b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd

Analysis

max time kernel
160s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2022, 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
Size

810KB
MD5

6322aaa52753ac04073e1cb2e30ae790
SHA1

fd662478da1c5045fe7b92797ed0c63dd6d14083
SHA256

b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd
SHA512

5de058a38bd7294bb12e6750b2182cfa86eef37e4232b9d5a1f1c850c0043af0e272eace26900d22e39f07c50ddfbcaa31a091157f59de7f70e32daa1f5ce1ee
SSDEEP

12288:Cp4pNfz3ymJnJ8QCFkxCaQTOl2ga3Cz/kJ:8Etl9mRda1P4

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
4360	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\A:	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File opened (read-only)	\??\V:	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\G:	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File opened (read-only)	\??\K:	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File opened (read-only)	\??\W:	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\F:	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File opened (read-only)	\??\X:	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\B:	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File opened (read-only)	\??\N:	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File opened (read-only)	\??\P:	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File opened (read-only)	\??\S:	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File opened (read-only)	\??\U:	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\I:	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File opened (read-only)	\??\T:	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\E:	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File opened (read-only)	\??\H:	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File opened (read-only)	\??\J:	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File opened (read-only)	\??\L:	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File opened (read-only)	\??\M:	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File opened (read-only)	\??\Y:	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\O:	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File opened (read-only)	\??\Q:	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File opened (read-only)	\??\Z:	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File opened (read-only)	\??\W:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench_1.1.0.v20140512-1820.jar.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_ja_4.4.0.v20140623020002.jar.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\README.txt.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher_1.1.0.v20131211-1531.jar.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.nl_ja_4.4.0.v20140623020002.jar.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-actions_zh_CN.jar.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_zh_CN.jar.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\ApproveCheckpoint.nfo.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerConstraints.exsd.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\GrantClose.mpeg.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic_5.5.0.165303.jar.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaps.dll.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.zh_CN_5.5.0.165303.jar.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-spi-actions.jar.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_de_DE.jar.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.zh_CN_5.5.0.165303.jar.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Common Files\System\msadc\msdarem.dll.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\.lastModified.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\indxicon.gif.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer_3.2.200.v20140827-1444.jar.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.ini.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\es.pak.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy.jar.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_zh_4.4.0.v20140623020002.jar.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkClientCP.bat.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\cursors.properties.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\tools.jar.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Common Files\Services\verisign.bmp.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\sl.pak.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Google\Chrome\Application\master_preferences.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\win32\jawt_md.h.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_zh_4.4.0.v20140623020002.jar.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\youtube.crx.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_zh_CN.jar.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt_1.1.1.v20140903-0821.jar.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-multitabs.jar.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Common Files\System\ado\msadrh15.dll.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.ja_5.5.0.165303.jar.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\visualvm.conf.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_ja_4.4.0.v20140623020002.jar.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-api-progress.jar.exe	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 4360	4600	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe	84
PID 4600 wrote to memory of 4360	4600	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe	84
PID 4600 wrote to memory of 4360	4600	b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe	84

C:\Users\Admin\AppData\Local\Temp\b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe
"C:\Users\Admin\AppData\Local\Temp\b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops startup file
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:4360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini.exe

Filesize
810KB

MD5
fdb4c3c33fef00e5379cb8a04d9f278a

SHA1
cc050a0e700751a0947163f8c4fdbe321e70bae6

SHA256
fb88d3d57f0d50d040d6df6b8bafd9ca39f29f6c5f99903d29423e0342397cc6

SHA512
e23f8c0867883854e98b23fa5f1fe46d57941d7c54dd6962cae37a0c5c88dd81d9694af1807c97446b056af865434675da1cbeb9fd7bff8aef7817e6bba2e983

Download Submit
C:\AutoRun.exe

Filesize
810KB

MD5
6322aaa52753ac04073e1cb2e30ae790

SHA1
fd662478da1c5045fe7b92797ed0c63dd6d14083

SHA256
b634b0609b46701001694e90075d8ac32dac1cf015d45dbd42e923bedf0340fd

SHA512
5de058a38bd7294bb12e6750b2182cfa86eef37e4232b9d5a1f1c850c0043af0e272eace26900d22e39f07c50ddfbcaa31a091157f59de7f70e32daa1f5ce1ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
93dcd4f078c3f91adde9114bf7fed196

SHA1
dc54b1fdf1efa7a6bb0db41fa2fd71742e708278

SHA256
7822a500e13cb97bc16958a240e3a5e1f1079967178b6cfd7ecf992fba2f5a0b

SHA512
55125e9e8fe5c33f76f8b7738967d4510cb151749dfbde835b4ae2c4aac2ebd6a5720582fdc6535553d4a0677f76d2c55673294058d5c48ecf61d1949d798db5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
be256fe222669908bb6dbefe859cefef

SHA1
dbd7467a78d79cf16197d84983e6fcf512187e51

SHA256
b44a7da170b0cf2613713f2a0c564ebce951e763d7deccb66c8273ce8cfa93b9

SHA512
b969c26c5f063ba9efaa4697acd7eaa05e4d0a8151d795af6dd54c4a01c42706efdd9a0bb303c919effe3e271b8632b9527ec8f8c2618a1fd84b432e21bd9f82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
079dad67bf073f45bd374b9e2d545e32

SHA1
cccfedd781aacd9af75b458f8dd27dd8bd2fc4a7

SHA256
c575bea37ba4d9d98a8b2591a739faa3fb87a71fc677b0315411ceabeadcdf1b

SHA512
ebf78c7a781072f01a814c99d782429abcb0f702fde97e07256f0b9f3d99d929abd66f6fe788e1b8b6025c35ff395939c3df1030166f31b720d643c39c576c22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
97048e61523da9384e56a6cf43c411fb

SHA1
039fea5cad5f3c93029a4e2e178351f1b2d89d32

SHA256
f38afd76721c79f33ac3d850f9178df385fd3e8b3b01cc35553b4b626cf7e2f4

SHA512
543dad0f269fc5400aef0e9cdb8c7071130b394cda47e3d164aa1912b9cbbf9daac814a20ae7fb8a3a4abf3a4ea20505dd18ed2c0a2d86123e00fc1493156d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ff0d0c467dadc69276cd47b7531afef2

SHA1
0f68c5d86e57b6a6d8123431cc9e38598142e4ac

SHA256
165fa0a19d82b74154ac14cbee8a6fd201a15b9cb759b4b44dc477315eb13937

SHA512
0d73fb2e6324dfc1085e1f58e449f1024592a761efd69c7ce6b13c736e0f288c61e5d617c820066758f860bb6894d5e153f3d87dc51b21ad7868a30e67b99366

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
82ae0be71212f07aecd5582434100638

SHA1
a808ca43af6dd14e81b28752d26d72aaa510271d

SHA256
e3574d91114b8a404834368e103aee6cb62c00481891e96c2871923a94552bef

SHA512
920e8cfd0c262645c88ed84296507fde476fc262ae861d3859b45d37889caa7319f449ef21cfd7641fc31069befe4fb478cd822d489eb74949852eeb9d0559d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e344e43886853363ebf4f4ed47f468d0

SHA1
ad6c494307c88bf739488de88c792c1f49a771de

SHA256
1fd52adcafcee5b650c6756c313eb74b77e0c669cfa3e1f1a6142c667dc5db6f

SHA512
7a4c3611e02ae96db147e2da14a6210f449bbb2f765b91914d872b662133016959012abab9089519b343559e2b121c0528fd4e25dcbde03fffc6a7713273931f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ffe4c53638d4a6003fbaed753ef843e1

SHA1
4e30e543c7f8d392800a3c770ee38a9a6ef5125a

SHA256
ab5b42f8b517e9ac7a96f5f9cdd067fe253f5bfaf0847dec147c5f3a8ee8ac86

SHA512
4497a1f0c4a5c2bbddd0c3660893423e746dc6a76f7f4126a0ed46e65071d8efc6b2a474029bdf09d96951e13d655ea135653427a6b6bb4476921d2cd62f89de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
db256c657a5b518cad6139c26bf921ed

SHA1
acbf79247b98cb08483436d3eca67a9b8100196e

SHA256
3957f8638e1ed77fc1bfd854673abfa2332aea7e264678b59c1186e27e2e800a

SHA512
ec1c8325adc5af3a51ff3276376be5eb4ab0bdc9df88338cb60493ce249b7abac3bc47a6bdad70edb5cc7ee8b3c5d26222613c42c61cd172fd370abd73c19f69

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
94703362b1eb3b46c21f6ae137941a16

SHA1
672eb06f6c0544d87c14c21e3c35691085a03133

SHA256
540e103688212d4262f05cca5726f5b419b1c88650ed2a0de500bb18ac52d58c

SHA512
a13e5cf472895ce801c191416b50cb5f25506f7c0377e5baf0db2a30e7c686f09f42138fbd6968b57c59bd7000fbc6abcc83ae07579de1c6e752b00ba6947c74

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
84578f1c2c38419bfa985f3556ca9726

SHA1
70ae7e1f8a3684e4da9785b0d647ef87384bb584

SHA256
202addd98c224cc0a5c226047dccf24bd5dc6c18c1ad4b464265eed1e00a4d9b

SHA512
69d9d147f363a4d8d05aced2dee1793add6b3b36790d7318fe2d68c7b1b302001a199e074d7f7b8cb1ca8fcfacdde98b67adcd9fbf00c7458f196b1805675bef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d3c06ecf4ac9b9f1e7d21650f6645efe

SHA1
deb3f036139738708a6cb3ea58d8bb1feab28dab

SHA256
18ab920d4aaab205462e2cafe1586da6ae86bb78629eb85d888060fe56efdfd0

SHA512
f24a2545e39dd2922882f67640be592e8560ac7feb6bd548a1543c60cc32bd419bc52ee17c9de8f792a535538334866894ebe8a4991f57abedb8c9589f0beb5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d817e5f7eaa17b507749bf90b73d87d6

SHA1
cde5803f0983927e7b4471a9737893f16b47dc0f

SHA256
9bcf7b8afc65ac96d0ac55d06175d08f2983b3558af0387303b78b11357c0d43

SHA512
7d2b35ce5db422f9c1ecf995f67262527aedc9897dcee9f1576bbe066b4c0b323fcde6d5d197fc9d1080fa4b3fedeca37743614345f0c02116b31a5adc067cad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c3d20ac195c4c0248f0bf842e5b876ef

SHA1
dfd5b232932d5a0927c729120cf41f415441ab96

SHA256
e29f0102974f1aaf695544f42ca1b7bd5d9251748a8a2d81ece1093b85b33c6e

SHA512
647ef5c083fb758a6d77643f625543e864c40823da2de9364d43cbf18e6db1916fe13818b54d7dbdd5e365292589e0c19f733b8eae22eec0e225698c608348bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
187830b9ecd50381fa492879b1533cfb

SHA1
434bbbdc4766cabf5d76487da124cb019b58ec5f

SHA256
9936ca0993f199c214ad8b936444fa0f47a3e5cb95161c6d2da940761dc1f986

SHA512
d6731d9595909d3cf926e603a3bb2a98a172a23133f5c3812e119b5232becd0b0366e12f068327807dcce56b587dcffa47fa0b19b20d265d05f4b269e8341590

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9cdcfb5394876a54120da69e120f711d

SHA1
640e5bb6b75eae19c0b10523ddb271b7edb15e9d

SHA256
fe5a675ba79be05e5c0289e66ce3f3241e9c8d81b62986566d91c540e8b54244

SHA512
9d031d57697567ac9194698cb2a8dd338284773be1b1a8d77bc969c5844a9acf2762cb4c4ea46fbdea05215c60913664c757a08495cfd6782cb5202af8f0f81e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
4ef6caaf54974510517b49b2f6810567

SHA1
81f8b13ba85d2705418bbba908bcb187f23427ca

SHA256
4e23bb273cfe520a17f5384428559f4151c8553a9e75bd2ce8e04db8f231979f

SHA512
7d85b0cd182a5c90715dba9c4adbe16051055719482fb00237d19a7852eb5530b00eaab9fe229f164e2b9a894379c879f5fa078d160bf7e8e8c1e6ea0ef41280

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5b412ad937d4f14ac8e189eec009a1ed

SHA1
075d808d4ed9fe7d5005f583071944d4f27ee528

SHA256
06f3021b27a69b38b7b263709776ac72191dec7461ca7ee312f117a5e9c275f1

SHA512
856af58e48c13c83ebefdd75c343d89d072fb83b12b02d18907c62004ccf9458124e271242339b9a8f39ae39de425370c4865f9715ab24f2d6add61908ceb231

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
1781671e44a4e606b9e80589772bd64a

SHA1
82405bd92ef32d58b4c97f51ad621379872a2bc3

SHA256
d1d83b3a05cbdc64e534d542f95252fb8992a472d53038e209df02b0e92ae1cf

SHA512
6e5c9e538472be27e1b1f03247654ad26a84e31e497f5045c59d059c1aed285d27d00816056dbf553572c326917c3b9190eb1982ae51c388dd1dafb4e161874c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
bcb8600420086b79c8e61361072ba373

SHA1
762e6456da501548eabc6c220de4c70307847aae

SHA256
dc1dca9cfe71ef6d3e6ea0504118ae16904e0b1f95c696a5809df57ef038e762

SHA512
99b907327fb8988a246682650678ee761754a5fd06fb3e9dd889d4c42df391b6d14d80afb218dd7918cb3a0c9019bba5f25e881fac7862bf213a8cac913da5e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
bcb8600420086b79c8e61361072ba373

SHA1
762e6456da501548eabc6c220de4c70307847aae

SHA256
dc1dca9cfe71ef6d3e6ea0504118ae16904e0b1f95c696a5809df57ef038e762

SHA512
99b907327fb8988a246682650678ee761754a5fd06fb3e9dd889d4c42df391b6d14d80afb218dd7918cb3a0c9019bba5f25e881fac7862bf213a8cac913da5e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
894808200eb8bf612b4fbd3e79685e79

SHA1
dc092bdac428c9b0550b402e1b079e41a1f1cbc7

SHA256
847cc79066369782134cedbda0a2a2b176d02d498434e6b11304b1d3908940a7

SHA512
fae2c8fe36b4724715ee24b9efa179165fa07af264cd6efebd684b63ed4283e0b6136fbe1ab2c6b339d17f7142c25ee2bb48075b83c3961126ac0a46c55cc511

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
794dd819d42668c46343607c87146344

SHA1
5e7713082c34c505f2c91cac347935dd4e44c1f2

SHA256
b9019a98bc351ddf974ed7bfac2497eb803a7bb5fb47196c11d5ee702d0f8b49

SHA512
8dda35e2a5c0c065fb1be2bc0513798bbf6582d3e4706a91d27f38adabcf02778162e632b4b40c56561dc572e825a618f0bac1685331f6cf8f01d1c60c96bd9b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f1e936fbeff7fe34c445a446a4cf241f

SHA1
d6331708550fbb3ade4e8987ed785f13a1e444b5

SHA256
20d5959ce05e115f39caf1ea2783ce86df8ce9edcf41daf854a5e601b5e01a13

SHA512
fdb000dd23327de2fe605c96cdb18c73f42f685b885d4af48dbc58a8edf540b0d5b9cd3f2583cf3215af582d3e80e6e3b4829dfa9c3462826f4dff7af3948979

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
6a138f424e4a6b59a1a4d06e975e634f

SHA1
289e82ef588cafb34de5603a1ccf788eb93f50eb

SHA256
8b2aa3e8dc1f8b2eb54afeee4cd60c7b8996eccda08ca079be56b3f953bfd4f2

SHA512
04ea593cbb24fd6d885d55b0be06b5cc33936f6ed4740863438feaf21b733df51ff70137bc1fb02de0284ca3b322e738fb4fffeacd96d9302160e74f42dae08c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9e26e6792d785e0be388f1214406b1f7

SHA1
000cd32b92ae6bcae7da20667ad7334d9070261a

SHA256
8bba7d998752da92e7831f97a77ddcea3ca28357ede8d04deb79c2d01e7323f4

SHA512
ac83e2b0edce20fecc5f47016f723127e9caf9ecc09025bd4bcac805aa15cb2d8e6aa7ec83a951bca8186d888aa972bc62d164adc434cb93bb3a4de14c9b40b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
a3935b487aa54e2056a7d5d9dc8a9d88

SHA1
70c8e0fef470045a4fe92e494278f1b7896a0543

SHA256
5775c2cb9e280a7a2d5c8c3bd1704d5928d90edd242a214c65e153338bbe6573

SHA512
305da146656f2b29690624be8e12f6c38af048d2c17c8df114e9107fe63418979d50a4f6156d0141fb5adcec88762046b10f48bb494448ae8c8f4d39d4a32543

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b659b603b2366b28b59ef032d191a31

SHA1
f14d47a1c5943ba840c7bbdb376974abb6c8a591

SHA256
ea2e0621b095f62011f78bbdd3dcd54a3c7a5533688bf481191fb0db046b417e

SHA512
6dcd20543dee00b0e07e8a67aebf2cd0764cf396bd59a0a4bb699da6767a67239dddcc651c0e75f6799dfb32c28fd0a99cb634f3115c6a17bbae560ba5078216

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
3f52755148829068dd3d65caabfd6ba3

SHA1
03fd6eda3086d69f5e6f511d3f6fa1c61e71cdc4

SHA256
f5a1559f7468d1cf41e01bda5ba39f4cb5d0a5bc4885bd6f0d195006834ef9b2

SHA512
2860acf1ab233a02ec13781ac6f144b846441eed14e37143ccd5c1bf4582fa056b2c29c56e914e85f9d8d356e3662001d1f15b5f1684af81f5d09fa3aa95c398

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e136a3dbd8419403e2458b31291685d9

SHA1
72b84488eb3a9274c89b5543fd41c674e7c7abac

SHA256
8c5f4ec73bea86d4f102e217b49f9b26efb0f61b4cf59bb26891a01889b596b1

SHA512
9f3da0d299d9e3f38ed60c1619355629115916688a67e86471335d37e62cc60669539a8596174ea5137f1fd13a0efe0598a26133d739cf223cdc14f2d67fcf84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
13df1195a7c93e2b2b342359bc8cc537

SHA1
ea36505c8759b1994189d41f34817ef1ca3cc98b

SHA256
6315e856c03ab159f52a9aba4e1373bfda407b0d7c996063cbd3d399cb6a1b99

SHA512
638af8e4535a127678b1b27794c4be685d4e378b0335262815c2d5454e0ff8d628a7ab20fe22e777e2a047a76632751d24c848b074e73c1e140a1932029407c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
65d3cf7e7f79bbcece8631bf0b2215fd

SHA1
f4c55affd0345d46bf8156d55edb004527dfec10

SHA256
181f21c9d0c0e63ed9718367cb5d93acf5f0808aaa796e758f31b2a1140e641e

SHA512
d4fac00da6e2ade82f3f77b7a50e1e378fceb2c833fd203ff0133c63048c86882de072cbebc9ba0b224673fae13e89b6b1049cad2dbbb71e5350425afa2b7cc1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
357536bde94fdce05a4678353afa74ae

SHA1
54ddcd498d557f57dd1ffaf13e37a5c857ca4410

SHA256
8531faa74ad1ad2192ecdee7c6f0b5720e00eac15aadb70674192cfa5672103d

SHA512
95dcf6f9dc1978ecc9f894ca5fc62a823ea1f6a935db285cc1f3d3d3397e0fd80ae73556d4f6cb829f928852b0592cb838a29331bdbe8f2eb3222eb4ecf303ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
acbd36e388a4c8462a31bf80d3fb545d

SHA1
d5e4defc3a56d8795170b8373f6524ea2864259f

SHA256
17ec22db3d99da04e0c653b807af20718789fbbbbb3d467a1a619224e52e8933

SHA512
eda1c329ba73f94e2872cc1e1709c65ae97fcc58b06b9a4fc56988928c88420195fe19350e1636a01050c22811aeded58ec976003e39751fee28d72ec42d67f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
acbd36e388a4c8462a31bf80d3fb545d

SHA1
d5e4defc3a56d8795170b8373f6524ea2864259f

SHA256
17ec22db3d99da04e0c653b807af20718789fbbbbb3d467a1a619224e52e8933

SHA512
eda1c329ba73f94e2872cc1e1709c65ae97fcc58b06b9a4fc56988928c88420195fe19350e1636a01050c22811aeded58ec976003e39751fee28d72ec42d67f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b8096666bff046baf07039cdc2b88359

SHA1
9dd1085e1d5d050b2e8dd7940576acc3dee8c716

SHA256
747bee0e185e68762fb308554dcb756cf40257b9b16eccdb0607d6d07f644976

SHA512
abba1e0e64a857b84cb991cb9223cd2032635fdf1cd95d9e3abbdc0333d2777a30fa87cfdd516c11cb155bfae6c91c0ae170b7dd7768df8c458ef0e88799faf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
c61a21f2474783a50dc76d2004a65c4d

SHA1
be52306381fdce041efbeefd25747e303661c0af

SHA256
2ad8b114c3c433c00243c3353ba2559459ee8bd06f366ee8b2d931d4d825bb7d

SHA512
6e2f0770fc022c435545387f80d26e347aad578ff1d0dd76bfb03a6c5f039e171bd6928d49f23039b6bc4973ed2ba4129b0e5a834c768097d7333b4606c28a95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
dc2f0f1dfc7fad0d7ad1288f0d890ff0

SHA1
743376d3592a00925db0024a7a547089c10a641e

SHA256
5d9ee736c7babb8ef2c01776e41472cb1e02873da3c4f503abf4c022a98cd3a3

SHA512
187384e5b5104c35aeb829b51e2d86fa90c1ccd127110ea51fde44e01e2f5bce809c7fd8ebb4a69c6913072ab605a8c454c907f38a3fbf278c1eed157a47e1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
210f33f9acedb21df732507b33c45ca9

SHA1
9346f3bd9af2eb8dbeae7cde4657a90cf227be11

SHA256
e757d2b4b6345b50c9ae92dce9f7927cd00e61da71b55f70be383be61e556572

SHA512
a4ddbe891bdf6057b1ab4b2e2e2dfa483eb0e3772f9881b913ad6950b2cdeac735a4ee7b4f0be9bd4f333e48f0fd8b5bb8135495134e1ddbd2a8f2d9f1823e17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8fa6e37843f64a6f1d6c97f4920dfe7f

SHA1
2f555565e715d418b54263e440a3d9adaeb954f2

SHA256
4ad4a0772e6f945488f6c68276024bc85b33914eaac41b4275498b4b3122ce77

SHA512
309e1751771b61488938e26564940a98933f7ee4b4679d90c4b90278c6a6982d619a3eeb248c40545b4d658309e734dccf595d9fbbfbe514ae62ced3fbbf9320

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b4b133c018c73982c2b011565b608b4f

SHA1
ad131ee45cb3f6f753e984d5a5d1d62a71a24b20

SHA256
20ca4c2926a6ef7eeac0a5e6557612dac3452f9e72bbcd4fbe7a44a8eed0276a

SHA512
295675af539a2beb26e78e7d997fe6e9802797417de08f3b6940f15eeb82155ba4b3ee10af0009a9f275039ed8e5d8d138720c999fbb5f4678b6837938364802

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
0a780f8043f776d22ea6469e1328ddce

SHA1
acbfed02e454fe8d8778cabe2928fc8f5047d241

SHA256
ffa6dda4e61f293de02cfa09a1c6b18d861d03eb376106d23cd6574dba28e984

SHA512
062b7b1fc381d92b276a28ab1b545e2ccc49cc4e21272ed40fa194b80b0bf948823e938ad78d7290aab132af2e092e07c5235467fa76ad0c27ecc2b47a0d193a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fca30bd925b4792b64ed122c0d6cc06a

SHA1
78b106788223fb82edf86f9888f89c27e65d7d96

SHA256
421c0b17cff6ebd9f266debd7c1ee54769a7b0d43ae31deead03246a830fc017

SHA512
77edee024161901a83de9a5bb93aa23f5bf312fbe1c7d2c95c65ebcaa44f15390a11f2912899e84f2cfaa1733965bf471b18c05a549258d724f999e4d2b58584

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
2553dbdf73cbb3d1866a8e03031bdd2c

SHA1
71c502505353d4c3b71ef44154caa8ef302e72b0

SHA256
a00b13da91968aaa8a889a030666dd7aaf73aaea928d40699487fafa70988230

SHA512
2e582f337e035a36d6c48c65ca1f82218dbc4307d048415b96878e593dfbd23fea52f8ee62f878e6b0e621343b4a3f1e2cc8e7a3b0f6026b53fbdd929ce80e95

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
745KB

MD5
33ddcd4ae8aee761ca0f381aecd28873

SHA1
7e9a1e4c28e2ee7d449628a983032af2bf6fd2b6

SHA256
899a39099e83d2a90f734579619d55a72dca9f2639020dbb59670b78887dc620

SHA512
972cd82f6c12cbc0b3fabdf70a5f1a01e899b67d1ba6e99271e407f965f9743367da0345161366c8d12cddebf72612929f8740a1e8b6ad58dc429be0fa78688a

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
745KB

MD5
33ddcd4ae8aee761ca0f381aecd28873

SHA1
7e9a1e4c28e2ee7d449628a983032af2bf6fd2b6

SHA256
899a39099e83d2a90f734579619d55a72dca9f2639020dbb59670b78887dc620

SHA512
972cd82f6c12cbc0b3fabdf70a5f1a01e899b67d1ba6e99271e407f965f9743367da0345161366c8d12cddebf72612929f8740a1e8b6ad58dc429be0fa78688a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads