a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8

Analysis

max time kernel
153s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
Size

186KB
MD5

6fc7d46bf78a5dea96c7fdc9d5456743
SHA1

0ae6ca13828c488ac0546af3a21d5160b9619a58
SHA256

a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8
SHA512

2c5f3495bc7d4d52170fafbb58646ff32357bd7158c8e3ec9779e2b4408468e91992a07f6112f1a3c0fb84c8d51dca65a1fbbc2479893233db4de607fdc7336d
SSDEEP

3072:rimsXXK9HRTOeriRfP6pXfSb0dspqc5oY0htVFAHT11Ual21Cxcs0HKAH057kyJo:riMmXRH6pXfSb0ceR/VFAHh1kgcs0HWa

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0008000000022e56-133.dat	aspack_v212_v242
behavioral2/files/0x0008000000022e56-134.dat	aspack_v212_v242
behavioral2/files/0x0006000000022e74-140.dat	aspack_v212_v242
behavioral2/files/0x0007000000022e72-135.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
4912	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\H:	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File opened (read-only)	\??\T:	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File opened (read-only)	\??\U:	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File opened (read-only)	\??\Z:	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\G:	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File opened (read-only)	\??\R:	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File opened (read-only)	\??\V:	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\O:	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\A:	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File opened (read-only)	\??\E:	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File opened (read-only)	\??\I:	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File opened (read-only)	\??\Q:	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\K:	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File opened (read-only)	\??\S:	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File opened (read-only)	\??\Y:	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\F:	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File opened (read-only)	\??\L:	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File opened (read-only)	\??\N:	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\B:	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File opened (read-only)	\??\J:	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File opened (read-only)	\??\M:	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File opened (read-only)	\??\W:	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File opened (read-only)	\??\X:	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_CN.jar.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_zh_CN.jar.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_zh_CN.jar.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui_2.3.0.v20140404-1657.jar.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_ja_4.4.0.v20140623020002.jar.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\resources.jar.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\mlib_image.dll.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\jsound.dll.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\en-US.pak.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\sr.pak.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\deploy.dll.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.ja_5.5.0.165303.jar.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rightnav.gif.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwgst.dll.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\jce.jar.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\.eclipseproduct.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.databinding_1.6.200.v20140528-1422.jar.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\cldrdata.jar.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_ja_4.4.0.v20140623020002.jar.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-nodes_zh_CN.jar.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_ja.jar.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\instrument.dll.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssv.dll.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser_5.5.0.165303.jar.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_zh_CN.jar.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-text_ja.jar.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\sunmscapi.dll.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.SF.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state_1.0.1.v20140709-1414.jar.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_zh_CN.jar.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_zh_CN.properties.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Internet Explorer\iexplore.exe.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2native.dll.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\management.dll.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.security_8.1.14.v20131031.jar.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\jsse.jar.exe	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 4912	744	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe	82
PID 744 wrote to memory of 4912	744	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe	82
PID 744 wrote to memory of 4912	744	a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe	82

C:\Users\Admin\AppData\Local\Temp\a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe
"C:\Users\Admin\AppData\Local\Temp\a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:744
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops startup file
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:4912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2295526160-1155304984-640977766-1000\desktop.ini.exe

Filesize
186KB

MD5
c7689cbe9c25e8c716bf9519617501b3

SHA1
67817c49796ac97bff1499b13565d71d509e531e

SHA256
060bf2c3db963eb6a7e650bac9dd6b79f902a7b63514c65fe56ef3d5cfd177e5

SHA512
5138d932aab2b657b6b170341783db4000b08ace455cce6d5c5a77e97a289f1cee0ee38eec5e816f95b90ea9d02e761e95ff0dccc36c841e10985837fdce747c

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AutoRun.exe

Filesize
186KB

MD5
6fc7d46bf78a5dea96c7fdc9d5456743

SHA1
0ae6ca13828c488ac0546af3a21d5160b9619a58

SHA256
a674e4d991daf4bd597c94ede8b34237f7887a9a6187acbdb3bb0f63f3500af8

SHA512
2c5f3495bc7d4d52170fafbb58646ff32357bd7158c8e3ec9779e2b4408468e91992a07f6112f1a3c0fb84c8d51dca65a1fbbc2479893233db4de607fdc7336d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
72b81f9795596d9e275dd80c30051b15

SHA1
6a4bda6d1754c57002887321eb58aabc7fd51bb5

SHA256
9dd9191a9da0ef15192da8b803dfa759de2ce0c8833d5ea74bba6ed934dd9f70

SHA512
47666ed1162316dc09cfc8471afdbf88f488d918eec78a8c04d887a42f26155f293ee89bf53803179d5b7a1d1d7d03aef6a0158a7f9dec0aa74d57beea1c41b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
75cc00539f7c5040bf9b61c87bfd8e58

SHA1
4cce898f72dd0db0a3caa87a7c4c759bac6a9e3d

SHA256
8f0b01d1419a8fa4252efa191f8ea381d47b28116057dd5c62ab092e027a1db6

SHA512
3a704fb21de0196bbdecc8079a10520e6fece1cc38e6e9270309665eef82b63a31a42f4c28c32a628c32d486235efc1b36cade78acf9f0d2fc94848c9e896902

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e0bb63e0b758725f4600c18252105c6c

SHA1
3f056d2a6c1931f9da10db024cee7e3d450ef6f1

SHA256
4e5ebc4db29102733b702d2976a925e17d5be8f94f945bffd3920232c510c928

SHA512
10429926125f994f52b61664975281d518d1ce26b3b11171b6d07f1563ebb734f2929396ae2e751279777d5044225056dcd3f2b8d253545ca1fc4b79f903f5e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
5adc9cef5de324d57f081b7bec83198b

SHA1
3a372eac6a47272aa3e1f7e3df6e442effc67423

SHA256
8c3b56098ede4c445365a3c6dba9f3e336f4bc2195f53a154259ebf6353fa883

SHA512
4e78a18266dda41922563937931f37e24b4a65bb1b8c805a44cc4beecdb8b2da2fff9ba7a15d6112389fda45e0647633714f5815ee681bd22d9b9b3b9f77cac1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
30fa20a4e59be23cdfc77d9663d51e74

SHA1
5e59ddf65ef299712154dee881c60fcf61fbe305

SHA256
5b7f4f237f4b3125e7025932b9ba38636dd7d93118fdd7d1c34a9002472fbd8a

SHA512
b4a1a97974df7016b15e4ea2b0a0d75d2a935b7158b012278a5e7750512bf96ad2c4fce78bc436339ec2072b4152000c82f609cdd0858cf81f89c928eaeb5381

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
fdfc3c14e162ffe0134d2a9b3009b726

SHA1
ec701d4c83ef993ace0388567ac85c4642c7d8c5

SHA256
7b57974ddc2aebffb17ddfa2d6491b743d18ba52c5cb6ef65f2b0bc4e0724f4d

SHA512
ca50aa3842843218bba63bfa587177e6a833c7de98149ae20bcb9b2840de0b7f8828f1509b03b07a3fca779bdb809abe4cb5f0bbdf1cb4963911c60c0dc5b092

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0229fe128bbb5386e80045428c02ca75

SHA1
1785a8499b7310f03c7ffe7347f689c8b20b2729

SHA256
82dc9e989e6e15dd73a8430f7b94f991c8d0675fe847f3fd1c404cc05ead1f37

SHA512
ddba485732863faf6c259df400fae2d4b482ed95338a642eb180adbe0190d42bcb39f2b6a9fb31f6a5266daa20d0d893c248aa2068a237800c70132d807536f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0229fe128bbb5386e80045428c02ca75

SHA1
1785a8499b7310f03c7ffe7347f689c8b20b2729

SHA256
82dc9e989e6e15dd73a8430f7b94f991c8d0675fe847f3fd1c404cc05ead1f37

SHA512
ddba485732863faf6c259df400fae2d4b482ed95338a642eb180adbe0190d42bcb39f2b6a9fb31f6a5266daa20d0d893c248aa2068a237800c70132d807536f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1182bafd0ab8acf8f002ca99a5338cba

SHA1
a3d62b916cf32f6efb500d1042a349490583d582

SHA256
ee5837f51a09cc0b5ef515eea911706395087eeeabcca760588a561ae94ca883

SHA512
25b1dd0d0d66a8cf6e27016eb03b14df71cf3f6133f4a02f1a51cfbd21cf53074b72c839718503d1f7d890a22c2b8f4c8660ce2bf3a94f0aaa2a430d91eb7b48

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
500ea65c6217df3900c8a95fc9d7109e

SHA1
87a34f1c077bac62ce9052eab6f46d2843fc1f25

SHA256
efe7e1ae82311951d151b63a38ae90c5010ab57025a03c05a544f65b5148021e

SHA512
0ee514d5a5d3ca721fe5d6a802069290612d8a3debd1a5936da18a39cb7127f3a05b2b3841afc8cf0b471c67daaa9a80b0301056692c278c61638e884cc16427

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c4f33c6dd92e3307011a5728dd78f49f

SHA1
7aaa380ddcad575dfb9ac7425bb241cd25618b00

SHA256
c09c088dfcde1617dff2c6597c0cca8fe58c0148ab147b63a95d3789b240c404

SHA512
eb5995cb4670ac77b9ce46d03ae77ece035f57a2f424f802b20fe925eb86a42f8b8941fc5a4ba15a9886a43ae5f49f120fac5e2daa5d841d5c96cd1e07c4cfec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
53239113a51842cbb6a2ed4871412fe4

SHA1
0a8620d893b4a69d0b9a6b26966f629ef62a8935

SHA256
6d3782b9ff97e73a6874a58a45b1261b9b38ef5a8f58537a898d843a4c9f2cfa

SHA512
3de27a88decc5e297eeff7caed32f1ce91b7f1c9ce19dd91e656905a9fc178dd4c62c9549b03a3bff6cc5e9c2fd5392067a2a85193124af6d822f283251171e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ce98002b6ab7a1fc4f383d1173052cd7

SHA1
1922597cdab51f53d56240fcd555ce5276876ceb

SHA256
3e1321c10a7c641e9389200535c2395d1fd25de9f92c130e39c31f140e8211ec

SHA512
5e6221f7c207db15a0c7f20f010190a77d949384e0c77981e35576723dfb0055d72ed3491f887e8be146da939e4b00823995efd2afdbd2440cb6984b242c4b02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
5c0b2a3f3c8f8785fc462b6515db6142

SHA1
f7089beff35eeeca79b94548938430329b502fac

SHA256
81762d55e850a204d7852df12d1bfe22326d5d439de77c3caa0f25d0bbf884f6

SHA512
e1bde7d81afe9958af133b408bfd75706f1fae6ed7abc07c03714fc51c4e043536ebd75772678adc1e0b7531c722fed1ddc719d6f427831178b1e4a28ebbe20c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
3ecc48ea0a2d1c3f6297cf4688d223ba

SHA1
6859da065169789be1175b3086f0043a751821aa

SHA256
981374b13b25a4eb66edc59fce6b058028b6fc7c3b2bda521374ab259765d352

SHA512
2f50c3a5c4c75f28aa333e7944c1bd6283ede1567d1b3c1937baf0a89c4f26536260b6b27fd787dd211b45fccf92f8c7e186c1b07877047830d07fe1fcf1f4f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
942f497597cf8c09841a5bf17f570fe3

SHA1
91302a30ec320927acefa31b34620272853bb0f6

SHA256
a131e6659c244101e3ec930e27fc5f1e027050057c8e84124d0c928ec5ab29da

SHA512
46180ad6aac1c585e65993bc74e6b1823e1599d2b7c3c6240d6a076e8efe3ef703611b83a1f0458b4f5d7b99035de6d0c14d5c9ad2c51f66d3669812c0ec1715

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
bc130fde56ee63eb33a0fbdaf9fb60cf

SHA1
31e6c327341135119dbf853fc1b365c8bda2a3b7

SHA256
888fafa60d66901912897006b552eaabcaee550e529bfbc0e8c32d69a2541242

SHA512
fae7577de67c60e61e865893f84316ee3257b8e42cf2b4b82cca8637ec91f28c377af85df40a029a712be88abc895e09fc32c91f03155d56ade1fe8d9471ea09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c50df459c731ebcadbd3121072165d8a

SHA1
1b30c8216584baa7c0c8f004e51c700c58b38042

SHA256
df8ad613768be883a12612cdc404811d3d57d32f8230291cfa4ebc65ba05c56b

SHA512
dce2c22fa0534ab56d33e0908e253d781425d64a83d8310c320fb2198acd0dbe310985d667e024f29ca0b4a8df005a13b00cb3c7faee9f7ce77af15b5a94a62e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e96562c48961f9e6975ae885ea5be67b

SHA1
b7b3911523b29c74e59340c1c900750d0d52541a

SHA256
32575f6bf83881ef0c22247613f3ab03617b6dc23821390afe623658913ae2b6

SHA512
c0fa9aae2faa786b0004e2f37ad6f33724810340ee9ec170eac2372f9145c45b0078e5ad7dbd9b5c6557705321519e7874996d1ad4549bc87377092d2af32650

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
51ae4c43f0eb88565705d40f7d63c917

SHA1
14af75fb6f713a4fcc23cea25ba7fd594f6be335

SHA256
2755d7bed5feb7e30bddf086b0bdb950273d462663e753bd517491a53f0c532c

SHA512
0fe2eb9e09da2f193716551e5870fc9e8693b3c2f57bf6fb7383715170c07b00053d20670cd3576a83b9448c3535a124eb798b386949b184c5b96ab8c4cbbb89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
785b6fbb10b0a44762adf56bf64de823

SHA1
3286ee93edc1d77a5d0b0c8cd6d0c95785481bf3

SHA256
30c43124d3324bc8000fd27377e4f25cacbe0e77f7b129eb674ceea32e1303e4

SHA512
55d852092767273fc41942bd7a3afcf7ada9008a3f4ed0a62adf8611be4dfcd4ef518ad7783b0c7a3ce9dc5c84164077da0167d4ab07cfa7d4eb2b5c08eac630

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
785b6fbb10b0a44762adf56bf64de823

SHA1
3286ee93edc1d77a5d0b0c8cd6d0c95785481bf3

SHA256
30c43124d3324bc8000fd27377e4f25cacbe0e77f7b129eb674ceea32e1303e4

SHA512
55d852092767273fc41942bd7a3afcf7ada9008a3f4ed0a62adf8611be4dfcd4ef518ad7783b0c7a3ce9dc5c84164077da0167d4ab07cfa7d4eb2b5c08eac630

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4b8fdfb382f6491b48b37bd90d329a1f

SHA1
009d4f03017c94dfb680259644980866e7fdd1fd

SHA256
1dc998ddc2ce99eaa0fb3dcd9237ef7a8493b4b5b625c97a55c2fec0d5651340

SHA512
3857aef7c5feaa06e73025c58da0516b5c18f88c8514edcf0643e03a73a82870d1d1f98012fc305012b441a1cddc36cbfc358d26056e257f0bdb8105548869d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
da052f1d2805c419665b91965770604b

SHA1
89c540ff6ea9e0a27801359cfc6a3cd5fabf5688

SHA256
7d93acae40c84dd657fe4f22b8d85eef8b8bbe4ac10bf85e5c59e32dbf870fde

SHA512
65d0aef932d1631fa673e67a1b8a55f7018f3096331c317314d912d8d7ae793b7ba6b4626f0276f1a510145bac2accce4c02a8d2e2409574b44da84bc173afd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4b133e5be335f97fb9701747132e04ab

SHA1
198c245043826f9ce89a404701b71335044a8673

SHA256
cf8567cd9537e538c75491c5a6188198a8c985ead53e49dc0374eb7ccaa1f82d

SHA512
e5e0a8f9ccebbcf2adf7d87a15980464822781927d2fa194e09ed7f0c86e49ab769f9c50e7bd80dc2df04133d937e8264b9dcc40c796e48b4e42054d93daa93a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
5d491c772fc6c906ca3130114c37cfff

SHA1
32e8810fe5a101437eaf5f91292e5df047123f9d

SHA256
554017871b62e8ed2d8e5f7c7ad91724a493f252163bbbc6d9b6ed1300944845

SHA512
9109c570f9cd6a66b48a45654d7b37ad881cc6193d876b44908fc4ccaf3d8a2f5abd861b99797312ebb3b4cbda0ce99b8db6f3999446d6866ef4aa022a066081

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d0961c4a5015221035c27eec2ff77554

SHA1
d032902dfb2b637c7ace361bd23dec3b59868435

SHA256
aaed8c0f3c89c286bb397d32954261e4c8700a529896dd964d334b9c71e31aeb

SHA512
486c3d846ae5ecdab902a0250aa90415c87185aeafe428e7178225734c4b1dc542e3147ad2ac59a2fa877a328cc8288eef80b431fdc2a6284f9008d827e6aead

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
b3da8e4f1b5a0670bb005bf230e0b0b8

SHA1
dc14cb14d662ebd2b9e299b54592ffda2739190c

SHA256
5533d9e7bf81022ed6f6f6b3d42667a34a9b47de796c16f1f2ce03edb3f2706b

SHA512
e48e475d2e62dbe97c1afd49e54536b63581bee806bbb1da52c2c503642181f3e2030f7784f82c10eddfe1eda041d148bbd9114cce64a35be93f2f7c74b1c73e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7309b40ba6a8bd2475be59ea6ef2d38c

SHA1
77d622affd35463257c2c4e5eb6c8b47de15ede2

SHA256
c3f3a01198f1dd179e82e238666f4e678caf02b940b76ffea58a87047013ff6e

SHA512
95ba996d77d583ae9d38234c6326e0710c7ac3f91910c7e8785a3a53336aca2811381ecb0b4d3f6acb9dd0d84d9a8941e67815302eb0f96c5b4f60c883e9f2e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e076b1120584c1704bb0b9ebb7e58a2e

SHA1
a2d8d9c85a528b6eb49533a631c0485974789df9

SHA256
a4e446a1b74bc930bbb4cb3b3f1a5f6ec01e3f8690c099ee1d4de00ff0312570

SHA512
e69a584a0941e8159f0ac5f51213ae8150c31253f933f57141d8ddad8252876e94f77ecb99828b9199567c4b18ace8a3ddc6f70a67768d919385ffe906ddce34

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0cbd5a6eed6ffb6dd90454f7e119abb0

SHA1
77c5d968a9d1f1349836f029db03e5162ec852b0

SHA256
c4502f3e1828df32ae8f8effd5b6d8adc75bf95ae1ec7fbf27c1438c0890aa84

SHA512
217228acefde97225ae91b16b14ea12410df1cf8345618eb65a0815851b419634b8ba252f4035ff91c65818b27e960cd6270f26c52220afcfd6a788be764326b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
8ce5af02fa548701445b176b216041a5

SHA1
9c906d9db7dd9743ab57e66ede27b2b26bb37c95

SHA256
5dedaf4bdaec1073f1330196c46e9ce9f6ef19ed811541e0457bcfa6665c4435

SHA512
ba30cbb44aa9579df9ab4064a590336f550da518b447f2dd26c3c4d9106d33c919cbd37636e0d99bfd8f4e482d6f84bd07855dbdfea89a7771927344c0bdd8fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
09022aaa64312a973b3d99b105aa8c88

SHA1
400c4949526ddb6c014911fdc6ff35a693f66925

SHA256
8bd26147e46eda22351102eb52a72e14dfd158f98b83056ceb53da7210080716

SHA512
4e9612c0bfb9b36eee876a1c476749a6b15549775ee0aa691c977f631f8dd625fe9d6a1860839612849985c29e875e53c5a5a25bebcdc9aa65f01439ec5fc7f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
19311a7e491f3cac59a62df88b774c1c

SHA1
4f47ae9c2634ae370511f899333286aceb30c804

SHA256
84fe20bd0fe666d214c930e46729b843336b532f48db83f1c89b1dd767a8b9f5

SHA512
ad0e53bdec5e58084de5d63a95b5d500ed6f7db1fbc1a9dd662763832907a18f00ae9fd57d2d0d0357e1346161a51dadc8a04e661c2511944189d8a9eac75e83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7c9fe5898ed8e98cf35b7695f78e4300

SHA1
50d5b5f76e02dfa43a2ac4eef44ed1dc3bea9c56

SHA256
c287eb20bd375276ddb5c1a6b59577ecaa4d95e37af0b4373583b777a1c37e22

SHA512
68d469ed5a1709dcc1ec669cb5a38833a86dbe1fa16ae51eb6aedc30430116672fc76b070ce94a46d70835c77269ca6fb761d540355bbbf5440d109f354a4fab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
155d393d1527bf5a8898340407081e5a

SHA1
c7e83cf3e0fccd9202da2b15905e109894277348

SHA256
e051f02664b37e6140b33c587de4e6364a67a0c4a4fbaad034f4c1532c42008d

SHA512
9506b1696d9142d809c7e8f7a84a5783b0b1e0cac6baa4c3b73a6a214b2601e2506b5d2ae5f28331667475f0e49578d8a9306af9fb33b4d3f8fc14b1682f63b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5377cbc7babbd9b02a0e7f0dfce5cd35

SHA1
0008a9c4a891d697854d85046dc0613217f43783

SHA256
38d186b6d52806892a65d4b6f2c7c2463e82707c4aca5ea6d0f305499f7694e4

SHA512
b819a128bfa13e4a51c549006e6922d7eb91fbdf2b258ec185c5104db83d3d51a97329f8719614f2917da4e4b69de63fa79a85a82354100b5e912acc1151ce2a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d6dda597165c29fa7ac6272f961288bc

SHA1
e554bf19482d5c22f275a8a9b85f335696be4fc2

SHA256
1abe58956c9f516f119bac67c546e3020c02cfa88f89bc8c3b6ced0ec636412e

SHA512
7f08b047f2fd47b8d4dbda9cacea4859694c41ed6283c62239b75fadc4d0ff9005a991a4ccc5d5eec57b6bebaad2fc0b8a8432427b63a15189990e226096c218

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ecdc04b44dff2f1a436e127c8bd128f6

SHA1
e5ce7591f6a43ffb145af377b43f67c565e0e319

SHA256
a51ae86ae74d7824485d68caadf31501c08869d4bf83d312efdca409dec703c8

SHA512
0acfe33aee9c4d5f143da7df3f2d50da244ac9b984adebcf7be419c5cfa8af57fe8fd8e89f9c5daf794e7046daf87077adad116dbc415bb14ead4350dd797043

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
30479252b3bca309822a4a82dc76152e

SHA1
e41def81449a6ba4d6d2fe2213daa8839ae5546f

SHA256
ecf99f523cc76fce5f6ba8c38881e07836a61692206f0b840dda380e534b4b14

SHA512
757df5d80c623c7b13b8b9e1900a4cf9876a840e8ec3686edb1f1a72c701f64eb9546dc52af43c5e6d7d1018aa575c9e6131b36b660c7aaef165c5bb9d1b9e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
81a8b48ec34d1e2a1413a6572fc383ca

SHA1
a87115b370b63a8b57bf1a3ea876538334fb5ec4

SHA256
222f484a4622beaf81cf2672186d59020afeadd9c265bc1f35006e61c49814f9

SHA512
d878a0670b51d7b769105f9f283e73969905d4624707ad16848d8f8c3bfeda43f8bf0fb4a25404f80978c2fb511aef3accc5fd7bdbfb1c1c6c0163d67078f739

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
183KB

MD5
642204f5f29ed00a25daf8fa03777a3b

SHA1
2b5ae7ee534b90cdb216c3e91d93e04ac9e46d6b

SHA256
e151307c8873bbb0a7005371185458ef8ed4fbc44115424bcba69755b8bd7aef

SHA512
cd74fe3b5793caaa004bc251b544f8b866f3e887b80a355f98d4ff1e7a5c81bfae7434ccad3a20472ed491451f44eff07dac607d670f2588a8167f976afe49d1

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
183KB

MD5
642204f5f29ed00a25daf8fa03777a3b

SHA1
2b5ae7ee534b90cdb216c3e91d93e04ac9e46d6b

SHA256
e151307c8873bbb0a7005371185458ef8ed4fbc44115424bcba69755b8bd7aef

SHA512
cd74fe3b5793caaa004bc251b544f8b866f3e887b80a355f98d4ff1e7a5c81bfae7434ccad3a20472ed491451f44eff07dac607d670f2588a8167f976afe49d1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads