3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157

Analysis

max time kernel
187s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
03-07-2022 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
Size

690KB
MD5

05fd27db47dabe28246f7749e8d48bf0
SHA1

9501a3d42ae13d2574e36ef1517d7cc471cc576b
SHA256

3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157
SHA512

dab21f22abc846fffce3b23b5a174d28bc1c90aa8190f8d9077ae534c6e3b80df34abb24523a1dfa0f910184f728fa5cd911b0f528f30a56aa70e3e2ea0f62f9

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exeHelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\$Recycle.Bin\S-1-5-21-2277218442-1199762539-2004043321-1000\desktop.ini.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

900 HelpMe.exe

pid	process
900	HelpMe.exe

Drops startup file 3 IoCs

Processes:

3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exeHelpMe.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Loads dropped DLL 2 IoCs

Processes:

3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe

pid	process
1852	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
1852	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exeHelpMe.exe

description	ioc	process
File opened (read-only)	\??\P:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\Q:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\Z:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\I:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\K:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\U:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\B:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\O:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\L:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\E:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\J:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\V:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\X:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\A:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\S:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\Y:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\G:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\W:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\R:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\H:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\N:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\T:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\F:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\M:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

HelpMe.exe3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe

description	ioc	process
File opened for modification	C:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe

Drops file in System32 directory 2 IoCs

Processes:

HelpMe.exe3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe

description	pid	process	target process
PID 1852 wrote to memory of 900	1852	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe	HelpMe.exe
PID 1852 wrote to memory of 900	1852	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe	HelpMe.exe
PID 1852 wrote to memory of 900	1852	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe	HelpMe.exe
PID 1852 wrote to memory of 900	1852	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
"C:\Users\Admin\AppData\Local\Temp\3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:900

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2277218442-1199762539-2004043321-1000\desktop.ini.exe
Filesize
690KB

MD5
9620277561563da1176894860174d98f

SHA1
958bbf970c3953cef304e1267a86db0469012063

SHA256
a18d7975c359f55d00d7407f3186be2d7150e338ab9e3f74e565302640e867cc

SHA512
789a89cd9c7be2e88705909d0b3f65475b839a2c64dacc0454b712f0b5b56be3f2cf97d05aeed4c12f8e054f241385336585263ddd21f4203619a755ad50f8b4

Download Submit
C:\AUTORUN.INF
Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AUTORUN.INF
Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
12e72f58ec64c2302c2223a2f44247b8

SHA1
66f8c5e02a8407480694802a5c59687e58ad7776

SHA256
a5e93ada9171c8c34965fa14319fc5153d22a47e01bb9e83463f231964b9dd04

SHA512
6726ade90e8cc80f64782f4141ebe035718f80c65578465384df18517a14af3165c5a8f582f4208dd84fad6b24f3261b6cbd869f42ffd915ea9bc2c965238924

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
12e72f58ec64c2302c2223a2f44247b8

SHA1
66f8c5e02a8407480694802a5c59687e58ad7776

SHA256
a5e93ada9171c8c34965fa14319fc5153d22a47e01bb9e83463f231964b9dd04

SHA512
6726ade90e8cc80f64782f4141ebe035718f80c65578465384df18517a14af3165c5a8f582f4208dd84fad6b24f3261b6cbd869f42ffd915ea9bc2c965238924

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
12e72f58ec64c2302c2223a2f44247b8

SHA1
66f8c5e02a8407480694802a5c59687e58ad7776

SHA256
a5e93ada9171c8c34965fa14319fc5153d22a47e01bb9e83463f231964b9dd04

SHA512
6726ade90e8cc80f64782f4141ebe035718f80c65578465384df18517a14af3165c5a8f582f4208dd84fad6b24f3261b6cbd869f42ffd915ea9bc2c965238924

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
954B

MD5
4941aa04d1fa3d3389c74706f9ab52db

SHA1
f397b2fa5674e25d3786f9b3af845752cad216cc

SHA256
5a2ef314329659e0f1cc6e825e80b520b82e7f297c4ecfb7e26c142724006b7a

SHA512
2d5afcd4034360d9f273aa198c6fdaeb95780d31b959269f52bca94255a12ffd4597410fc08968d321a85e025cc648ba9df568c490397a2d5fe92a279e69995d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
12e72f58ec64c2302c2223a2f44247b8

SHA1
66f8c5e02a8407480694802a5c59687e58ad7776

SHA256
a5e93ada9171c8c34965fa14319fc5153d22a47e01bb9e83463f231964b9dd04

SHA512
6726ade90e8cc80f64782f4141ebe035718f80c65578465384df18517a14af3165c5a8f582f4208dd84fad6b24f3261b6cbd869f42ffd915ea9bc2c965238924

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
954B

MD5
4941aa04d1fa3d3389c74706f9ab52db

SHA1
f397b2fa5674e25d3786f9b3af845752cad216cc

SHA256
5a2ef314329659e0f1cc6e825e80b520b82e7f297c4ecfb7e26c142724006b7a

SHA512
2d5afcd4034360d9f273aa198c6fdaeb95780d31b959269f52bca94255a12ffd4597410fc08968d321a85e025cc648ba9df568c490397a2d5fe92a279e69995d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
954B

MD5
4941aa04d1fa3d3389c74706f9ab52db

SHA1
f397b2fa5674e25d3786f9b3af845752cad216cc

SHA256
5a2ef314329659e0f1cc6e825e80b520b82e7f297c4ecfb7e26c142724006b7a

SHA512
2d5afcd4034360d9f273aa198c6fdaeb95780d31b959269f52bca94255a12ffd4597410fc08968d321a85e025cc648ba9df568c490397a2d5fe92a279e69995d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
954B

MD5
4941aa04d1fa3d3389c74706f9ab52db

SHA1
f397b2fa5674e25d3786f9b3af845752cad216cc

SHA256
5a2ef314329659e0f1cc6e825e80b520b82e7f297c4ecfb7e26c142724006b7a

SHA512
2d5afcd4034360d9f273aa198c6fdaeb95780d31b959269f52bca94255a12ffd4597410fc08968d321a85e025cc648ba9df568c490397a2d5fe92a279e69995d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
12e72f58ec64c2302c2223a2f44247b8

SHA1
66f8c5e02a8407480694802a5c59687e58ad7776

SHA256
a5e93ada9171c8c34965fa14319fc5153d22a47e01bb9e83463f231964b9dd04

SHA512
6726ade90e8cc80f64782f4141ebe035718f80c65578465384df18517a14af3165c5a8f582f4208dd84fad6b24f3261b6cbd869f42ffd915ea9bc2c965238924

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
954B

MD5
4941aa04d1fa3d3389c74706f9ab52db

SHA1
f397b2fa5674e25d3786f9b3af845752cad216cc

SHA256
5a2ef314329659e0f1cc6e825e80b520b82e7f297c4ecfb7e26c142724006b7a

SHA512
2d5afcd4034360d9f273aa198c6fdaeb95780d31b959269f52bca94255a12ffd4597410fc08968d321a85e025cc648ba9df568c490397a2d5fe92a279e69995d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
12e72f58ec64c2302c2223a2f44247b8

SHA1
66f8c5e02a8407480694802a5c59687e58ad7776

SHA256
a5e93ada9171c8c34965fa14319fc5153d22a47e01bb9e83463f231964b9dd04

SHA512
6726ade90e8cc80f64782f4141ebe035718f80c65578465384df18517a14af3165c5a8f582f4208dd84fad6b24f3261b6cbd869f42ffd915ea9bc2c965238924

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
954B

MD5
4941aa04d1fa3d3389c74706f9ab52db

SHA1
f397b2fa5674e25d3786f9b3af845752cad216cc

SHA256
5a2ef314329659e0f1cc6e825e80b520b82e7f297c4ecfb7e26c142724006b7a

SHA512
2d5afcd4034360d9f273aa198c6fdaeb95780d31b959269f52bca94255a12ffd4597410fc08968d321a85e025cc648ba9df568c490397a2d5fe92a279e69995d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
12e72f58ec64c2302c2223a2f44247b8

SHA1
66f8c5e02a8407480694802a5c59687e58ad7776

SHA256
a5e93ada9171c8c34965fa14319fc5153d22a47e01bb9e83463f231964b9dd04

SHA512
6726ade90e8cc80f64782f4141ebe035718f80c65578465384df18517a14af3165c5a8f582f4208dd84fad6b24f3261b6cbd869f42ffd915ea9bc2c965238924

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
12e72f58ec64c2302c2223a2f44247b8

SHA1
66f8c5e02a8407480694802a5c59687e58ad7776

SHA256
a5e93ada9171c8c34965fa14319fc5153d22a47e01bb9e83463f231964b9dd04

SHA512
6726ade90e8cc80f64782f4141ebe035718f80c65578465384df18517a14af3165c5a8f582f4208dd84fad6b24f3261b6cbd869f42ffd915ea9bc2c965238924

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
67f9c8eb4c083f6d9b76d6a970e004c0

SHA1
5d78bff1d3033bfbd02e440beb4bb97a6e02693f

SHA256
0daee646af4422a5db0181257978938ada786132f8ee338281878a5ad58b81c2

SHA512
91df0e7d3ba36e5e5a6b0219870e464530e305ecc11a8f9041ff2bac9d6273e1155b410bb93160ece1d6ddd15924867f422382fc0b924824c867e3df19432aac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
954B

MD5
4941aa04d1fa3d3389c74706f9ab52db

SHA1
f397b2fa5674e25d3786f9b3af845752cad216cc

SHA256
5a2ef314329659e0f1cc6e825e80b520b82e7f297c4ecfb7e26c142724006b7a

SHA512
2d5afcd4034360d9f273aa198c6fdaeb95780d31b959269f52bca94255a12ffd4597410fc08968d321a85e025cc648ba9df568c490397a2d5fe92a279e69995d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
12e72f58ec64c2302c2223a2f44247b8

SHA1
66f8c5e02a8407480694802a5c59687e58ad7776

SHA256
a5e93ada9171c8c34965fa14319fc5153d22a47e01bb9e83463f231964b9dd04

SHA512
6726ade90e8cc80f64782f4141ebe035718f80c65578465384df18517a14af3165c5a8f582f4208dd84fad6b24f3261b6cbd869f42ffd915ea9bc2c965238924

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
12e72f58ec64c2302c2223a2f44247b8

SHA1
66f8c5e02a8407480694802a5c59687e58ad7776

SHA256
a5e93ada9171c8c34965fa14319fc5153d22a47e01bb9e83463f231964b9dd04

SHA512
6726ade90e8cc80f64782f4141ebe035718f80c65578465384df18517a14af3165c5a8f582f4208dd84fad6b24f3261b6cbd869f42ffd915ea9bc2c965238924

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
12e72f58ec64c2302c2223a2f44247b8

SHA1
66f8c5e02a8407480694802a5c59687e58ad7776

SHA256
a5e93ada9171c8c34965fa14319fc5153d22a47e01bb9e83463f231964b9dd04

SHA512
6726ade90e8cc80f64782f4141ebe035718f80c65578465384df18517a14af3165c5a8f582f4208dd84fad6b24f3261b6cbd869f42ffd915ea9bc2c965238924

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
690KB

MD5
9852cdf393e138bafa1eb17ad07a1c02

SHA1
2f7ed34abe320e9e699f67b9832486b9c71359f6

SHA256
80d0b9e741d19b1fd68043e01c0a6f5c5d8966e08993ddd807888d51f5bc2986

SHA512
13a301a9fe1e80cd08b841b55bb4a08c299d4296af6709dcfff82449d1f9fb3420e216c086547f40e5f7c631815409ebdeca5569f3d41aeb9c899c81103e73eb

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
690KB

MD5
9852cdf393e138bafa1eb17ad07a1c02

SHA1
2f7ed34abe320e9e699f67b9832486b9c71359f6

SHA256
80d0b9e741d19b1fd68043e01c0a6f5c5d8966e08993ddd807888d51f5bc2986

SHA512
13a301a9fe1e80cd08b841b55bb4a08c299d4296af6709dcfff82449d1f9fb3420e216c086547f40e5f7c631815409ebdeca5569f3d41aeb9c899c81103e73eb

Download Submit
\Windows\SysWOW64\HelpMe.exe
Filesize
690KB

MD5
9852cdf393e138bafa1eb17ad07a1c02

SHA1
2f7ed34abe320e9e699f67b9832486b9c71359f6

SHA256
80d0b9e741d19b1fd68043e01c0a6f5c5d8966e08993ddd807888d51f5bc2986

SHA512
13a301a9fe1e80cd08b841b55bb4a08c299d4296af6709dcfff82449d1f9fb3420e216c086547f40e5f7c631815409ebdeca5569f3d41aeb9c899c81103e73eb

Download Submit
\Windows\SysWOW64\HelpMe.exe
Filesize
690KB

MD5
9852cdf393e138bafa1eb17ad07a1c02

SHA1
2f7ed34abe320e9e699f67b9832486b9c71359f6

SHA256
80d0b9e741d19b1fd68043e01c0a6f5c5d8966e08993ddd807888d51f5bc2986

SHA512
13a301a9fe1e80cd08b841b55bb4a08c299d4296af6709dcfff82449d1f9fb3420e216c086547f40e5f7c631815409ebdeca5569f3d41aeb9c899c81103e73eb

Download Submit
memory/900-57-0x0000000000000000-mapping.dmp

Download
memory/1852-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads