c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993

Analysis

max time kernel
115s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 05:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
Size

6.7MB
MD5

32e845f7459a02d026db70ca010ccc40
SHA1

b3678082663c4cd21f50b354cd7556331abf7736
SHA256

c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993
SHA512

c2ecbf2cb686564752639c4b359ae9d909f83dcfc05c0fe258ceb4a0103efa5378b606bbb8d09e06dde7453da5c4d0d6a358510b819c20894eb74e6443df1477
SSDEEP

49152:Kwi0L0q+wi0L0qR4wZB8NIM+B8NIMI8Sfpwotkzaxc1OGz88wk:Vi0fi0H4wmIMrIMzKpXOMGQ8wk

Score

10^/10

aspackv2 discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000a0000000234e1-3.dat	aspack_v212_v242
behavioral2/files/0x000100000000002c-15.dat	aspack_v212_v242
behavioral2/files/0x00070000000234f1-33.dat	aspack_v212_v242
behavioral2/files/0x000100000000002a-41.dat	aspack_v212_v242

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe

Executes dropped EXE 1 IoCs

pid	Process
2624	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
File opened (read-only)	\??\L:	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
File opened (read-only)	\??\O:	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
File opened (read-only)	\??\I:	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
File opened (read-only)	\??\Q:	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
File opened (read-only)	\??\T:	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\E:	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
File opened (read-only)	\??\H:	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\G:	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
File opened (read-only)	\??\N:	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
File opened (read-only)	\??\M:	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
File opened (read-only)	\??\U:	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\A:	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
File opened (read-only)	\??\K:	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
File opened (read-only)	\??\Y:	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\R:	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
File opened (read-only)	\??\S:	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
File opened (read-only)	\??\V:	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
File opened (read-only)	\??\W:	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\B:	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
File opened (read-only)	\??\P:	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\J:	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
File opened (read-only)	\??\X:	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
File opened for modification	C:\AUTORUN.INF	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HelpMe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2624	2216	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe	82
PID 2216 wrote to memory of 2624	2216	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe	82
PID 2216 wrote to memory of 2624	2216	c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe	82

C:\Users\Admin\AppData\Local\Temp\c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe
"C:\Users\Admin\AppData\Local\Temp\c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993N.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.exe

Filesize
6.7MB

MD5
a51b7aad1157818895d5041bebfb635c

SHA1
6bd11ce9a077f7535413d5ab2711f4511d524514

SHA256
dedcc4ecdb9411291e58bcb5833f383d30f3a6af325343c2adac040ae11c646f

SHA512
a947199f42284252e8500170dc89eacc76fc989cbb2b06cf11933b60f5a1e741f55db357027f49d35e907957e5221feb9ed671599652af295178d9deb551dba4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
d71ca5fb99af7c571abbb1f6be567892

SHA1
420960b3d8046ab9d306edabeb32ecbc650dc5ef

SHA256
6673556fe833273a1b79cb6640d34b4c18ebf20ec2aaf811da37bf95189eb84b

SHA512
ecd851e92e9ff1cf1016bd92804fdde1168f039165ab7dd9f1b363b6b6f76eff2908dec13a443c5af6156365049811086a3d66a5ee382fbceb4246eb5ccd0bdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
197d8ca9b85682b9a879b35148181f83

SHA1
712d3bf56877836c6d38cd6f1eea28e89737cb26

SHA256
74ca0fe9180afc3f3bdf69559675e383a8cd10805934cab988ed0f27c2df5523

SHA512
d3270be8451e4b930f642f85199473b167f5d8c2048ba85b51c73dd0f175ec3672043ddfd072d6d166336e563adaa11a01faf87a7572cd66e0d7fe64a80dcd0c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
70b371eaaaa40269d9ef2abd52f2e16b

SHA1
89fdce86f1a2510d2eae378c30dada46bb6b292b

SHA256
876dcfb66bf01d7642843a44541a1ee4aa44b16ecdc00b72df50cc550b7c44c2

SHA512
1811548bda40f0cd05ba476de7d8f3d1836b7ad29fce34922db0d568d8bd226cd966239f05d0813bf29362f84ac2810232ae0e8b79a3cdfedeeefaebb1054506

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8d4c30d91780eb73ae118af7c5404816

SHA1
badac67e4ce5e2dddb669cc96a8e5961e0445e59

SHA256
f11ef18d0bc9f923ba3ffbd5a14a1e4ac5b98d5649d387232beebfbf8b73b060

SHA512
be42b49475ae7edbcf6329196578d1243ea8f9320b9d5c0b20b967677d28177ceb09ca3f114abf5e752b062e7ac5e42f4335578d0dc814f9e2ade7525e8a4fb4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
01938b1efd43163e105a31df10a80e1c

SHA1
54cedf4bfa19561261fe013e6b24f62cc93339f5

SHA256
5e82cffad6eab57ed2979d5b0a5ca09a7d4980bd8a094c93065dda93f9e40728

SHA512
9b0da87b035b89169483c75b25a38f676fc63fc945565ed71af0722052960e6824357e6d837493584b27776822d609cdcef1aaccbfbde1b199fb9387fca9e242

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9cccf6f9b985dffb0bdc4cea1fe613b6

SHA1
fabe2e8b50502af9b496700651e72a3922e5344c

SHA256
0e031b83c6e3e87f1ac6dcd6d7cdac02710796a31b6e5a4581d95fac3b076751

SHA512
b2e1aef18a5539e858dfbb3809cd94155ff73df0b161a26fdf4e529622ac5af3455817ebdec7f9d0adade579ed23b1260a25fba92beabf830caeac0dfbd9f948

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
7ebab34cf65f3e90b37fe8b5c44e721a

SHA1
b5d479bceee8ce3ec9017673fb1fc7b0d20912c9

SHA256
c064e9917b3abf0567bb7e305e562029816183a2cafffff1af646fa47622a40e

SHA512
b1e988be8a61b193490f12a4cfd6641d6956ba1d6165fe0c823df584638c8a15cacc630f1427a1990fa6f98a5dcc1b3bf7a1526b11d0bba311e438fbd8e1bd90

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ba30816b98443e3893d7201d14250cf4

SHA1
babdb102e7ca3f5e74860190507742f6c6c794bd

SHA256
6237da5e8729c22943013b78125b05745cae02bfcab7647ddb315009cfc8a8f2

SHA512
b0ff5c822a233a459b399c216077e3c1d867f931f6d3f0b10686f9adf21bc06393fd5e164aae1730452fdd32bf2335b2aca090ce7367c23f4d48e664c964ff71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
dee8a39fd034df45f3a00b3b809be012

SHA1
ad5eee1b445636923f021c2f31b7deaf8f6bc171

SHA256
67e2739c28b9da76e3039257f3b429a3032f48bfcfb9af1d35f9626a2512b15d

SHA512
c22443ac87262f03f5ced4b7e928f16e435cfcc266c2f5ba9716e3c76838d5ee243f7918c6c6ad8db13fa6518a1f6557917190db60f604fc4548c9bb995bb0e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
305ff977c56faa855b372c6188157e0c

SHA1
800765f6284c88f7634fe5941789cade39ee3a37

SHA256
b5057e2a2816a1646dc709ee1443c57f2807ffdfdf7909ce9a783c98128eb6ae

SHA512
b4162717960abcd5bcd45b64c3d8502142e26ac9611877bd9f2928b867ccd3af0cbb2f03ae88235eb83ae62e5c8611d04ec53e43b68cb122403c9b840a1f6c36

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
07f9931c03ade829f40cac7f25dcf297

SHA1
bf8b244f454ad03a89e544fb777632390822e0d8

SHA256
dc535ad01d33f0476bd3571e4f119066f8696bc028c6288873515ab4cad33428

SHA512
173789b6d49b3ca4b32b3fcba9f71b16ba4ee488ca0da01806988758ef6675ceb7b00091c20ba69ea577bdbd7b028aaf51e922556127be781d15f3565ceb36af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
752d7c4f262117aab1439257a79946f2

SHA1
a6f15055fb88bb62d2ac13082b767a799af53b4a

SHA256
70a707e27a83879003461adbd29fae663c1fe31a485798f7dc790a09652c244e

SHA512
6c4f7465fd995cf172ad9be8fa2911edcda394010c2e543558be1fb17952f7529b3a51b46c312b9b50ae43f0b0df349714f43dd2ecb907df488906e8beceb125

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
8f25331c71e1e01ea8b608463f2e9490

SHA1
0251033aaf3a89a9b37dca571d7b8640ae752328

SHA256
0f55643a97a290f3b4ac6dbbfb40462cac0c58dc8101ef1b1b6fd06d32d66a3f

SHA512
7fccfcc4a5d27fdd27302685dc5451a87aa5d9fc5f1c121ccd0c5f3f82d5f788c9b4b21504557d43aac34caf1660e39c1972eeee12ec9dc9f9eb0ec08bca6251

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e4968ce1e4d52d1e0ddae2c8f542b96e

SHA1
b00309c6f9a6063626a0fba89a9907ada99cd48e

SHA256
c5031cd294ae7de1d2c4a8343b6d54e7d839623795975ce5ea619cdb88090a5c

SHA512
3c953f73234ab373b3cb38956f443ce408deea718167ebd127f3e4a7e817904854337ca4e85fa6e876cb4eeed66ce9b54a61ef80cd68ca5823fb32b85b6f08f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
80c986427a176b6f2177817ee28f01be

SHA1
141d1165dd468094cfe80babb787951786a74b16

SHA256
e06e8f22c945956b14af0706bcbc1db8590ed089437d8e5bb357b47f2ffc8ae0

SHA512
b89d12c9f209e2aed0686e0a08b0f797ca46f385d44693a73f1ec5c7d6efa7b3cc0bf0b3f6d4b029b2ecd0f544d04d037bea0ca143f80c6dafdc9f8067114638

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
da49dbb0f592a34b6cb3ed92a6aba924

SHA1
58b5153671ddd82c69f9ffad610006a13791e47a

SHA256
a88844a8962c7bda2949bf6fb27095aa99e405d7f0ce3da25293680a19def1ba

SHA512
5c5ecf5c8a0d30dc1f86d896208c25b6beec5678c585e20d3ba5b81cbffada0cd4f2e13866a8c4b20c71577cc553afccf018c0c28804b4784e7a226543774adb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
bf798aaf101a1d21913609237a8629cb

SHA1
d9ab794663b2d40df05e8cdedc945b45bd133a52

SHA256
a7a13294f0a2e6e6d2e6af477b9eaef4584ef14fb93a0de2caf5a480dbd35740

SHA512
c96063d278a59d1597a87f80cf2112c534777b2bd1872ea0c1440e18fb3201aad1a0d3b99b97a496d34c257a9439a16eb723378afa6ebf4d6467c9dd7ff3e8a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f1f0982640ef546a285054b43ee13d89

SHA1
a633e4fe8243606cbecfc7fad4b53082c1d7698c

SHA256
afb021252ee0d75d2b90481b0f675e4f299924b196facf7a20c42d1b3663c2eb

SHA512
32e13fa55f9fcd34b5a5a7832f5d6971fd6946cd08f4e79b40a5952aa626ab2c62c9756ceea0d0e5282e48f9a65af97bc6fad27488649a71f48ec6c529198469

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
7cf4b40329796cb7129b83334bebd9cc

SHA1
b68512f28a6bfbb32f5d2445efddc6dbb4c7e822

SHA256
9582f03a3929185cb93b63368c3dfa1b908e93554f7230ef9a261bcd9145c538

SHA512
d4afc47c38248e7bd3a56d0eb1ac3fc368f3f90a112a715222f6f324bac4d0893343478726605e481a40859b7d0d87aa654d71487c370a04e1eb838ebc92b031

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2bc97d54ff3d51ae1cd2a9946007eee1

SHA1
432792912e8bc267d8d98f6f26db5efe96ad33fa

SHA256
8fb599e8944e8e74f8fc0012d0c88a686ed4a7044b7ba6e3a8b81016d4484f5e

SHA512
5638eb07cb045e4d9c7691ba045f8e5eec1be8f1b87753990e47261906fd4384f2384947fe937b2d78859fe1a61862b03dae80a7ebf2e74323a5fd0ec0c921db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
ac1591242f687aa081e8c6ccfde92945

SHA1
f3b4ed9cea35890a35fe8d1e5f8fbc5629f29111

SHA256
f3fb6b27fc09e058f337d6da2e7d473f23b4082dabae9e574efb7531bcd17f11

SHA512
2fb3eb5469d71d77f99be2d2fbffa43e6958bacf34bad6dd3a4e072376871ab5557bbad29a7ecbedfeb907b62a64e09d3c98aa71f00dc92eb1745ff78cb49f1e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c54b1176aae9fb3147ca3f5b6d20523a

SHA1
56520ecbc5e8ad7ae869e8c3c86c00f1688bcc96

SHA256
b72aa3f216c6a7aca49332b0480ed26fe2a3be2b43e9d0fa7625da58d831868e

SHA512
1a25c196cc8146d0ca68a671a278cae4b11f42d5e3717982c1fba7188f45cf3f9cdb7aa118f6d2bcf53bb5f2dbc23391e1849716513bb6f9cbcbcde5e050f160

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
d04edece0c08aac60ba116e8dba02a32

SHA1
37efe252b55401eb027baac5f3d130484ce61c1a

SHA256
3b41c082f156b7408662d3f1238253068aeaf4e6177de5516832e4d615f4b364

SHA512
9277daa5c53cbbc32397a4bb26a07e43a17536ae50b52613a1b25607d06d55b2d754148c4f5b40674f0b49cd8f154cc38f12f2d2945dbe084e233ef84b7f449c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
ea74d126c243b34c2fd22d8493c6152e

SHA1
d6eea45c8a14efad6fa89a5e476237d9f1a0d3bf

SHA256
a1931ad1aedd34ebabed400804a5ea94af20cf7cd621bf2dea0990cfe7d11a3b

SHA512
38c009e06236b8929101c8ec8c613e22c2b52e32596fbf947b65a326bef15e9857acdf3671ec003a5a434492a507acce5bc9b7316986396979dc48c3a36fa93b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a013d5dbb1eaabdbf1216392610c174b

SHA1
77485ba574a1e238908d3b3905e2feb9e229fe2d

SHA256
1765e4c60a8e928ce8c1b8ad53a06e6353ec06752c80bef1ccc6cba29614803d

SHA512
7dc149814c985cc8c2bf8be3a3c51102c80d9dd545ae9bb6b6dcc827584343e851fc446f62145f9f9ec824d5b8874d0cdb8fdc9e674a44e79df00015fa6757fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
2f17a9fb6ce6dacccde85bbc68d183ba

SHA1
3c74e5ed24eb15a045890efdf0b3decd0d24f740

SHA256
cac89918c570200be338d983e14fc7bdcb15bf61c00f03e2612346df078d1e89

SHA512
c74f521e7f3232a487badf40849e05a0f9de34c2a59711ac6d2b22ac59e380bb823f5f7caeaca82b9db7d187b7aa53aa829db2640d95df5015f7cf9c2ff09d69

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3fb9d74de1fb3b8aae583abba8822aae

SHA1
9de07224f60d5e2d1e9851c9eb7d13891ea4efbb

SHA256
576720bf54e5a94228dc4864c1a689bb35432fe77bdc1d470a11cea3b9b5b4b4

SHA512
cac0a802a1b6baa82c51c91ccfff9c1bc8994158c8e83b16ea88524b38576adb17b85514db55ba8dad94532060b26b0794690672c087ee430b4341e2e6738ee4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
dc8976242a2867a2cd3abd7faf7891a5

SHA1
a5be6bacf3f3836bee3b3dc6425fc07c08ef89a0

SHA256
5bbe0b68a0653d32989b13ac5033eb36fabb27e1343c49f5ce1164ca0cab526e

SHA512
8d791db73a7a1840cb83e273427dae58f197232c45c586f62fc8dfa62247b90cfb10c3b9cc277dfada096ebfde922ed7b36fb624dfc5b7cf0412776e7717eea7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
aecc7f18e2b0c2a0313cf8bc65de8b36

SHA1
8455c0a7f4e4f7c9a1e454d9fe4324fe9b8268bf

SHA256
520fa303406c10ee199a2c069bf923cecbe293cb6373c296a879faf65f95cf4a

SHA512
833ee7c4144874bcb4d67b280a39646965f4b28dbb28c590192a195e07e84350176b3537c87d2bbd49c81ce9da6117c385004f502ceb81db38b1c9a1cfbfd13b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
44c6263cecc28811596cc9bb31b9a3d3

SHA1
0f07e1b6322f7dbac935e370201360f136a6f94d

SHA256
164defcb7462eb7ffc1ce186e97967d3a3f767f0b20be442a3d0689908c21b37

SHA512
cf74bc942f063c01a4403a69a206bf1ac29e1835878f5afb588fb563c7f4fddd0a735e7d7af32d48985230640c87003966af33b023b304a68e1ff530857b4f97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8b57a3d9e83ac9910afa1f9d707e2a83

SHA1
6d24e7e80ddbd27aec2ec3cdb033a02128b45dc5

SHA256
c1e3661a547eeea88c551f843b2985535254e3754889212fd1a88108f62cd461

SHA512
a3aff9d3df95800cee8c55d54f75dd58e32a784a8c5a44f7b36a91b96ea7ea0fe11eaa7b1efe29d40d1652b0296da25bbc0672ef1bffd1e056b737b4cd3496f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
d86e48dfa66fdca1f85717a84cca2eda

SHA1
c4040c451fef731ee0a6749101c64bc1e7097267

SHA256
294f98b5a11573ce6abfd88ef8e6de9fb1f94e4ad072f6a190484748f67815cc

SHA512
b0377c2b28715401715303938c60cab192979455b33f93a1b20412d2e8531dd3777e727938f52145ea7a4c622d8f4e5eba0cb519b7f9c032b61693611014b3c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
daaf7abfcbb0bd0ef0fd96cab69273eb

SHA1
759ecdcea3ba18863a583e439e7db7c3255ad08a

SHA256
f2276b3bbe40288072423298f6b79e7b87986be746e7fbb0b1c5d997130c3490

SHA512
8d3daff9a11cb571be19f88e9966e6eab0d916fb1ace90812eb5e6ca0ac9cf6f65079b5c8e5479dbcba1251e246a058a2ade84d5f43e1b7fa39a22a1b234d602

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
5d0c3cddb0b4231521b8ad99f4dd286c

SHA1
fcc4983c2c71cf7d024a8a5a292a9a967149bff2

SHA256
24981e9034dc0520716feb35844635848a64dceb2e608097982b615b69c58011

SHA512
5cfb8c1b64804699fd23f130845c49346a0f387f16040f326b8685efab7ef527e037d2421ed327a7060bfe49706db78db24b8a09fcbe6af17d634ff0bfb3f776

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2d507876e68f25efaf363b814622fce5

SHA1
7228d2b9cd0428e705a265ee1c7ad3567abdd327

SHA256
e1a9476c353ee52f9ba2e20a18a241c0ba5528855be70d2c29d2c330d94dd400

SHA512
1da5ff4dac80cf6efc40b4cae3918de0cb250f6185a9e812763ed8f294b6cef556938a8fc6b08eb56ca54d9d4fb5559a43a9c3b61f85ce31f6bba31cba43f84a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
a2c3360caa731a2931a8aee98853f8f1

SHA1
63008501c1672588ba6c12240f1286fdb2d17f7a

SHA256
78cda77ecde1e8c226fbf54fb6b40a69a689088ed0713a79bd80c66b2d6547cc

SHA512
9a9162a68dedf96f199d5d0736a5f351c5462d49a49e33683f2d382143271515f69d55759f8083e1c5085e8f6ec0c0f81751d96041f46f8c9542f55fd8d7a461

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
988a528280b6d19fe305719eaa6363f3

SHA1
0a8fed6d0de2ed4811656f52e07ba5e7f882b7dd

SHA256
5ed99c883488f3e3b6fe0fdb6c14a3008f48d205ce296f32226c51ef835137db

SHA512
47ec580f288c0862ee63344927f28b41683097a341636d163feff8cdbadf250957b706c31aed12feb86dcb865bdb83159ff5763da384904dd37c6f837c620cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
f514b6434e7e6ed145c26a90ee7b596c

SHA1
50244b690713b928a2a143158c5a1891c2c17817

SHA256
1c51758c53e275c1bb594ef58519edaadf65457eb94edc1b7b80f61281041977

SHA512
58be8378499f11d63d1ea36b1fa607cfe413557ce9e92c5f3fef2c247b96e11d7d1258031c1c42a3850a818b7d1ce157480ac2702ae6507d3ba974b8b5ef4848

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a94e0200dbaf0ae775d97e26b26b7218

SHA1
e0893c4fb56ab231855a227e15d83ae47aeb5dd5

SHA256
6e0be0edb82f8c3af33d48f8fc9b32090e365b943ca0bbf624d1e01284ebf66d

SHA512
a9958e348fa46e50e7801aca360cc2f17874a0824fcda9887d7abf775ab2ebd0c8b6016289791d6f092fdcaa8296ae611577c384cf6a089adf81bf94f9c4b52d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
d3143cc8741573a455eabd6c5154b492

SHA1
9587204c8b411002cd7f7972cfd5be167b10f05d

SHA256
8e03f02fcf6b5263c734e62f40c4ad571933f8d7b26f7c1af419abf4633fc8a4

SHA512
3160fb87dc3df37f865e54f7efe5c5a6d2d6f334633b895ce0c436fba1a248c31a6589096fc949a62be4ac27ad2d7be84456be7edc629401dd2c3b4827713dac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f1e7b9176d72489188eb75aeebbc1f8b

SHA1
fcb3ccd99421a3d8a061be766a3f9401e68f29fd

SHA256
a4a6f860ec391da39927ad27b106d096e29e6865ca16132538f3ed2bd983878f

SHA512
959eb2539c52982e7490a9f776f44fcd79d6c11221c42e4234857e8ad33990a6ea21646bba679dd05d6c05f730c3d81e6faf9668bfe270c57cbe246b10a6eb23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
9941b792f08e22de75a13925d6f5cb36

SHA1
96be2a38bf2d3fdddce428c1103a49e8a85878dd

SHA256
10da63353125efb4a45957115a270f0d23827446d8498094837824f500b82fc2

SHA512
33ee386747d1de30a57ecf28a4722f1552f8ac524926ed8d9196d43f2cebc40ec7cad1cd5deb4b90a69a4d6469f2b4ae805a456fc76c40226ee774e7ca7974bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4e4d84717bfad9e3f71d3ada990fef32

SHA1
757a94b3028e5aeca40d63f1e2f6721bfe32ad5a

SHA256
11e1fc3a98854b145678f7af4bd97dbfd5facaabf65276f67f15fb4ff4571f90

SHA512
8fb9c7a24090b5f4a77fdf4951ca324f36bd0e14a7659241d41852bb3e893833df8746c23ac125502a9c3037f02e5472abbf27978a7c8076e975a4f700e03cfa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
f03e1f03f0d8ac5893ed78d32adf1638

SHA1
7f067bb891a6c012b4e027bf7ada331797aab438

SHA256
c78d280cfedf4b3480b50b254a94f43e259fb8117cae2b4a93ac8648451c62be

SHA512
3ed2f7712fec0e0cb4d25021145088f627aa1c6ffcc6e82d334ddeb084b7541ae100725b68cee05dadc81fc9ceb63df641a38fb7c9413791d434ab962fed46a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
963576cf4654408b64790d4d6cda1c64

SHA1
93941facd46fd4e1d94cdef1c0ccfdeac1e380b4

SHA256
3c2322a68ce30ee625de5f66ac76663af438ee4167ae152039679a624a464008

SHA512
db20ec5b08516b1232a905998a9d9cc6af786f33470837658abc5534de9025566ba4ce978e357049a68130efd3b1d58592e421cdb74bf09b879a123971bf2fa4

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
6.7MB

MD5
ae569d8adb0270467182b351b868a054

SHA1
7373b5ef1b2e0269377bddc5cbebe0f2db54812e

SHA256
301a8ee1fa7b81c45e3162ed2c433c557f49bb096bc23fa51949b21ccd6a3feb

SHA512
59decabefc7852bc4f1dd60e2c5f6bc005f86be735b448f5347ed1809dd51134ca0cc97d1f9f39d8ac044da5b00520088d64a6f8387a71076513a9f24f9c4bc7

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini.exe

Filesize
6.7MB

MD5
90ea5ccecd35d504de86d43f522235a3

SHA1
36514053b59253fa1db59ca2ce2e68fc5e4f3d91

SHA256
50b413234296629f9d98399e5b3e56278e420db4e4dc7d45f525eb4464657ad5

SHA512
b5873e6d9d5488a7ebe8251af96607ad10e86c69dfe062ddf9940d6dbda1974693ef216de4d4b648ec1bc4a6b6ada125b929e86e91fa9fe2ec46805826c1d029

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
6.7MB

MD5
32e845f7459a02d026db70ca010ccc40

SHA1
b3678082663c4cd21f50b354cd7556331abf7736

SHA256
c98fbadad6784f4542ddff3a63c73f9133569ab6663d6ac0fc0543fafe6e3993

SHA512
c2ecbf2cb686564752639c4b359ae9d909f83dcfc05c0fe258ceb4a0103efa5378b606bbb8d09e06dde7453da5c4d0d6a358510b819c20894eb74e6443df1477

Download Submit
memory/2216-71-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2216-0-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/2216-119-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2216-91-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2216-109-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2216-103-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2216-81-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2216-149-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2216-129-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2216-45-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/2216-139-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2216-50-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2216-61-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2624-92-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2624-62-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2624-140-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2624-51-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2624-52-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/2624-104-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2624-134-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2624-72-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2624-114-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2624-152-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2624-124-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2624-5-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/2624-82-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads