345efb6e2d178dc9c57c9959d005a1f709340cc1e00a80960483ffbca6c4954d

Analysis

max time kernel
145s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96dfcbc0a357630ce67db6083cf5bf3d.exe
Size

6.3MB
MD5

96dfcbc0a357630ce67db6083cf5bf3d
SHA1

e5c9b296e5d09e340f394a7ad751b7a71368823d
SHA256

345efb6e2d178dc9c57c9959d005a1f709340cc1e00a80960483ffbca6c4954d
SHA512

ac3a99dd49796883eccae155bda30c28dbdc0b4c637b6cbf0a99c23cd68d9112a687b65b494305e3327038f852bc9e4de4a9025974f183e9522b12d007d7b016
SSDEEP

49152:NEs1qB8NIMI8Sfpwotkzaxc1OGz8iB8NIMI8Sfpwotkzaxc1OGz8j:NE2HIMzKpXOMGQvIMzKpXOMGQj

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	96dfcbc0a357630ce67db6083cf5bf3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (2953) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	96dfcbc0a357630ce67db6083cf5bf3d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	96dfcbc0a357630ce67db6083cf5bf3d.exe

Executes dropped EXE 1 IoCs

pid	Process
3344	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	96dfcbc0a357630ce67db6083cf5bf3d.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\A:	96dfcbc0a357630ce67db6083cf5bf3d.exe
File opened (read-only)	\??\H:	96dfcbc0a357630ce67db6083cf5bf3d.exe
File opened (read-only)	\??\O:	96dfcbc0a357630ce67db6083cf5bf3d.exe
File opened (read-only)	\??\R:	96dfcbc0a357630ce67db6083cf5bf3d.exe
File opened (read-only)	\??\Y:	96dfcbc0a357630ce67db6083cf5bf3d.exe
File opened (read-only)	\??\P:	96dfcbc0a357630ce67db6083cf5bf3d.exe
File opened (read-only)	\??\V:	96dfcbc0a357630ce67db6083cf5bf3d.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\M:	96dfcbc0a357630ce67db6083cf5bf3d.exe
File opened (read-only)	\??\Q:	96dfcbc0a357630ce67db6083cf5bf3d.exe
File opened (read-only)	\??\Z:	96dfcbc0a357630ce67db6083cf5bf3d.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\I:	96dfcbc0a357630ce67db6083cf5bf3d.exe
File opened (read-only)	\??\N:	96dfcbc0a357630ce67db6083cf5bf3d.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\B:	96dfcbc0a357630ce67db6083cf5bf3d.exe
File opened (read-only)	\??\E:	96dfcbc0a357630ce67db6083cf5bf3d.exe
File opened (read-only)	\??\J:	96dfcbc0a357630ce67db6083cf5bf3d.exe
File opened (read-only)	\??\K:	96dfcbc0a357630ce67db6083cf5bf3d.exe
File opened (read-only)	\??\U:	96dfcbc0a357630ce67db6083cf5bf3d.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\G:	96dfcbc0a357630ce67db6083cf5bf3d.exe
File opened (read-only)	\??\W:	96dfcbc0a357630ce67db6083cf5bf3d.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\L:	96dfcbc0a357630ce67db6083cf5bf3d.exe
File opened (read-only)	\??\S:	96dfcbc0a357630ce67db6083cf5bf3d.exe
File opened (read-only)	\??\T:	96dfcbc0a357630ce67db6083cf5bf3d.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	96dfcbc0a357630ce67db6083cf5bf3d.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	96dfcbc0a357630ce67db6083cf5bf3d.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Numerics.Vectors.dll.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ul-oob.xrm-ms.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ul-oob.xrm-ms.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-pl.xrm-ms.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ppd.xrm-ms.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.png.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\COMPASS.INF.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.SqlDatabase.dll.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Common Files\System\msadc\msdarem.dll.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Runtime.CompilerServices.VisualC.dll.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\UIAutomationProvider.resources.dll.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul.xrm-ms.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-oob.xrm-ms.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ul-oob.xrm-ms.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-oob.xrm-ms.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-100.png.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\msipc.dll.mui.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.VisualElementsManifest.xml.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FPERSON.DLL.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBUI6.CHM.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-xstate-l2-1-0.dll.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\ReachFramework.resources.dll.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Windows.Input.Manipulations.dll.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\libEGL.dll.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_sv.properties.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-ms.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\WordInterProviderRanker.bin.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\TextIntelligence.dll.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-localization-l1-2-0.dll.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\msolui.dll.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ppd.xrm-ms.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXT.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\PREVIEW.GIF.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-pl.xrm-ms.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-oob.xrm-ms.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-oob.xrm-ms.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\TURABIAN.XSL.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.WINWORD.16.1033.hxn.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\UIAutomationClient.resources.dll.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-phn.xrm-ms.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-oob.xrm-ms.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\msipc.dll.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Globalization.Calendars.dll.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\msquic.dll.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\es\WindowsFormsIntegration.resources.dll.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\colorimaging.md.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul.xrm-ms.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-100.png.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\rsod\office32mui.msi.16.en-us.tree.dat.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osmux.x-none.msi.16.x-none.boot.tree.dat.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\INDUST.ELM.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.Http.dll.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\PresentationCore.resources.dll.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\es\UIAutomationProvider.resources.dll.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunmscapi.jar.exe	96dfcbc0a357630ce67db6083cf5bf3d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 3344	4880	96dfcbc0a357630ce67db6083cf5bf3d.exe	83
PID 4880 wrote to memory of 3344	4880	96dfcbc0a357630ce67db6083cf5bf3d.exe	83
PID 4880 wrote to memory of 3344	4880	96dfcbc0a357630ce67db6083cf5bf3d.exe	83

C:\Users\Admin\AppData\Local\Temp\96dfcbc0a357630ce67db6083cf5bf3d.exe
"C:\Users\Admin\AppData\Local\Temp\96dfcbc0a357630ce67db6083cf5bf3d.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3803511929-1339359695-2191195476-1000\desktop.ini.exe

Filesize
6.3MB

MD5
2ab7dadcb62ae1c3587c28117bb4cba0

SHA1
a995ad1d6c1bf6d354ee714788ddacf9f56570d6

SHA256
6e1c67fe00a8af3bfc9844befe792f3712288c48b511ff41c2329cacf370bf8f

SHA512
892f34ff7e764b90359c10850f139d2ad99761163a2efbef9b9a0953d897d6f321261b93dcb1d46a2be81bb8b539aed02a2ac8f0bc0ab308b2c2250023a40497

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b2540a2b75c16a4bbfab08c0a1960cbc

SHA1
d44126681b91047916f91ee2706618d3dbbfbcd0

SHA256
98a5fdda523888e7be3df2ab0cf67fe65a9d3f263c00e79c9e6cd0e2335c1c53

SHA512
9869cc29232e15f7572a2c7e0c2596eb06d05498518cfe73c502ef4a20b8d2919098d60424791304b7ecc87845c9d6a0089cffeb63155c0c3bee6884ed9b1366

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
5a64e94d15cd44ac5e26eca0c0573ca8

SHA1
688860d9395dff650d48f72432093d7c6ec444b5

SHA256
f5763da823881e26a7f13bb331767aea6c94801008cfe1c97d42ba2c197328ce

SHA512
34d7339d49d52dbcdd36ec597d9174b401d37376bacf3d512d5aabc418b4ab59ad0a02a2efd612bc0e07f32d6bbe40aa8776962cafd73aa66da1e588f81b585e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0b114b7794d337db86ef0c9a109b9e8c

SHA1
b7ab81a6b6371188fea3a271a31e7eba3c7ed497

SHA256
94aec7d63db1e74c5bf3e50d94ea876777f6cb10e90ba0c38b917f67ec48aa5a

SHA512
d4dae5bdd4ceddaf0b9100e82ae99dd4152d668df8f93b817266e001360d635a86d3a3b0c646394ef46cd973c00bde3da90942270d9765f87e257d8f9467b375

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
c1f478d170563f2b76d1856f171d1ef7

SHA1
5b5d6670ccb8bfca9eac4c9cd08b71167f7b8639

SHA256
5f11ac55a1aa534981bd44c0b8c273457967eb99d25764ad117f446dc6a40022

SHA512
290f2646c7c8aaec3d173f2ae95c5d7dda5f634cae69f7c73d422e97beba966932b08e2ca5845d5459752fcf8e53b85f6aede779f2a7e1075d0161ec4c933466

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e1fc3d97bfd65aa4985490e41cbd3f6f

SHA1
c1f7fd12da204083436b8d9103b38bceaba4bf90

SHA256
c68f91102f8d1623c8b4d049ccb4dd4701ab842730d3653d2a2ac4a8098ac681

SHA512
d67e1dbd49dbd1725bab8a311a11f05e67aaaee67ea0781dc362cab88500a194600a0f5ac1ae04251db24945ee46b0ec0ab37bfb222221fa7e93eeb3e501f42d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
a0e44081411a71be9ee34566209cd692

SHA1
880fc8e855a964e05c7beb7081c0f9ef70876cd1

SHA256
034fd9faeedbd8efcb99467bf739d4cc2f92368541d43f51975c0ca37ca9afd1

SHA512
38c22e2dc17b67b8ee3489af2c986864e3e493b99dc63c4a4898a287625ee5d5a95506cfcf7543a348af33f3fab6935fd37cb6bd578c5ea4690a43d2f8a50ef7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
429f31e938f3c7721872114ed0989bca

SHA1
3002b2ecbce2d0298bc0d5ee5d0d547da9c3995d

SHA256
816efa82badf5bb67b0d9a287502b374ac85a6d1307d4acb85869235b7ef86a7

SHA512
d0989c4902d4ab57575f318c9266c7ceef0f7698d315379464fcc529a1e28f0f6830b4e0a7fc9f9a9bfb183175e4c22a2f7e4753ac01cb91f97a166219a6cd36

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
d1c5606a2f0d24657b72a98a728f9839

SHA1
8bbc50385b085455d279fea545be62bc084cb504

SHA256
7d2edd6f8bb4d84ad34ded0e78bc9105994e70e77f15b9a234e0dd4fef06d6c9

SHA512
51165246693e040292b128e732749c8ae1a6936ceac1b72abde5bcdcc38212f80db1d592151f054e729a66b0b6da66aed9f778bac5e164ccab18efe63f3c3529

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
31eca553b07470f17ed113683518f3c9

SHA1
8b82e214894dcdefa6713b0ea80ec388f4ec8338

SHA256
341124a4920ad9d49eade7ccf80539c52e6ad36a8d6f62703a19b57f365e706a

SHA512
1d16cf85c74f6f30b9d80d783560876111aeb238d77f25565d622440bbbc0b4606bcaf49066571101d18dc63e88531ba38c034b9246f2fc77fa7d1758842d346

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
901c48a78a5e89b01a85f56efa12af9f

SHA1
27a58c6415a00b7a483b8ee43e1ed4c2b6c7cef0

SHA256
569da5c5a456b8c7ffb34b322e699da4ab14f1e895ca51eb756262ba16018ae5

SHA512
1380e536b677987a512f251affe2c2dfad89ed435c19822f33b49ffcd0f0d58a22c570d59b121a58b07927f70b9be11596d13fbc0b1c6bc44ae6c6fb99c67022

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
cd5d8f3950fbe207f9302223bacc92d4

SHA1
ede4d6c9a0c2f6021df5c1b98c122c83b4d5e40b

SHA256
97899b9a5e417f536b2d9cdcc803e55376aa465ac6e9f69a746b26bd15bfcc92

SHA512
ba958f7843650adba579d9b60e73e37f79f0056aae023f74f6c62347608eb92db760a53c3ff083ef13247c12d05471b7fd1683abf0fcbfe612a5b2f534e57e5d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b70d7c34d1fe05c782d26a2446aad61c

SHA1
7acb4a97d21e750d8f5ef6eac07c0499d830f524

SHA256
ba9e836b358a47f7850f8e5497289b297262b0ada0e5def902a2f943cadb0ba1

SHA512
5c1351faf5cf571a582ef1e61575f198f8cbd14b20202c18efa1bac44baff048b5d8006d8021ca88870d56ca783952fa710780ecfd7c015a2bd47361689d242f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
c0a25bb50db9e8c6ea50913c652902da

SHA1
e42e0c18c82c8e7331857750a3c790018ec58e17

SHA256
1b98f53e4518b50b8b05c879d9f3e4b1e8abe67a8a8b0678d438ef68b8f9723b

SHA512
d65ef6eb3da4f0872589bc5c5a1babdb34fcaaa500d4879b8f0744c4208c085ecb9fbc453303fa6c22f470ebbfe9ebda92387955060cd4b8113964c77b1e8477

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0f0b3073f4fb094d85278100f968d412

SHA1
357cbef23791a9623cfe5cbece3464e2ad59bc5b

SHA256
a906e078845362cf73221c28b5ff5d51e932a49bf8d58ae31097fd66eaaab6eb

SHA512
853b72f5a3d12ba4c423ff6e0d25fe00ef2881b1e91560a6befaf8891a5ddbba4b6ae6fe65c22be4a46aec32f75fa5c577e4d4e7b5434efc0e3d2905bbc8b04c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
7846a866ee4e47c1a3d10d834e048044

SHA1
07b3e50627c474910b11aa2a85a8ab9aba15c50d

SHA256
6affa761a715c8d68f88ed0eb395d85f855845446e81c6b2e49ee52f2b075039

SHA512
ef25f6461b4791d442407a6d7c4f01169783788b17d95c1479cd720cd32623c0fb64dda447d8b570ff84bdc34dbe9ff31939503fcc07adf052a503e2aa5e4b9b

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
1.9MB

MD5
52af0ac6d97115d22994c8085ab683a2

SHA1
83915de1d5fe15840975dfe2b1e4ac527a555415

SHA256
a9073dbe61dba4c0948c1599feada74cc75ca5e78d5c670d119be34cb6672c02

SHA512
b76c4a121dbfc7a3238ee3a1ffb18b07dc7cf46cbe687203bcca7d2e82a163b52bff8888abb284a71f67323ec71ee32a2f7aa86bdf2a0ac4de21c92acdc7315e

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
1.3MB

MD5
11d4cabfcc81ffdedce4f262e488aea0

SHA1
d456fe01aebf13b4e13a8b5549113556c37b48df

SHA256
8a7db868c219f3b227b588fbc2a33ed86de0d7c41aea50d885a219f8df4db628

SHA512
4790cdf7e8963897b910df5c91650bcc5cd6ca46c424a28a50397ba2b134ac3f45ecdef4db171970fce9ca73adf43146bc1bf0c529eb3ef77348453e58e44189

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3803511929-1339359695-2191195476-1000\desktop.ini.exe

Filesize
6.0MB

MD5
72f70efab82456a85eb677b02352cbe5

SHA1
6da6b7173a4f8c9ec917d28dd40fa3440d65d570

SHA256
c2de7ecf90fb38f015a479ca7ade5c1daf9ea20d2d8f7c2b00a1ec88af058bf9

SHA512
751389eb36e666b15df5b756e1bef2bbf9d0a0990eab074f310c881d8bcf2a9d5e1e76683b9b9ce6d86191597babe30cc3c52e0aa7934be0780929d72cedfedd

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
6.3MB

MD5
96dfcbc0a357630ce67db6083cf5bf3d

SHA1
e5c9b296e5d09e340f394a7ad751b7a71368823d

SHA256
345efb6e2d178dc9c57c9959d005a1f709340cc1e00a80960483ffbca6c4954d

SHA512
ac3a99dd49796883eccae155bda30c28dbdc0b4c637b6cbf0a99c23cd68d9112a687b65b494305e3327038f852bc9e4de4a9025974f183e9522b12d007d7b016

Download Submit
memory/3344-3043-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3344-7-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/3344-5-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4880-2023-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4880-0-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4880-1-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/4880-2563-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads