bcb9db5028ba0ad9ec19a84dfb0e4a53ac6e3bd67d799f5911812

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
8835917a21bd78a94f174ba98626f66d

SHA1
83657d46d1ab51730ca5223eb5a3e1ae364140eb

SHA256
be2a7666867fda855bb8e24fa798612221d0b1425eb63e06744d73f35c98874b

SHA512
183531df8a7bf19d0c65c15e67301a2b23d3d0e67bc2e8f5ec74431ee2856ecb34fcffefcb6e1edf2eb9f0bb2931cf81a3203aea0cd471ad88945c95815a01a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f5d106aba6ef68de373aedff4dff571c

SHA1
8e5133b79a219c8461976e8a96ad5931c3ac2f6e

SHA256
58bfccb1d7e5e4f8fad17dcf2c456c653ce3cb53dbb4b40a9ae9da8569efc10f

SHA512
39bdcc081668cda5045eed350147d8152b44c9ed04e51e9b6c838319c8ffd8d3c3f9f7f826f80deba15466af60de4bfa93453f399c75ee7a1a8a76c22a49d509

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
15ee0a26702aa8201b2ba1a7dca9bf5f

SHA1
4816486ccc11ff565fa3494339bc8ebf53e6c992

SHA256
a90cbdf20d10452b1c48109c2f3ab52b60e7418e06ecfca78213261fcf865986

SHA512
2f27c499808ae49f92a5c4c96951a4a8091834fac6045350da574fbe3a3bccdcd73bc7ccddacfa37addf32fef1f228bacf1a4d45238c1e1868a11cacb1541f47

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
bd02c7619423436fe1d65b24642876c7

SHA1
c39558164b4c779c23573e4f6f21c283723f4bf0

SHA256
aaaf706508fa8523a365b670556a26d68a0bc50a520dc1e3e5a433e51b2b9e5c

SHA512
bcf1ad1a5835d4e88563b18c8ba7136866d91347038d447c63fd3873b984aa0a8e994964a6dd488a141c135a073ddc81bbdaad5ad48c52f2a9ead62eb138d077

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
ac1de2853fab11f58ab7ef05fbf15bfe

SHA1
8598ce4269376ba7c39b40872c6b2e5f2cebaa01

SHA256
f92b72c5d464abf6533c49180c24948603e435c371723528381caa965007289a

SHA512
70c6a6651ac4b5e17a84f3f6e64cc966ce2b892b551a78dfe250b3fe52cf99cd6723b7b539547b04bf5122c3ce1d03f91f566af3f8ae7a04051ff059cb29642e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fa9e2cbfd61a8716b4fc9e5c11add17b

SHA1
9d8c1173da02dabc78a0b579752fc560b6426cc4

SHA256
164867c25d15481da35b1576f1b53bdc903e20081bb176989938321ee6b17c9d

SHA512
fbf0da5b281fd7b362430c41aa434d920c913811d3ff31f9206cbbb3e88fa7422aa2d0bef40a8298dcc8c8148430632a3fc9953eff8dbb5e67403fa73848587f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
bb6afd1b39b47910fccaea59986c2de0

SHA1
664a926a82a80fdd278debb1d33e88bd553bd4f0

SHA256
3d93759cc482fc3217a5a8598bb9cc498d72d2371ba0065b5e590e46bc795bcf

SHA512
d231531da039886ed09f3a8a82bd179f9726720673d1a469aaa666eec97b5cd43bb73d03376a934d8fb6e59da57abfb2f77c22805f91dcc29ff0a72e2a75c59d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
128703f9d4f26b937129a3cafe15fb7a

SHA1
28e210e0077a076476ee629206ea3d3aa9bfc9ba

SHA256
0f7b939cc64f8905ba13b6604ca5eb601d4546d709d105e292d29f61b1498164

SHA512
eb641da208d6130aa1ac1362c84b4b633e9305e46ddc012323e758dd01a81502f1259624735e335cfa9c880140500c2f14c395d0afc9512d41095298f869bbef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
8f611a0e6bf679a26eec933bc4c01d9b

SHA1
58e6613461870e1417d49832cc8624fa6608b00c

SHA256
55d7955586f59d3f1ff2eac73eca9306b1ddc89f9f166f741858a83e66122532

SHA512
cedc87af77322a00cdf3864427a1656797b992b45dfdbf83a919e4d275f5b1fc5aa6a510419fcb80e4295806a6ff10c3cc9987f2be52ea1a655f88e478fb9458

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
c8b0ae621573074ebdf77d9e5392a03b

SHA1
fd1e3f1209df4a5fb8922a1a17e6d1d4e95d07c1

SHA256
cf9b94310444bca1e3add7545331b9245b00482b6a94a493ecbb897c6cc98924

SHA512
2d0db111d16b1b9530342dd94cc74d95a8c55041d50c4a5ac66bc187365ec9131bd3638bb7aa9a00316be4249cf58bf8a901760329780703d603740bad8120d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
d96c069fdb8c070fe0c391b2663351dc

SHA1
5f7e1a633de1ef09b890ffddf378dceebab4757a

SHA256
3c9e3f7245e8a49ad502b563a470b64114b752368493627881ccc3d937435808

SHA512
2de1ac98b24cba9118c1cfe1ef6bed5bf25eb41ee13db9164ce316bd29e630510fabf933cc12bc0e3b1f92ceb889401212281f915782d085334643652890dc8a

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
576KB

MD5
05a23d4d5fa9276e1946c4afe5f100d0

SHA1
fcd0c5b9e67be8a5e56d74ed67d024f81f5c5598

SHA256
1b6bc74898f655c841a4b839e680da588e2fb0471c0058706bce2498fd93dbe6

SHA512
096477576146e8e100bb95e2d83473e70faa4e6339b27772c46a42c563d56e417183c3dd02bc323e6edf74537efcc675d92354331b490febf4ea2080bc0530ed

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3791175113-1062217823-1177695025-1000\desktop.ini.exe

Filesize
578KB

MD5
94fb0e054c898f8a4bb1634a020928cb

SHA1
4bdf04b3ddd99b695b542f62f5f7ce775663e2d1

SHA256
8e49de34298807ee696eb8b6ce29e59802ad08416e71a39b12f29c4a494f02b6

SHA512
4717b53dc3d11640accd215f06ce77861e81f68a87ff8fc4d2d3de6c1c2e50496d697611fdf08d0a56294e2d764483830131b43afba91f311f0b7ed79d33364a

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
577KB

MD5
7d0066d1248453650af590d7dea1f565

SHA1
71dda73ce9eb575da0cdb511b5f4bb445991839b

SHA256
f9eddbec28abb6045d512234b1183f0908b762cbbbe5258202aa998cf68d52ac

SHA512
8a5ad343c7df2797e6c7a506d896cfd8e87e880aa797cac221ecfda8394427fe3b564289924052b3db965d4295ad495636eefcaa608334ec568eab9afe61b437

Download Submit
memory/212-0-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/212-7919-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/2444-5-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads