f381cac6aec8c9365777c77eeef32e57c7164edc501d48255c5ce916ede2a30d

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
Size

953KB
MD5

7d2dbe2bfa63d8f4cf15f5c6b513f92d
SHA1

c6253a829aeec1c638b978798baa2810dda429bf
SHA256

f381cac6aec8c9365777c77eeef32e57c7164edc501d48255c5ce916ede2a30d
SHA512

417631eccfc259280675ac661eca4f7f814c5943ee51a36cadaac9c991442702e0bb28296e08f71029b7402367ee86271f3deb259ada8860cd7099526f4c1a48
SSDEEP

6144:LiMmXRH6pXfSb0ceR/VFAHh1kgcs0HW1kyApHhP+gDzvRqxwjRjB+O+/Q:5MMpXKb0hNGh1kG0HWnALbqC9B+V/Q

Score

10^/10

aspackv2 persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (5572) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0009000000023106-3.dat	aspack_v212_v242
behavioral2/files/0x000100000000002c-15.dat	aspack_v212_v242
behavioral2/files/0x000200000001e6ca-33.dat	aspack_v212_v242
behavioral2/files/0x000100000000002a-45.dat	aspack_v212_v242

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe

Executes dropped EXE 1 IoCs

pid	Process
3168	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\G:	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File opened (read-only)	\??\P:	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\B:	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File opened (read-only)	\??\H:	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File opened (read-only)	\??\U:	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File opened (read-only)	\??\W:	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\I:	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File opened (read-only)	\??\K:	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File opened (read-only)	\??\M:	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\A:	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File opened (read-only)	\??\X:	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File opened (read-only)	\??\Y:	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\R:	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File opened (read-only)	\??\T:	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\E:	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File opened (read-only)	\??\S:	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File opened (read-only)	\??\V:	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File opened (read-only)	\??\Z:	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File opened (read-only)	\??\N:	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\J:	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File opened (read-only)	\??\L:	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File opened (read-only)	\??\O:	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File opened (read-only)	\??\Q:	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File opened for modification	C:\AUTORUN.INF	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\BASMLA.XSL.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\mr.pak.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\wsdetect.dll.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwnumbered.dotx.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag-dark.png.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Java\jre-1.8\bin\msvcp140.dll.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelInterProviderRanker.bin.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-100.png.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_en.dub.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-pl.xrm-ms.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-ms.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-100.png.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.dll.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\classlist.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\jvm.dll.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Wordcnv.dll.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.DataFeedClient.dll.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcr120.dll.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA6\VBE6EXT.OLB.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\UIAutomationClient.dll.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-util-l1-1-0.dll.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ppd.xrm-ms.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11wrapper.md.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Java\jre-1.8\lib\logging.properties.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Formats.Asn1.dll.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\System.Xaml.resources.dll.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso50win32client.dll.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\PREVIEW.GIF.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8FR.LEX.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp32.msi.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\colorimaging.md.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Java\jre-1.8\bin\npt.dll.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiItalic.ttf.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ppd.xrm-ms.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-phn.xrm-ms.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8ES.LEX.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libxml2.md.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\zipfs.jar.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Java\jre-1.8\lib\meta-index.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-phn.xrm-ms.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ppd.xrm-ms.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxslt.md.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\LASER.WAV.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InputPersonalization.exe.mui.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ppd.xrm-ms.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHSAPIFE.DLL.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Content.xml.exe	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 460 wrote to memory of 3168	460	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe	88
PID 460 wrote to memory of 3168	460	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe	88
PID 460 wrote to memory of 3168	460	7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe	88

C:\Users\Admin\AppData\Local\Temp\7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe
"C:\Users\Admin\AppData\Local\Temp\7d2dbe2bfa63d8f4cf15f5c6b513f92d.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:460
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:3168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1168293393-3419776239-306423207-1000\desktop.ini.exe

Filesize
954KB

MD5
16780790c162186f3f240abbb2d5f8bd

SHA1
02a4fac7370c56f2fcb8c6a7fff5c2299f6414c1

SHA256
9051861786765abb01ac1864219972e34ceedfb7d1eb9be942d652f67defbb32

SHA512
e84a19ae5e6483306e2b3fac9bccbde32aebe8698eb68508e4c5c1bf00b83ad6e9d99b2e4eaedf86c286d0d84477449e941b48fcc80d63b0b127df496fd49c19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
bc65313e06f10662de26ecbba3f670ce

SHA1
c583cac5274fb3ce8b3e89ff589f88555085327e

SHA256
0d5033e38c67b94d5418c92c432984d6188d6d3ab70af921e7c6dada0eabdfdb

SHA512
d73b6b06fde9e47929b83190ad2ed4485896e0098ca78bc8eb9ca8c9638d5178fa768989bcf0210ae084f20aa655ecd8183352a0f8e40d7e02bfd9a9d51d58a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
fd7ec5ae21b9f49f2bb37c1429101c5b

SHA1
cfc35a27408b17132b10bdd7fddfc819f5b76fac

SHA256
2263e49b4ff46bf1564a4c05fb0fd3dbd25aa834862cb6363a001ed45abee6f5

SHA512
587e647950caba74332e7e3270dde7b1847c685bc7e5fd1fd46c87422bed345290d7162319668e76d198866981e5749037a0a1ff44a7c8c491d4a2eae1b99a4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
77b1eed55373d076c23869a54d955d58

SHA1
4834fe918e150688e88d99e24f78dc4663fe23bb

SHA256
ee7ed5e925a1372b0d00a6fe0ac9f2b820f09d40782f181cb1f9cb63870c6e0b

SHA512
60f0f19becceb4c343ff05082bebf9ab03fd50f4c3725af7f1f6e91171a9d40cbf429317574b492717f6e351afb65650245b5a131fd3505bccc4f824c605fbe8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
72ada0fed9479d547ebae3d1d083a7d1

SHA1
658e7cd600c0ee08792b45caa6eda1807be78c34

SHA256
5c16634363485ee484abe6f595014edbcd36b1d51e895c0716d0dd0e040e5a4e

SHA512
69cf0c3cfdd39430073b4983630a44fbed487cb49d63db3e43e97a0bd42a0b777bef07d0bd35395c402c725c13c12a85ef3581bb4b0abfbc770960f56ed9a8f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
756cafacb82986b2e350453901b1a50b

SHA1
2d3afd218a4e9239cd5f54ea02bc605f3ac2c927

SHA256
9e848cff7497b2d1a4f490aa7ff5aae3717be5a9c3809ef61007b26707770e0d

SHA512
07a7dbe0c740dc6d0372508e4169242f2ccc627aed5ebe21807ba8475bbed56adb9f6bef7d0abd6127f7aee0e9bcc314c128ed06d00c8002eded2479360e1617

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8cad49f3b708f7a035d9451041ec7490

SHA1
7dbaf170cc954249cea1f0b0470687196957b017

SHA256
6d44e8031cea2f02b58f0488a73920d7b127677795fdc426084b9f8cc16e30a2

SHA512
0b7fd1dee0ae016979d6abbe03b1798b7a032a14eca0db530639b89509c95bdc8674b656e5c29e30ba1f4162b6ca71d104528850171ef5c1c26b06276ecae8d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f35fb4e35ae1c1a42307b4a9b41c8f8e

SHA1
cc3b2af5ae85feb38d7755534e691522f7c5ad40

SHA256
ec3cbc38bbbb9638861107e6cda65cf12534f45fb328aad49f3c143622591569

SHA512
bb8b0c8a6d1c340348d5dde0fd30c042126aa7301b80811941523afc21a4b7478838679f6fb584d47dfbea69eefe1ade0ef6bba93f0f99bd466c766dd83bc660

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
6f44ba1c2a3430ed039ca395f4c5a187

SHA1
331e865e256dfb013487501029c82aaef6a4740f

SHA256
e2719efb19a35075249928c1f21c6d5f1eb751d9e0ccf0ce498ca743519ff59e

SHA512
2b08da6c7933e00d053d207ddad31bface9d6ab2f3ac7956e87fcefd0ccc9b895287b47248cce17c228b8a08e46a7438ca99e06b9cbf3fafdcbb7c765dd7178b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a62e6b99c0ed0a3c68860e3661f98a74

SHA1
0782388c8cb798527a75966500b784bfdb7771aa

SHA256
3a04e78b305aefecc8805b067f7c5b4813cf832069695f8f08f3dc969282c015

SHA512
5b18698f8a7cbafd4d8f665d150bf32e0d5c9e041ed141405accccb923ee3108bfcbf10b6d7e59e8c39d736a87f9464b8a4f91549c34edb6f5bd4bd1514ec03c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ea14554052f5155c8f5ff76fdac75e7e

SHA1
31b0ab7924e1e32ba6a146affc550fd44e646a37

SHA256
40b9bde7d305ad70ed1c09254d9fc6f0049b370f50c3f5676918f1d0c52c14aa

SHA512
e06902a75d102b4a407084905d9cd29dd18e87a056d6f7ae40ae48b64c90a22e8f5b8ed089dcf8646cc100ef7d406dfc748f8f41b9b76ea83bf0a94682936cf8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
db97ab40bd9c6b494759a540ca248e77

SHA1
92e6ea08694043ea8b6fc6723681c60b0dc88a30

SHA256
3fc9a6a924dda0aa276f100dfd6dd696ab63840cc8a9bedc8135a33645f7e10a

SHA512
59a06201948abfc15e8bfd4b8b989c5998c50823556f49a7c0cd3e5808068e023eddd5b5bdd29645f2e8c8e95036b469c8fd15a0e0e260d98c959b798afe436d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
ba53987fd04ec7179cf1a17c74bf0f8f

SHA1
833d180be89e7a6aee8eda5800caf9945f642dc0

SHA256
35e723ddf692370b4de817fd52df5ace2b447e049dad0c3f8d09e168a754ae39

SHA512
5efedc210457923507e9438c4571a19c8a39937b8e8d82a4fa6462e6ab16487d65b13393be9eededfe6d7f5785faa217809c2191655585147d69def195c14dec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1c54fd736c4f632a5480034d4e08ad4b

SHA1
e02ac0e01f6cbb7bd547d156d88363df2a502ae1

SHA256
f168c2e2c7ddce5de8e23a64db5d9761a776a3cce65d6c929181236a69f75fa9

SHA512
78f1f34259c67198db3aaecfc24adec4ea19048b1cce46464eaccf4e77cc8bb07fd35993c22b111837c348e196f7e8f00af44be1d1f937bc84e4f40523470812

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8d0f5e1556b59916df63acff534a98c0

SHA1
c7a9968b74a3fce385c0f31f34480e99d7f395f1

SHA256
203f01d9c1a6ffba317c1016f3fd6e2d53b994a46a490d751ba20f1dd46a2e2d

SHA512
0371f9c8cd303e3e6e16fd9fa2b2e549b97267b46534df6cd1d136375f8ef471ca28c8d3503fa5b1f07705660a6f50f2e39f68041adc0292309f207876fc36fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
fd50b69758c45c97f70823f4eae07810

SHA1
ea99e8255081b884da1e47ac06a71825546eea3c

SHA256
d8ff029395e07f85c375364ea34d6554ea4583539e919b6a15e37293cf4bb0e0

SHA512
a0af7628b1ff2b5db9eded1be86603495af763119c496b9a587290850dcaf48fe3a42953e2081ee70a56e1d97113ec4fd2167ffb0c84354294b6aeb41b921c60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8285cefed6cb8ea2ff43bc856daeb550

SHA1
60ac09f03ead78d5ad6e70b1e958cc5ca46f5bf2

SHA256
56fe3cc7133fbccc02acda0d372866762b36d66be2d989f3412e91266d0f0a1c

SHA512
86f04e54a45146d1ef3fd18027ae1abca1836e5801b8e848eca0483d8b07041eb403d90a5e52f4be5865b0269b9a1cb8fdc2354a12ed9b11132f442e3943099f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3d42a77d64f3abbd8484368c33920967

SHA1
3d23cade0218069174bb8da5c2c8ba280dcc9147

SHA256
f0925158a56faea4d71126a38f01d3eac8f0658585926fedce6ca7e1e65a71ea

SHA512
2b08ff1005415c98b137b68e5425f51276ba78aae57cfa450537cbfedc49d3038dbcdcf1d590158a85d11666bfe5b5c083607b6cb5e7814e39978290d5a6e6ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d24739dbbf96f2149c27d2446de1cbf7

SHA1
97307d6b772127324517d85ece310024eb21f74e

SHA256
60d44e8dbe0bbb350bad0551e16fd4e48d6d3f13f3eee4e3f5ae17d513ddb501

SHA512
b2bef8d5fd906facaa885cdfee454784e76535b56d4a849c0c9e3ce612c2c29c08ca41724d5c0c1399d2be3064e1257c29ab3d10b78dfa9a5f152e65714080a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
10d0b2dce0c8124eb9f03110c9b6571a

SHA1
dd54c051589261bbd8738b99b17c0e8a8e42a562

SHA256
278779a5034ec722b72802b1d2088ebd28a03036a012b54b00317fbbb18cabac

SHA512
12742c3efaac58c917bf2ebd914d362321e06a6bd37c2356e224b535339dc02b72686ffd4f98bd0ca0237ad44c1c96071eddf81f06f6d3a8aeb8ec35d6c9be44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
f528a27f94264a6fd0cda74d36c63833

SHA1
f97e7c093f0e1f07971c8b5e66bff0f1ea6175fa

SHA256
3f9701e07e4081626c0c465fa7ff6f6cfa9a1279b0488891e02169b932d783e3

SHA512
39d974d9b3dc84172f1a9da256c1248d2a9e67b00761dbba024e5b819c1011756462e1301ab4004c2a04559de90c1819dbb9523cd0cc3166fc028fa1a2d11f62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d1cba18447a8995532fe69d704cdf8a7

SHA1
c3ec0d89cf9635502cf29d783cd4f857af19d71e

SHA256
15803614d3935fd31c215a522749200bc86d66c934bc08b83d87310909d8124a

SHA512
4c200b9402a2d81254531ffc61809bc90a5834ed383d6cf09352c6f82bdee8a08ddca818993e5d0537605e0750086afebf19a5eea6809cc0449aac6c34a833db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
cc544befa59e02c424e8b271789ed43e

SHA1
45f8008cfbc715eba0667e2da0b1a743b12b45de

SHA256
411bb970d6d13fae762ed19a547d471c43f12aab1ea923026c4430098b6933d3

SHA512
b344ce2d8b7bb0de0c5e2a0366cee9de1cca0d6837229d297b2574b63e773ca835e6afe6908840bd088d2a998156e4f6ea105f488a5126c4ade4293fcda5e75d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
df841d473deeb8cd2983163d0cf2110a

SHA1
a5d710b778e02a29b3cbf1c9dbf2138342d4c57c

SHA256
6cfa6c11f35e69ec0d215358d149254f46c4029e14ca71fd75da524b830ae801

SHA512
d52a4182ac3ac0334071e12509149b3a3880ad73e392e716c2b08bb2a7e6d463749401813ca378f82190b4b5bac57055b46985ad70887b214f8534b36d4b153c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fe8eca95f3a09a46bbd2cc4519840077

SHA1
f6850be299a79be2897596a13ac1f8c8253c77c0

SHA256
13c626ab6759b2da78c4a3c5c452cba87f21a650ae43ef17a4f17170a6c2c182

SHA512
fff9c0364e512c06bd861f01dfca0e8b9a342e7ad5794c169fbedde1d3d43eb0e065fdd9a8fd2365dd1047da6e985d7e42c9742b3e2564ec4f3ab13d397c5996

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7bad25b953f17c6f8b18b5ea6ffc149f

SHA1
b25515db941e18310c661160d0c022639678fa06

SHA256
a5293991ec0a7b4fa06d72bea761762ff4ef7e64d5f3a75be0ac77c0df309c48

SHA512
33b2a14daf797694a9b1380ba224d3af7b6826f4f83c747eff14be24d713ca5e1198230bd094871f6a9e4c67e7deda59dbce83bf2aaa2c1c64e0002139e9c62c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
73938aed9bb398ac934a32287e5c75ee

SHA1
8abbcf70b5095f4dd4b69d249fab3cd70c4b68eb

SHA256
1a89c43c7ed711233e6d1c0771d3343650967fb461fde2271f43730df3f7ff79

SHA512
3e6f78bf1e8825e0b5acaec8f9fda2463e42578ea1195dde7273d8e30f62f4ae62dbe3a5dccbfb3243eb981db7be651453593e0b4fff098875df438fee7f118f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7a1fb322746dd52b0635f5dd3401f050

SHA1
86ac0f435c1d56adf3c4b5a00c9a5bfb9a1ab826

SHA256
baee3d08b0497fc8bb636162f1f7ca2aee2d5d53029bd5b4f3192399b53cdabe

SHA512
65d44de7147d4098a72e51e838f789e2c3aa5387aa37812f4db6de4c09acf170819d42adea96535e0457652d15d9a922a60419302dac8063bbfaa47cd605982a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
a851b315ebd094981a2e774cad9662c2

SHA1
80cabd057877be041048d93276bed9a172e7d198

SHA256
8ca3ca63686e13e98c9d02e3f1b449be5ded03afa79437a4e52cebd2593080a8

SHA512
f1dcbeef9b0bb57808314fcb45de1073102568bcbb2211ddbc499b7cc629e41e6529442f7e55b66e7799d29397457c6d52daa675b05060212e34f4eacb246d93

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
65144b258f69bc05ac341dac7673d086

SHA1
2d870f7b747a14863e02ad76b7dd645702ad0a98

SHA256
09c63abc5c600013a69c13909546cbdcea643bb65e1c407c2f0af9769b75f820

SHA512
beafeb95c1b51baba8857c69256358d5093ea4c740612cbc7dc2bb2f163d65f7f74d78577fcbf5cbd1c2607189c16a88ae8c0a72408134b0e88e11e96ec5ebfa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c4dc61197dce71b4c8ed73df2387741f

SHA1
a70c248ff1ee5ea15f4da0bf936bd01433ec8395

SHA256
7d6f6e079157aeb011114eccc23cf62b1f461ce4c02e60812eb7d79c3faf27f6

SHA512
2b57d1bd8690f720ab0d5ed0d508668a2bbc23ef7e6fe70d11dc62b9a01750f48950eb368a57aad4747a5be31b72de412e8ce59ff4807e124cc86873053b8aa1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
a7983cbc0b77988fef4fccae8ea2d3d0

SHA1
a2b27e3a3565115ffaf843af00e3f2a51736b7d9

SHA256
871af22410d64db1a8bd591871bf00c26ae16162128adf406f35e25a37d9e037

SHA512
cfedcdaa3514f833b1db711d524c3633294cc6f0fefa08ee6970c4ddc421cf710733eb0734205edc0130a0883f4935b7dfa579215945587e6ebd124ab0fe5acc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
10e28dbd8f755424922ba17e24567f0b

SHA1
aba7c842ba3d8ad7700905608d6b21306d8bd877

SHA256
00828778236834f63b018cf403e415b03e0fc11646dc06d610037dfa79a6fbfc

SHA512
2552be4aef354179aa4bc0f5b4298c02568ff3786e4e65363bdd15870c68286b96c1c2c301d6bc50b74d562d8e409310d45bb5bee85db2161652c9580128aa68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
0b5622d04bdaac39a06a9e7299c678d8

SHA1
718e4fd1c336daf62284521baddeead177a2f5b9

SHA256
851aabc16bbce1a0379463cf4d7f4d7ecce9436ee142709547975c5e0c7105c3

SHA512
c0f1a624b17c7e4dc1080dcdc9076fc1c514663e42d13c6ecad3219b03eae1eae7d43dc8347a17c60d20746bce30223d2aab48496e0652553c5ad203cfbaeb89

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
440KB

MD5
2d20ec8782128fc03b0d309e1aa29dbe

SHA1
0b7abcd306834e05ada8be269340e338d2798c6d

SHA256
91548b797881ad34cecb17b8a856a50cb3ecd6d56f623ab4fe2c08a08d847e9f

SHA512
9da2b77eb227fa006e06b797ce1c90b26b3312e7e8ac4960ce4bccbef3e4c0f396d9bbc1e140c7e77ecc74b19fa464809d09ba6067ba597434785073267e3e54

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1168293393-3419776239-306423207-1000\desktop.ini.exe

Filesize
954KB

MD5
541e1be4d6b5f490a42290eeec479d92

SHA1
abeec19679cda669e8a0e857c1c24673f7bc4c14

SHA256
ab8ba33ad15dbe9ffacfdd561c8345e33b0cbe03e70614688eb9022f33147e23

SHA512
59e9cf27769965901dd887fb1af5cb279f2b7f339ecb8ab070c875ebc7fef84111b5471ee4eaa8d5024f503d309449d3d58f84c09876b5d81b9ceff3d4401dd4

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
953KB

MD5
7d2dbe2bfa63d8f4cf15f5c6b513f92d

SHA1
c6253a829aeec1c638b978798baa2810dda429bf

SHA256
f381cac6aec8c9365777c77eeef32e57c7164edc501d48255c5ce916ede2a30d

SHA512
417631eccfc259280675ac661eca4f7f814c5943ee51a36cadaac9c991442702e0bb28296e08f71029b7402367ee86271f3deb259ada8860cd7099526f4c1a48

Download Submit
memory/460-0-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/3168-5-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/3168-8242-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads