bbeca55485073a4a32693c2e5b8e19e3f589943dba8446cd74be59e1afdd5755

Analysis

max time kernel
151s
max time network
113s
platform
windows10_x64
resource
win10v20201028
submitted
02-03-2021 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbeca55485073a4a32693c2e5b8e19e3f589943dba8446cd74be59e1afdd5755.exe
Size

1.1MB
MD5

7645d030acecd41143dcdd1b7a7f8e2f
SHA1

283005990df987f824abb8b0c2ade624b2d3cb01
SHA256

bbeca55485073a4a32693c2e5b8e19e3f589943dba8446cd74be59e1afdd5755
SHA512

163c0b722233fae7f7216579e9c15c4465bb54250dacaa88204644040e6bf7489b4a70a46fe7405796a1bd48c0fd1fc8400c5037a55004366301d3a25b9a8bba

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

HelpMe.exeregfH

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	regfH

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\regfH	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\regfH	aspack_v212_v242
C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini.exe	aspack_v212_v242
C:\AutoRun.exe	aspack_v212_v242

Executes dropped EXE 2 IoCs

Processes:

HelpMe.exeregfH

pid process

3728 HelpMe.exe
2820 regfH

pid	process
3728	HelpMe.exe
2820	regfH

Drops startup file 3 IoCs

Processes:

HelpMe.exeregfH

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	regfH
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

regfHHelpMe.exe

description	ioc	process
File opened (read-only)	\??\M:	regfH
File opened (read-only)	\??\T:	regfH
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\Q:	regfH
File opened (read-only)	\??\R:	regfH
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\F:	regfH
File opened (read-only)	\??\H:	regfH
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\A:	regfH
File opened (read-only)	\??\I:	regfH
File opened (read-only)	\??\J:	regfH
File opened (read-only)	\??\X:	regfH
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\B:	regfH
File opened (read-only)	\??\E:	regfH
File opened (read-only)	\??\L:	regfH
File opened (read-only)	\??\O:	regfH
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\U:	regfH
File opened (read-only)	\??\Z:	regfH
File opened (read-only)	\??\W:	regfH
File opened (read-only)	\??\Y:	regfH
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\K:	regfH
File opened (read-only)	\??\N:	regfH
File opened (read-only)	\??\P:	regfH
File opened (read-only)	\??\S:	regfH
File opened (read-only)	\??\V:	regfH
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\G:	regfH

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in System32 directory 5 IoCs

Processes:

HelpMe.exeregfHbbeca55485073a4a32693c2e5b8e19e3f589943dba8446cd74be59e1afdd5755.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	regfH
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	bbeca55485073a4a32693c2e5b8e19e3f589943dba8446cd74be59e1afdd5755.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	bbeca55485073a4a32693c2e5b8e19e3f589943dba8446cd74be59e1afdd5755.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	bbeca55485073a4a32693c2e5b8e19e3f589943dba8446cd74be59e1afdd5755.exe

Drops file in Program Files directory 1 IoCs

Processes:

bbeca55485073a4a32693c2e5b8e19e3f589943dba8446cd74be59e1afdd5755.exe

description	ioc	process
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	bbeca55485073a4a32693c2e5b8e19e3f589943dba8446cd74be59e1afdd5755.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bbeca55485073a4a32693c2e5b8e19e3f589943dba8446cd74be59e1afdd5755.exe

pid	process
652	bbeca55485073a4a32693c2e5b8e19e3f589943dba8446cd74be59e1afdd5755.exe
652	bbeca55485073a4a32693c2e5b8e19e3f589943dba8446cd74be59e1afdd5755.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

bbeca55485073a4a32693c2e5b8e19e3f589943dba8446cd74be59e1afdd5755.exe

description	pid	process	target process
PID 652 wrote to memory of 3728	652	bbeca55485073a4a32693c2e5b8e19e3f589943dba8446cd74be59e1afdd5755.exe	HelpMe.exe
PID 652 wrote to memory of 3728	652	bbeca55485073a4a32693c2e5b8e19e3f589943dba8446cd74be59e1afdd5755.exe	HelpMe.exe
PID 652 wrote to memory of 3728	652	bbeca55485073a4a32693c2e5b8e19e3f589943dba8446cd74be59e1afdd5755.exe	HelpMe.exe
PID 652 wrote to memory of 2820	652	bbeca55485073a4a32693c2e5b8e19e3f589943dba8446cd74be59e1afdd5755.exe	regfH
PID 652 wrote to memory of 2820	652	bbeca55485073a4a32693c2e5b8e19e3f589943dba8446cd74be59e1afdd5755.exe	regfH
PID 652 wrote to memory of 2820	652	bbeca55485073a4a32693c2e5b8e19e3f589943dba8446cd74be59e1afdd5755.exe	regfH

C:\Users\Admin\AppData\Local\Temp\bbeca55485073a4a32693c2e5b8e19e3f589943dba8446cd74be59e1afdd5755.exe
"C:\Users\Admin\AppData\Local\Temp\bbeca55485073a4a32693c2e5b8e19e3f589943dba8446cd74be59e1afdd5755.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Enumerates connected drives
- Drops file in System32 directory
PID:3728

C:\Users\Admin\AppData\Local\Temp\regfH
C:\Users\Admin\AppData\Local\Temp\\regfH
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Enumerates connected drives
- Drops file in System32 directory
PID:2820

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\desktop.ini.exe
MD5
6ff68349a0d6174ef7153fc6d5f73ad4

SHA1
713eef0bd0fa4a673526ca9f8257a91691515f9e

SHA256
3b07728f0896e4f9f036e4168c2915efcb087daa2677e2a8c6109cf1c34c6e6c

SHA512
cd5a84d21da5f69d53c6ca6f150e1ac4f6bc96721b2c66f11d42c176a5d9d15307ac7e722db67904df6cc7aa4101e59330d6fb75b218cc558c306a31402467b5

Download Submit
C:\AutoRun.exe
MD5
cb45eeb2d0ec69f164cddf3e097d1fb1

SHA1
e0f715deb653678ce75723ba1a0ca937f0e665c8

SHA256
1b799d7d9a32c38cc491ae98f08e506495b4bc84ddb5191c3d4795f0108de2bb

SHA512
16d5dee4c9e0729735198de1b7c5bba04e61dedbba04c9c5305c58b4d7d60ba0360c13493aa2a31bc2592cc14e2c6ae5d632bee86c7245f0c87ddf601df13e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\regfH
MD5
7645d030acecd41143dcdd1b7a7f8e2f

SHA1
283005990df987f824abb8b0c2ade624b2d3cb01

SHA256
bbeca55485073a4a32693c2e5b8e19e3f589943dba8446cd74be59e1afdd5755

SHA512
163c0b722233fae7f7216579e9c15c4465bb54250dacaa88204644040e6bf7489b4a70a46fe7405796a1bd48c0fd1fc8400c5037a55004366301d3a25b9a8bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\regfH
MD5
7645d030acecd41143dcdd1b7a7f8e2f

SHA1
283005990df987f824abb8b0c2ade624b2d3cb01

SHA256
bbeca55485073a4a32693c2e5b8e19e3f589943dba8446cd74be59e1afdd5755

SHA512
163c0b722233fae7f7216579e9c15c4465bb54250dacaa88204644040e6bf7489b4a70a46fe7405796a1bd48c0fd1fc8400c5037a55004366301d3a25b9a8bba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
2a91a3ba9138334682745b2bbb68f362

SHA1
c3511a8ca05e9b5964b15d3ff0a6ae582b04a50a

SHA256
368800f00b8ae2551a2d7644ef436b6efcb53a336564399d2513c6815e66a7c3

SHA512
2c312579ffce30b26e5a3c6562c2848525c6760ab90dc47f589f95fa4deb7b2f8b1c3bde87425071541cb86cc0b414dde6ad63f08302183c780cf4b616a9014d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
7d914c291d06e35147e09644129cb3d0

SHA1
f5f388ff542c78461a5fab1c80c4c3aa2c0cf4f5

SHA256
78db1ac282752b2afa82ca5e37386ec98f3d4ff67730be227bc282659396aa73

SHA512
184acd6838d2d1b67c26c8f89ecaa73e8723105bee782b7ae214f7d3e64f1486032cc7f6d7580642b13f0dded28c30945c115388a2e6f88d1e1e093061d7a1ca

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
MD5
cb45eeb2d0ec69f164cddf3e097d1fb1

SHA1
e0f715deb653678ce75723ba1a0ca937f0e665c8

SHA256
1b799d7d9a32c38cc491ae98f08e506495b4bc84ddb5191c3d4795f0108de2bb

SHA512
16d5dee4c9e0729735198de1b7c5bba04e61dedbba04c9c5305c58b4d7d60ba0360c13493aa2a31bc2592cc14e2c6ae5d632bee86c7245f0c87ddf601df13e6d

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
MD5
cb45eeb2d0ec69f164cddf3e097d1fb1

SHA1
e0f715deb653678ce75723ba1a0ca937f0e665c8

SHA256
1b799d7d9a32c38cc491ae98f08e506495b4bc84ddb5191c3d4795f0108de2bb

SHA512
16d5dee4c9e0729735198de1b7c5bba04e61dedbba04c9c5305c58b4d7d60ba0360c13493aa2a31bc2592cc14e2c6ae5d632bee86c7245f0c87ddf601df13e6d

Download Submit
memory/652-12-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/652-5-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/652-11-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/2820-6-0x0000000000000000-mapping.dmp

Download
memory/2820-10-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3728-2-0x0000000000000000-mapping.dmp

Download
memory/3728-9-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads