3d0c7b6dac64f9556777ce69cecf748fc962bee297194a2e58291ad10725d9cf

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2024 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb6d3d33e4019bda4c89599f9eaeff42.exe
Size

958KB
MD5

cb6d3d33e4019bda4c89599f9eaeff42
SHA1

5df35c25236224ae136d212dbc5e9a6d21fa6ef3
SHA256

3d0c7b6dac64f9556777ce69cecf748fc962bee297194a2e58291ad10725d9cf
SHA512

4fca6c823f62353625a2a5de63e3c2f2dad1e4441c128ed62d7d46c55ae8c7460866d617c976e71184656dbf9f95289dff2d1bb8728fd795f365eddc17adc0de
SSDEEP

12288:Pp4pNfz3ymJnJ8QCFkxCaQTOl2KCsltHP:xEtl9mRda1MIHP

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	cb6d3d33e4019bda4c89599f9eaeff42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (4446) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	cb6d3d33e4019bda4c89599f9eaeff42.exe

Executes dropped EXE 1 IoCs

pid	Process
976	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\Y:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\B:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\I:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\R:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\T:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\Q:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\Z:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\E:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\J:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\L:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\M:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\G:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\N:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\U:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\V:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\H:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\S:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\X:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\P:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\A:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\K:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\O:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\Y:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened for modification	C:\AUTORUN.INF	cb6d3d33e4019bda4c89599f9eaeff42.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Text.Encoding.Extensions.dll.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\WindowsBase.resources.dll.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ppd.xrm-ms.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-phn.xrm-ms.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\sbicuuc53_64.dll.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ppd.xrm-ms.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNoteFilter.dll.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\UIAutomationClient.resources.dll.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ppd.xrm-ms.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ul-oob.xrm-ms.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Security.Cryptography.OpenSsl.dll.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nb.pak.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ul-oob.xrm-ms.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jsoundds.dll.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\management\snmp.acl.template.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\tzmappings.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote_win7.inf.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InputPersonalization.exe.mui.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-GB.pak.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\GRAY.pf.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.Ping.dll.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\ReachFramework.resources.dll.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ppd.xrm-ms.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-pl.xrm-ms.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-140.png.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-oob.xrm-ms.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.Serialization.Primitives.dll.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Java\jre-1.8\bin\klist.exe.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\UIAutomationTypes.resources.dll.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\libEGL.dll.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\java.security.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ATPVBAEN.XLAM.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\zlibwapi.dll.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-phn.xrm-ms.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.SapBwProvider.dll.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-process-l1-1-0.dll.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ppd.xrm-ms.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-oob.xrm-ms.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\hostpolicy.dll.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jps.exe.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmti.h.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssv.dll.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ppd.xrm-ms.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ul-oob.xrm-ms.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\System.Windows.Forms.Design.resources.dll.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Diagnostics.PerformanceCounter.dll.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140.dll.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 976	632	cb6d3d33e4019bda4c89599f9eaeff42.exe	86
PID 632 wrote to memory of 976	632	cb6d3d33e4019bda4c89599f9eaeff42.exe	86
PID 632 wrote to memory of 976	632	cb6d3d33e4019bda4c89599f9eaeff42.exe	86

C:\Users\Admin\AppData\Local\Temp\cb6d3d33e4019bda4c89599f9eaeff42.exe
"C:\Users\Admin\AppData\Local\Temp\cb6d3d33e4019bda4c89599f9eaeff42.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:632
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2727153400-192325109-1870347593-1000\desktop.ini.exe

Filesize
959KB

MD5
32c46e9d9a3d4353ebf2078ce49a7080

SHA1
06f546a88411b9925482b7e12010f748b18607cd

SHA256
20fcda5326e28e45d94dc45eaf01f1283d873837b8b192dcf08ef85a6fef5ece

SHA512
9dc7605f6418793494f1144732e79ed3143d3995e7aa7df353e6c3d871a863779d0bed8e483e86503ef1ae3352005aca1c9cc3730c62503ba8df334ecedd121c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
bb19ba860ea799368b3002a4f706fc19

SHA1
855fa519316d73872da2d07057b4a9a5e178a386

SHA256
2c045eee88aa050889a0afc9685da906b8afe603ac9d2f427c8bcb0a8bf0357e

SHA512
87990563cdeb6d7f46d334aa926301abc8c89bcbb0a08c0839bb702f5f0c284eff9a91bae1b8186505d520d7b0d92ab984d333e0b8d7eadc1f9a30019f120849

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
ff6cbdfaeacf8b2b845f142324b8ef80

SHA1
1fd0a461934cc37a464a14d4bfe779bbbb780a21

SHA256
168acce62f9f918ac59512362b3a33471d3b530b4542e6decc9a311f0ea16856

SHA512
5566c1f7dd7a617200885b9a01e885fe774f999511756c5c6cd95b837f9c6039bc3897985e922d941dfeff39033f50249880ddd1bc33f7fe6fbefc2a3f4bba08

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2cddd59e63b1f61de476659f4276a8d5

SHA1
76cfe44ef3cd064fa2da2849266168b72b123acb

SHA256
faa923bf19ef906cfc0dae3e239232d637769fe148a5747721ea8b0a2c1b9285

SHA512
3e3ce54f296b3c6edfbcd71611f1a7ade8bf0ccfa53bfa365ce6f88b0f41c90395cc4719b3d0f5d6e34ab1e126cf9ebdf6eac7c184937ac022626d18da21a5f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
2dc73cb3fcd6645fae6cfdfe5a5100ab

SHA1
f278d47a9913dad4ac7bbabea9876fa4d4088b8b

SHA256
29530581c99bf14fb8023919d68d3929efca7f055f0d417a3a9d3b0808218524

SHA512
9877e9b1e8d0b5d9a029d43e056b7500cf453f69b6d30fd807e0881c0d2a31443f1ad62ffa62176ced945912826cc37b686263ccba76e75b73a82574be1922c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
5f55d1df63d11b11c827e90be482c283

SHA1
6b365725b22582e495e51b3c28b566b45d9e60e0

SHA256
dc1ff1b3793454591afbc13732291f7f83146534423316da679946285165106a

SHA512
60b46bda0d8ad9acb4b1e0baed5d63b1eaf75fcaf5bb6867785037bfbe19036598cfe89e8272e7da4c45e1e37a345a62f2971ccea53ba7cbeb9b75e4a47bb925

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
0d1356a5fd10b6dfa1a0336a556de77e

SHA1
0e131f6c1d5ba0766d81e2632acba3140db04aee

SHA256
bd064702d99386d8db936c714955839d07041f5bfc0606a074ff33e17c04bff4

SHA512
3e4db443f0e9f6d9618260a2a2697e047b2181d49ae70960ba0021914d966c734ebb062c1860f6be6155e47dcb0c8c36e3a386cc3951eb04fa6cbaa472e705eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
858c7b00810dc4d9810507c4f59242d5

SHA1
68915858d69fbb975c2c84ca6c47ae0d89505661

SHA256
eb50c07ea99dc1606daae7c2f83f57407d0be7a9ac25a60a195b1a81e8ce7da8

SHA512
5191c418096b4f0bed2befb60505c471c91484360764ad259db01f298efcb751a03d74b04314e2e917c2b1d68d483eb6bfcd1fa5234dedbac86e68e01c5de453

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
24940d7b4cc420064c9c1df3aa020722

SHA1
06b1d15483aadcf3bc03f349257160dc803f31e5

SHA256
0f5c36fe173af1f4e2439a9b797535bd43a7618b3b1205259838b3d1f26d2e2f

SHA512
15ce011c450db62728f402b6ba34e0c016368d6370b15b6fbf82cb58273bb1df9eb9cfa38fa77cca607f74c9e700ce9a7477bcfec319857e46e4234452ee41cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
f6e637c9012ba38e4c2c4c9071ba347f

SHA1
0670d2a57f20bfb168a9033437a9068065e4cf17

SHA256
3a16b69ba088f69023b312055fb414b3f176fb764294d402d9286ccbd51563b4

SHA512
f9d895cf450aab7685d63e7df236b51aa2ca94368b07b9d14a3cc193650e2921e17ca213c01d3c16b928d35248303dded416c378540295e2ef9836ad03138d32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
efcf84d859d612bae065b889e9da8a4a

SHA1
8335b1b57d6b1cc8a31cbbe4b9f1ec9333f1c245

SHA256
f16ced1cbf4812dd942897a0de22fa17ccfab796839dd108aa49f10285a8816f

SHA512
aa1adea9e8af6f5d87c05355a3f740afc084ad489cae837a2e75809ad34a1074a29ae1666f00555b51ec6c17a23f27c3146141b883ff1b2fe3309371c59cf18f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
baed788d26a77639b8ece797121752b8

SHA1
c53ce025915d2e00279502c2f1e1931faec47197

SHA256
c6f9cf0f8ca6113d6e93eb092b4aadd639a0f2fe55695e0434161b4e00f67175

SHA512
497d37bbf8e7a470e1bffa441bd23a6d4849bccdf985ce802f2bbb647dc86fcf4fdd80012fe16f50aa62beaa00d33d26f91d776780b154a8a2822b42fbdc26b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0b33fb021d60713a401244dc1e8d78f6

SHA1
edab00e000f70e64bf9815b28051153bb75552cc

SHA256
1271eb1844c86f146c3faf4ddcca52ef0ec0be9668d467b5cdb12ffe5aa81f2c

SHA512
3f86ffdea1b89994a8fd97cba05e97485582b17b85d7f5ccf9701e4d56ae26ec4b483225fd2690ce7d3217fe7a5369bfc399fe5f7ccc537d32218fb1cd2ebd60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
37bf456a3b548cf48edf97436d7b9db4

SHA1
ab717b96d006d7daa5549d4ca9c27a9d3e423afd

SHA256
7e303a9ce11b9c335018fee30d69fecd36881b88ff9dcd0c48919b9ebf129062

SHA512
02a98b3808e58d4e9c6a4531f66ad978583dd766933574b1098e123903ba911863a8bc6ca8dd0c68fb33a756c633fc870df25345d9dd85cab9e74197835575e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
dc1c31a688e5ea31d455fdcfab54428f

SHA1
d2fd1c798081e49292636a4df37613b7c4d910cf

SHA256
f0257a290562b877c81b62a93884e4ed335c839886dd058cab347b2d76da6560

SHA512
4da5f471050246c0cdc7500528300d43a01ad99c2bd2cb0e94874dde36e2b400c3f8573f8595e94f7b4b3334300468fc5bc7611ea4f0ad5be18b8ac8f298ffbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
43d01e7d8517bfd020dca78fd602d388

SHA1
98ec7422ad7803396f3ca533ff37ba1a6ae29ea6

SHA256
d8cab3b018352d52c1517392c14bc7e25fcb6a73a6604176daad7078a397b1b3

SHA512
07be25d4c416cd81d4327628e59488ed3a4ec2437d7e5664c6c9e36cff0b394586abf590c7ebc21fce74738dc405ff7da11d10546724986c8f6b22d76eca8d12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
cda042f5d2d7b106b11ed9510a60c480

SHA1
39abb282fd80f5b0b92113738f9426a1e3173152

SHA256
79f30efb2300576dac547c199a283eb0a8b185516ab0624460c362e4a57ff7bc

SHA512
5da6557dea902f3a0f114cce8cd3772ce3fee9b2c6686188926b8bdc69fd6785d0187cc1c4aa5aeabb6fbfdff40ce064f66cb3072ef4188b9b25a1647ce5ff45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
129ea495d119a5e61530dfa282a7e00d

SHA1
6935a3f3e78b62184612d6079279759172a7cc89

SHA256
34aec99776e6d7828afb83b27ada3bab5d7e18cc459eec28d8c170f1071e85ca

SHA512
5758085f8cf4c7907bc92e8dfed3b625d025c553d8c8420e644b166507215cc12459c4ac57100ba1d86c7c12df556a919d4a7495a0205d8d56363febcbebfbad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f51e7dcfeffabf8869b7804c0a558411

SHA1
437ae43e5e3e55e5647b2c27247901445bb0863a

SHA256
30d3399bbe4f5288abcd2dc9812c32444d80471440c25bb8be62bca3e01d2deb

SHA512
1da2e9dd099cc2d74d67feb3caf644f82da6f49847486a480ee44419a0fb4af625ce321b7a08761bddf0e37c6a433859c1b46bfaaa8d5a31d4257d784b35a350

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
4f27ed1c981dc700f801fd903069c13d

SHA1
5c9de681dd982d3444b792251285a71d5a1476f7

SHA256
2d77d6eb56638e9da5d6d22cf045031176618510d05ba7b1cafb4ebed021224f

SHA512
87ffbc13905d57a9408f19d9d2f4924c6a15a49a7f0596290fe15e1b7a4acfdb137cbe94975d442c586b16475b864bc6c0e6836bbd874d4a9ffc3079d3110e77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
3da91d8b13ab328f77cff4fa2c6313f7

SHA1
27e932758815cd8eb7c65e919d006c10b8e233c1

SHA256
1b1f771f48bf44fac3c564c7d9768bdb7c0f2d7bdaea1b84a5b8dda450bfbfbe

SHA512
b41aa3693b17008030ad83c3266cc8c703a10e50533c8891fe19d57a35de9f095ebdb704f0d099687c0adb9ea64d1615b61afb346d00ff1dd4e19abb89856c31

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4af33ec97c745e4a1f0b065027d22724

SHA1
70a8051b69ea70fb937cee4a3dc4a0393b03b763

SHA256
886d497970a165e87ceef6be333d7c38c6348979659c648943a08988c5b605f3

SHA512
9e9469b8d2fcc4bdc5d6d91f059dda8bf11946e3d4b1271f06ef18fcd0331f3f21aaff0347b7f70dbc26d6c9687bb5b8531148497b302f216ece1a6212f78d4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
5ffe6d10c27d66bfc2d497c5cfd1a4a1

SHA1
b554dbff77a7e7fd126a40f74928e1ac6a314905

SHA256
e535ecbaf7f9b3012503d822648692a09aeaf71df629baf58f810b60c3880843

SHA512
e3cd73f6c29b12a9ff288e8b7f5ab13af40d9a8a4a82794cf21b6158864a2554f483282d3283f1f222b71d6188c26d1542a098dbf602d2b8fe08acb9d0e08f9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d6dc6784e3129ab180351c13b4c90874

SHA1
617948d1effd59d1641dde94a625f33e1081c209

SHA256
288e856cf0d4fd9728e2fa0a06e41c70f4bbe1d0926f2c4b3042e559244bcfa9

SHA512
ab8c3c4cbe66b0aaddc050ffeec3ba3357813e934366d0a2d895105d249159e0ee0674d01072775d974c26f7f80bbd9184e960ba5f1cf779d4efa91e95e93f1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d6dce6892fa39e76d0f65490bb29ab2c

SHA1
a282a3af83a6f9895d84cc412623040f934d8c95

SHA256
81c144888a358194a09c740f6cf63736dc9aab8911c5f6d8094a13e98bb7c1d6

SHA512
e61d76e233d10c377dc673d93bb63ba0db2017e4d8238d11b078e32f93642c336a66c0297a7dd4d8867b35deaf0beb20a9a16cd1a7b264d68b6e0776622e669c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
3e01afaef50003d7ddaa8fd43c973788

SHA1
9705df44705894654fefae2c2cea1e13106a0025

SHA256
466ec5bd9ecfe344ddd44fcc34b921f51dcc7b8101ffc727a9f99c52a7591714

SHA512
ce5aba41b423efa1484036fb45ba1651c02d336248063675c434e43f38f5b71b6667810cd36fe29057610bf88ddb29ee1bee6d97c4891a8b14b2ac741994f39e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f7aeb1ae06ad6ae20047906f740162b0

SHA1
38557d910d7e332b11908eb2c854d0c4905b882b

SHA256
7a4eba075a62b2a1778f48392ea03a50caf555ab6feab0bcda79ea7ecb45e2c3

SHA512
c3bf014cd333dba5202ac9ad4c2f631faebd64dcaf3295e30291eb8be8d54f7fde050f6a9e1fedd2a25c92f27b7b25a0649ce40bfd0684e8cc35dd2199d8278e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
24e25ce29e6c70f08b44801539a84536

SHA1
1385b619cd31ec79c848ec5a0682feda1436ca97

SHA256
2ec7eb1f4fc0990935aba61e08a2a1ef60410eaee9942427bc76391e0bc88bfc

SHA512
9016b411232f59a227333f6035c3e6e7f9d4eecc81bc64137210bf504daf9b1c5faecdef6e081d20d918cb845760dd3be4396977d3abe57463145a912c0c5bcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
afdb0b11f5adabe97a37c24beeb8139d

SHA1
4b1b7dbce8bc0bf89f3678e407125f1a852ffe31

SHA256
a072a75de3a4c3764627ab57f8e382209fa0bc369b94559914a256f79013b599

SHA512
2b3778266246dec631c3228f6cd6946b4db6a01f6acde89f549d6e32bb723819907c5fabfaf723ab08b515360bd404d5f85d961e7382b5865d2df4df77037861

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e673dd57ba20edb7b8b8228398e47747

SHA1
d1c6967ae15569abfba5bb7f895b5be5673c6f89

SHA256
62516228919e4ba2b7bd802feac435939cd61f7e112f1d21086d3679eebe596e

SHA512
8d41575344283960664568d569c3e6eed4f4065e7a9341aae5f84825b2bc7a8c4d80ebd4d76e0629de60633974d697a6057a9097654ed4d2cef802ca7557816b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
0a9a9a4f6924ec30b5f94a2e9c1afae5

SHA1
d061845e372d16fac4243d0178f1e6bb96356e5a

SHA256
831caeab3b7ae0b4ef689b1b2be41fe96179cbd6cc99b42d6888e8b58f0bf2c6

SHA512
aa99b3ce4e678675bed91a1f836ca31f735d7f435551cf3ecb9e8da62ef5cdea1840b4a30d7ab216d9172413111eab537f260c1ee1def7c68962e41fabfe8833

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
fd38d87bccdfc261bd515324623a801d

SHA1
9ff9f0788d30e216de55afd3ed69e48e7056c9ea

SHA256
3b159e0557855cfccd229b7922feef97a6ac1e5d36cfbc25e9762894b40f00a3

SHA512
07f909bbabd801704355fb0227ff043bf98695dade7cfcc241d0e61b4160153d6c45301290eee726fb88426b1bb14ff8ad1b5b49427e2f1db6ed4009f0f2108a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2241c2afc20063a0516a3cafa3d0e729

SHA1
efbdd4175db557f29bae06dd60e7f0f69f7dd22c

SHA256
b3bee22083de779f0c0df8dc20929b41ebddfa5918366ed081522a2d3acf43d8

SHA512
b286e1b3e5f2bcaf467e647f05230721be1ebc8520ec1422a4fc65031ce8e70687540d1f78656a5f7d7c0b50d5bb1d46fc4e3aadaea4ee227d69202b0cd84307

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
439759b11c6cafe6e5e6ea48e6a87b4b

SHA1
135ad2ff6e0130096d052de6771861f31c92ec5a

SHA256
801fc78f92c08bba3c8beb06ba6c4f2c0e6051454d97aa56de5b25f2a58c7983

SHA512
99a972fb60b11b3e7acbad4eeb5015a25bf698653f56fff53df4c0d8871f565129a35a0df1e77bc6cb25b046b9ed300571026d835075c2e9e5681670ba1e51d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9f246310618441d76af558db74d6a854

SHA1
35d00808aab0337d6fbd6d8c285504aa8f83835e

SHA256
9184fabfb5e911b792dc5629b51f7b7473cea77e419236094f5c7276e23fa051

SHA512
64cd11a28c9bc191ed0bdd6719b9af5a320e1564fbe500e3e33da2bfd2f7d4fde68e64d65ea6641155733c855f6f6281b5b265010faf41461b29d49809e7ad66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d99e9d0ec42c20e9cbbaa06e7120cac6

SHA1
4e072baadc907d319f35a556f82784e9a0c23408

SHA256
0edab44c3ed16423f5733255d1efc9ac54e67c5b000776fdf7ccfc15e00fb41a

SHA512
2c49437c1dbe2b37e157850550a2249ded6372e3c99d2fb660f9d2bcef0f4d4e876b5856e9c8943df450203daf5192cc7a7a36493073bac05fee7a360b493de3

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
953KB

MD5
dd15a872279dfe328a4228d5dd110192

SHA1
a61178f16ed1484558fc1b15c62abd7162ea8d36

SHA256
22d8df9d2e93842fa3ccea12fdec16701ef4e1978e90ba95cdac164d55db660b

SHA512
85ca80a3903cc7c50035964170d3035f3291fef19574a70f90e0d230bce70be2d0e44e3678883981d966567c5b2c99bf3c8f6b47f4730a4017a4a5de919b3562

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2727153400-192325109-1870347593-1000\desktop.ini.exe

Filesize
959KB

MD5
ce84c7a83b3bf82a8e553302a287f99e

SHA1
91956d2dce37104dc206337b7b722db4136f9abb

SHA256
f5063914575ba387549e5d9cf70ea627aadf3a61db8eee764d32f99c3860f06b

SHA512
9b30baeb069037939a079074226c6fccf5b176d42f0a3f336b65d719bf931cdf2c8e76c8590c92857e1dfeff59ae3b69a9bfd06c339e7afee9ba8ad32dff8e4d

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
958KB

MD5
cb6d3d33e4019bda4c89599f9eaeff42

SHA1
5df35c25236224ae136d212dbc5e9a6d21fa6ef3

SHA256
3d0c7b6dac64f9556777ce69cecf748fc962bee297194a2e58291ad10725d9cf

SHA512
4fca6c823f62353625a2a5de63e3c2f2dad1e4441c128ed62d7d46c55ae8c7460866d617c976e71184656dbf9f95289dff2d1bb8728fd795f365eddc17adc0de

Download Submit
memory/632-0-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/632-1778-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/976-5-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads