cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6

Analysis

max time kernel
175s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2022, 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
Size

194KB
MD5

3b2733f12a4f58a00300049b4d2de5b6
SHA1

195d6e02e684f59bc56d669fa1f75018d3027dad
SHA256

cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6
SHA512

b738156919ca3488b1edac7e4a1849e60d5f959aece6966e13b9b9d5778a1446256120f943e844a0064c61892331dc560c48a6401db26adeb70ba70981951f50
SSDEEP

6144:riMmXRH6pXfSb0ceR/VFAHh1kgcs0HW1kyApwk:ZMMpXKb0hNGh1kG0HWnA+k

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0009000000022df1-133.dat	aspack_v212_v242
behavioral2/files/0x0009000000022df1-134.dat	aspack_v212_v242
behavioral2/files/0x0007000000022e0c-135.dat	aspack_v212_v242
behavioral2/files/0x0007000000022e0a-136.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1072	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\B:	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File opened (read-only)	\??\J:	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File opened (read-only)	\??\M:	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File opened (read-only)	\??\U:	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File opened (read-only)	\??\Y:	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File opened (read-only)	\??\Z:	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\H:	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\N:	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File opened (read-only)	\??\V:	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\A:	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\S:	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File opened (read-only)	\??\K:	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File opened (read-only)	\??\O:	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File opened (read-only)	\??\Q:	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\I:	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File opened (read-only)	\??\T:	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\P:	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File opened (read-only)	\??\F:	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File opened (read-only)	\??\G:	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File opened (read-only)	\??\X:	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\E:	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\R:	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\L:	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\eo.txt.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\System\wab32.dll.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_de.properties.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\jdwpTransport.h.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprst.dll.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\mlib_image.dll.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\System\ado\msadox.dll.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\LICENSE.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogoCanary.png.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javafx_iio.dll.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\Xusage.txt.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\npt.dll.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\eventlog_provider.dll.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\snmp.acl.template.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\nb.pak.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\icudtl.dat.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfxswt.jar.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
File created	C:\Program Files\Common Files\System\ado\msado28.tlb.exe	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 1072	4148	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe	83
PID 4148 wrote to memory of 1072	4148	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe	83
PID 4148 wrote to memory of 1072	4148	cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe	83

C:\Users\Admin\AppData\Local\Temp\cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe
"C:\Users\Admin\AppData\Local\Temp\cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops startup file
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2386679933-1492765628-3466841596-1000\desktop.ini.exe

Filesize
195KB

MD5
67ca09944ba2b99d36811cba529ab745

SHA1
6c5714c9c130c940b021b91f2a5c56cc9dedebf1

SHA256
cfe089574132655cbc93421f26a5f808d6d14bb13293abe78105af22f1dcd70f

SHA512
29faca780fa308fcfb79a874bc19a302b6d888c368c5c4ac78e6b7436957630545a579d5a447c4b227f9f97c19c9be6e8165b7b4a172021a51f35621a46a5291

Download Submit
C:\AutoRun.exe

Filesize
194KB

MD5
3b2733f12a4f58a00300049b4d2de5b6

SHA1
195d6e02e684f59bc56d669fa1f75018d3027dad

SHA256
cf9e8537bc8d23e05f9899f00d8d5380969bfb135afc672bdd72c0c215bc1ed6

SHA512
b738156919ca3488b1edac7e4a1849e60d5f959aece6966e13b9b9d5778a1446256120f943e844a0064c61892331dc560c48a6401db26adeb70ba70981951f50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d7879ec2a4f2fc2e3d6e7d8c2b42fc8f

SHA1
53fe72eec95e1575a4ed45a6523c6907c2830e9b

SHA256
54d52033c24103a2351b6e86ef16a6b61c3207dfccaca89b23d3ce11675b8f23

SHA512
a799d80c81e4ff18a18ee35914607d3795296bf611ce26f80869d9dde2d5935c3f7228e474867b1fd9c72667a7780ae1b13aa51ca97056e3e9d699b6ebc20de8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
60800876dfd2e79547636a3c8fd8359e

SHA1
3af25d9c013a183307a5aa4831c167c039445ab0

SHA256
99119b372138cc409443cee64a1bfea13bce7632c2d27c58815502fbc149db47

SHA512
d4c8f15991ef88b2bb97b3a8e396d20f02eef404757cdcba0b47abc5d3a6870497644d5479ef4258821b2e21c1ea4a5211e5967f53faddc997153d09eb49501c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
18dc86eb5925d7ccfe9b20cc790e24ff

SHA1
3649019ce02c2d0f95735c54bdcb89521490106b

SHA256
9b5dc33a0c6350960a812f7df4f3e0fcb7b268c7dc6a940b7c859244df3fc79f

SHA512
e24ae6084413e2056cc057c381f8a289a48d0e6e9ae367366e0652e7efdcadd50903d0d333f0b21ba2fe66fd15810cc2a80ed2b812baefb0105dd50f47536b89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
d0a88b30100ab6d751a340667f5d6c77

SHA1
60e318bd6ff243f7039196e7f8a019e821a07f6c

SHA256
7b32f482255cd1b66c829a7a0941aeb297dc0e7f3520947aea983d67ad0a85f0

SHA512
7540fda00b95395c94060c54c26ee832ff3735c2fd8ae31ffdc469b49770de7b758a9146cea02abbb8d2deeab506fdf4c3c60bac257e83c96d2f5b3449200661

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d5ad5518bc4f88bceb5f7fd00d4b4ae5

SHA1
cf3d7dc7c9f38bc79191d05e57ffb4743d077bfb

SHA256
566afdbc034479c03f5b59327b97218fe888a6e4277cefebe510ec18d52414ed

SHA512
88ad5244740edb0d9140836e78e3039d94fa4d077cb9af3f40dd4ec46c960c9463a81d72fb0c7bb7b6fc62685322e5167afb376f4205a97ebd869a0f3ddcd8f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
78b6eff226227a5f906352bfd35bc7b2

SHA1
0ce7c8114e14a017b590fc8a889cd7b8a715c31b

SHA256
1ce29a1753f7fe22e888ce210116209495a265e66cd79b5c5e5d632b02460a2e

SHA512
a19f50770d0403b8b7e59012ea3c5e331c061af76058dcb412698464c8748d26018cf66b27e2eb27866d75a514a02bd64d0484141183dfbed9636fbc4e57c5ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
f51bd9193b407f6a72afd1d74c104d5b

SHA1
3306abddbe27e552c590daf93e04c416b60fea35

SHA256
9596dbbacc9f7c2f949e77fad8b01ca26230280a46a8e29eb229b2544868e663

SHA512
e921f6d46082f14d40b773447fede2079e533fc2e23d09c4b10c8ddaaccc061be1e80f6aca976ba02c36b01bdaf887b6757fa58327f27698bcf4b8a43ce4f8b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
6a213135bbd4554cf314b50015ebdd95

SHA1
c47497cca560e6105d86125d5cef8b45b5ff6ce2

SHA256
422cb686d6cefb7920122e5c42618a7a27b42b061ac97b4bb08cd190c96231a0

SHA512
86cffce324c2aa9270069ac229d913ff0da8f83f4810eb7f11d4a91fcce21b7a73a07b90c09aec2cd31a0f062bbc9932964936cb4d35097ed0b0481264e62a33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
f9aa435115c9f9d3a72be91dbbc74d8b

SHA1
7ce0c96eef841c96a924e7d4cabead0bc3b61f6d

SHA256
3943ac647dad87085251ed64aa43abe1e0136d63ac17902d9187e75bee3bfa94

SHA512
ac1b3c665f12fd333ed0c4c82fcc40b7acbc9bf899c3482de8b05152e9e39e203a8e832fc23c3745c4d5b15961ddd449e31e8d320469c1c3ea4e66fda79e9e7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b8b474725b6cd96c422f90dd0eba4aa3

SHA1
0e07aa5794f398b821b8f8211adc8edbd47ba728

SHA256
aec52dc9217c91a242f2ef3a659374f10891b9a7e314fb71887b39f13bc5c0d6

SHA512
cb2559a22dd4e32383a102ecc562bcb9ce9dbd44ed53288381ca9150307c6e06d7dccefe30f497ca26a320d460c7c34386465408280a565a43229d23bbee1c04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
cd70fff137c4ba8ee9797b93b85eb999

SHA1
b67e0b725028941ff7dda6d0ef0cace828038715

SHA256
92af093c379c1f9d6c5cfb17e2b126260c0ca2ec411c6cfb38fda17c1e3015d5

SHA512
8a5dac7a2cfe65f434467704981e032e4be0a348b91f58c7a941779a9bdd30f3029281964530c462ff36b5ee0eae3ec100c8fef9f8558ebbf27dc397826d0939

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9def23435e773eaea28a0b78da55fa6f

SHA1
d329951a496a99590c0fa0022d6e039cd103b8f8

SHA256
cf8698999d7afbbbe6ca5d3d6c3f100e46d8c22096b55a5afbe3e97ad2ff1c45

SHA512
cfe01da43adbe3071571a41735b071dd06cfdbf0c03dd44740a61d6d2f4ed8c66fab859050899d7a98c5bd5c643375cfc555617b2edf2df9d3441fd155495bad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
6e7a97c4a2d2ef0d88c930d5720c42a1

SHA1
f46bca3f7886e518d59716d47b358cc09bd23959

SHA256
ed0a531856d545b2dda6192634291a1ccbdcdd208a59788a24436daf1a4ac52b

SHA512
a0228afa92dc6c3da953af2eb0af30030a47e77505a66e0500bef0ff645e75d6929c508ca46e40fa2e6667389375cbb0254a365a90a6c649b187171fd959cd8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
0fa5d35796c4223aefe5290a51801c9d

SHA1
d113a5eeac09b4745bf6d44df7b4f81b90051afe

SHA256
9b8d369eec256988dbd5ee185f0aab0d5c5b3c44058c2b2a39f455dbff83b5a2

SHA512
a13d38b954e23a56cc29e4a0c09a18fc8bbd65ae0afe38a25650a7d01753d4db30cfc6b9e150b24e8514d2b7f041c5c78ce08e7d7615213b4aed2c73b2852690

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
39ca1b070b8b67d0bdefd40e909ac0f8

SHA1
ba41d3d6f4bf403700ccf6ee32add25f9b9b2aa3

SHA256
55e9de3c66456e6eaef328e1ba78523847634f24ab041ebe7d52e0fab66a3d33

SHA512
441fe4207f5cceb7eabb9d227a8ac6f69b8405ecbdf15bf9cf9190ab6111c154d4de5eec50cbb5dbcb8502fcb7ce1bba1105f7e995f29adfa18f2a39897ad444

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
dac1dd7dc7f99002c18bb714692e68e6

SHA1
7a5499219ee7667b0aee0be073e9ec5faac7b30c

SHA256
0be80dbfe80aaf7fdd53397ff380bff1f46cd336ea3f2684b944af9d45e6ae3d

SHA512
3fcf5c663826bd3c7ab9fca9fcf718ae2963764a713ae614c2b1e93efc9e07d2a693460c21605d6a893395d24366153668f0f4aa270924d909e228c19bb3a976

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
bf5070828cf4625bf209605af0fcc65e

SHA1
f0033ca611a5c8a93356b55638a544d5812896a9

SHA256
5aa39dfbcb61d825129a08140d6d2d826351a92fb0cd5e6e414a27549d0555e8

SHA512
68f7dea53a117ca8565ac425d9eaca83a56bd69d6438112c58af15ac5fd210744305439d65227a8a5336071df6da14962f6416465d153be25febdf943acad534

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
0309af01ff3979a6d05c35cf08014d9a

SHA1
9a7aa2303edc8143941c51445f2cebf439491cfd

SHA256
6f7c6a70ab9c7e577d9ac9c36ca54c47477017f909372afa7f569d6c5608596f

SHA512
4bd544392a4f51418fad726c61aae770ac442460b83a80f097ec0c47eeb054ecd1b7ffcfec448f1f31f2ff0e92d275766f4b6f1fc120ec0dface5274f99e85d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
84d90ca772b881310c013103afdd82d5

SHA1
c38db583338d1386841d1627ffbbbae3e43f43f7

SHA256
e18b145e951da42f029a59ed46faf6ea42e2cf1eb4fe24d8eec9bca4449b7782

SHA512
cb61cf081fa528a44a465a25a4995be66f52368d20aee2c8534c293c17a68f80097834936ff15845ad389bfd04b180bef8e9980280918d764d438d6a922aa954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
84d90ca772b881310c013103afdd82d5

SHA1
c38db583338d1386841d1627ffbbbae3e43f43f7

SHA256
e18b145e951da42f029a59ed46faf6ea42e2cf1eb4fe24d8eec9bca4449b7782

SHA512
cb61cf081fa528a44a465a25a4995be66f52368d20aee2c8534c293c17a68f80097834936ff15845ad389bfd04b180bef8e9980280918d764d438d6a922aa954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
50d5a036dee7d2ae6ae097e866d25959

SHA1
372fd1ca97c277d9aed3a095d4a965d533260986

SHA256
27a57c9f2839bbd5257b0c8354ff669c56803f484acfc6c45bba6c80ad393903

SHA512
563df0e4a160146dad05c1d6e31b63de4284aabc3c7a4419bb190daa6f7ba1cd3b1a4e8a30b7f9c2441c2a95f6979ac95a8231d358721cb6c4efb49cb085c81d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
481430c51a65634503115bc1e8b63d72

SHA1
ed93e45ff8b922771a5fbf5b4983115c0d40e2fb

SHA256
9b5dbbf621f3d729cb2b187f085ae03402d92e6e5daf3bb0eaa0bb71338d37df

SHA512
1c9065b26084581692857b0a1c227f8598d98214d7eb9a531c26291305f22bf7616dead0b4bc1fd8c538880c89f2fccb56ddf1a372d2f58fe0c9a61ba1d032f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
6ddcdbe5718c93a23fb3f4c10568a8e2

SHA1
b3a59992f3846da2f6b3a534fb4cfddea58af04e

SHA256
5f48106821169bb5ebae937ecfd15fc9df5e0072a215a5346299a7f4bfb82cea

SHA512
08dc4cd6ee326acc16e3223e5c0833291336b7e6d8753133ce2c45a5c913e0a2058c6ef7999f5dc59452603abbe5dc4cebbb82857af564f52d7b711e50ea8df1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
71933f17299235312178b25a92f9f4b7

SHA1
38e7b1de7eaf994cb8fc1414705758fbbeb0a08d

SHA256
e6ba6e0f7fa9f2377c6c348c98f9fc7c91320fa6fba228aaa4464ab436aeee47

SHA512
f2f04b35f9306d965f179dad9dbb704603dc9d6221434d9aad2a218601c4b0135113c5a8973bb605f7beb8f92ade43731145b8f4d756e0fa584ca3bcce7b060f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a9cb4ee6ecc52e3b4f94579bdfe82753

SHA1
df8058351df2351870f8a7106634a1ab5c3184f0

SHA256
bda95d463a2e184195f238391a89d685719974a554f688a0005e50435c5157a1

SHA512
28af63bbf70d82825a0f236a250735fd7f07b4616c55a5339acd10cc3975fb70d768c347416168745d6f0304d100ada7c51e1facaca238e65f681d63f0f907d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c1d61dd0aef5e871c634ba97cc4cd9ac

SHA1
14470cd19b3076a0d5202e55bb2c8fff7b5f77bf

SHA256
a66f6ce89d3ef7ada5c7d41d8d4f97e9978347ce62e090696361485ad43b58d8

SHA512
a00ffc63bf171456cbb4408054d4b8d1644d837a66825aa6bcea5b38162c5b83584011257a0e3ee18c5daafd87704c8ba0e2f3abea05fc26061383b5caea7845

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
a6377b97ad628bee252f1b1519eeab6a

SHA1
284e7ae33fe875a872ea258220edc7101462db03

SHA256
ec05907c21eeaf2efdee2c1520f8476b6949e8583e2004ad3ede09ddf8d1cff0

SHA512
ef8e19f9398897799bf0ee445c890385fa003ab527b9af12eb984ded9f6d2a03fffb325994b64001e9153582af9d34cd778cae4069012e6f6cc5966f74fa5ce3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fb6ba6cf2ec8809ad1f9c0bd88812d8d

SHA1
b3a12075ef37287ce5aceb94d41ba928c2e9f2b4

SHA256
7c2a5b744bdffc047fff200d26bb06c19164064255fab10894862bb27b94a05f

SHA512
48d81783b96ef223fc81726a72fbead31e465b51017b2c6e80b36f6e86450ed600c8e0fedd089fe51efc8e95dd58750cd3a4b510560c10de57b8010d8b25efc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
f1506bb147ab88c111484a001319b317

SHA1
77f69a278b66f49788fe5421617c42b26645ed4c

SHA256
25fc1414a115f4046a22b4afc2ffa78f1109ebaaa04a782fd5b722b865741581

SHA512
3eda1561ec98b5fd648dbe144941fb54f74c86d8d0f95d69510219d1a8a5dad8366da74f5d26cc9fbd9c6c3c6094aec143d885ff50b77c4a963db640a8858c0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ee15ee605a080e5a5d4554a1b9fa182d

SHA1
0e40900ffcae83b4072ce2666293744f224bf966

SHA256
a011b66d4c35694dac7b3182882480a572b2866ce4d0ca799eb658a9d916ce69

SHA512
632f7438a4679e3eacadbd561316ac2f11f93bae9545a67a35202a5089d098e8c07105deb980cbb8727c3362a8ef469cdf1ad789d2ffc986e75c09a499a91a17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
7055c57aad5e5e57a4b09f0cde78a07e

SHA1
f0dff1fb5ce8c70013bfff35291c1f96c317ae08

SHA256
62f6c65082f195bd7bff0e693a0f36840b6b2fbf3187773779e7f062434313a1

SHA512
ea9d0ec2187506190207eb03c6197e2f26b887bc71a84b75620fd603af1ea087914f0b288e05543d9ade3701001b273b683acee4e398b1351db4265bb5626dc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ac5fcd016dafa6d54961021cd1293101

SHA1
d3d443a83e127ee598e48c64563ae2853ea14c4c

SHA256
5e4de889fba1fdd802b74442dbee9df0e53e951fef7b5ce4223e1dd400d00b90

SHA512
8551bc099464d71f51258c2d870e13857fece78c71fae2163f4fe01cd937e8b2933a8bf38a4a8c09fc3538b8c4c9d089c12170437baa7764a31afe63a8bd362e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
97c0a760d5a44aa2cd3ac2ffb9844e31

SHA1
04df881e7f056ccde2a4647fa70d0894890de4aa

SHA256
bef16e51f1fdc62edbdbdda15d3432c6ab758d1709b33da3c7cbe063d8daac64

SHA512
9ed970cac7f27832b9985f9394d949fea3be5d7a2c27b4a51bbad1f52216bc69b52b726c3a67383853d64cb7c1d224b78722b78494b6d4f37223a5eb46b8b1bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
226bbb35e5bb3a426f0fac38cec14504

SHA1
f0e0585fba665949b82d628f200c13496f8e7765

SHA256
45a6df93da582198dd7734bb5307ad4f9255e4deca69e8118408146caa790a24

SHA512
f03cce1d42b16ffe712926ad61e0b470c1782a92497be7517f6d4b7d41d6ca084dd81f6d96f85c25a02343d9e7aed8e4598f724ea2d557c71b5ac8299ee39a30

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
10dc299228e7c5bae1cc90391328c325

SHA1
03a3543a297a83e09ab6def33d46b9be5aa410c1

SHA256
f4a16212b4e404e2bf5358a9cd318ef86298c9b3a4c4c7210b773016155fd2be

SHA512
2e98aa4f346a6613812f157bb21410d8e4e46cd667206eb9664a680b4e0e8334c1e19ff5518be263e8deabbf57ac86bab063eb070f86d916286e9a94f7b58aa0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2a310a699f98684d8a6ccea81c220b67

SHA1
8296ea63ac3312900a6623449cabe597408946b8

SHA256
bbdd6e2dec62a3c0d922edde183687da0b574bfcbaa23bfefcf39987c50d4cb1

SHA512
c0e54a5e48689abf93cf555f2d14c8838ef2781087460557466d19a35410a53efed2c663af543cab8c27a247efbc82a69de1767425cccf5edfe869c7c71d7d29

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
16c5a356efd2170ba9df8d40c0cca38d

SHA1
f86355ee11f41e13c8d9bed47bffab05ca44cfdf

SHA256
56678ba4836f6f2cf033a50aaeb275b07e5f601e2ff3ebfdf21d91c00c5459d1

SHA512
dab8f5286307a32bb4d1ed662e511e098e78d8962c8dea184c945666d96b8063bac5473615e3458777dbedf331bf2104d8c4297ead50561cc73abbc5233e162b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0e24966ef0bb3de0bd7e51265be69ca4

SHA1
28d4d6f6fb1c34e1304c9fe569df121c84121cb7

SHA256
502c49c1f67d77b36127c7a9521d5d2d00d7028342deeac1cdae40e472c8dedb

SHA512
1bcdf7b0e2f39ef78dd61f09ae012a237cdd0b46d949c58b8904a0c9c869ec7f7f5d9c130dc6d577ca173ae49592fc41e9bb75847e51396843b5f614a6099e30

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
87f1802ea2936a44eb808e928e03e5b3

SHA1
80c2ca56aff9ce3a7a0d0e6a5596c763d659ac33

SHA256
82c488b0c1398e59ce2956ee53c814455cb3399f3a8e6a1dbc70334df23df0bd

SHA512
4d9be952d4adb97b62009b677bb57f6514545c07e21bf666bc488d60d8078dad7cc190046557b2a07d7098fd135ee09dcb1044a300cecd57339c2da105150305

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
0fc96424c08d8d0c6ec0661fde3378f7

SHA1
57dfb2b09ab75b03fd8e5710182c98df60582d5d

SHA256
abff90a6b55413279b6c9759d6f80c59898b1fc3dbb65f772ea66d931415b64d

SHA512
dac75635b2715d6addf428e7514429312b13664377802c7184175a61f7b85994f57ab41e305fd8aa5148ccaa675e39f73e7bfb49026a821149890cdf5fe02a8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
626cca8cf84c64b81a2d6fedb29ac902

SHA1
a2bb69d1c78241970f81aab68850a03483ee3bfa

SHA256
5e6436da69fbb601cb5d32945fe5c1c25db131d609309b486c42223f08fee2d5

SHA512
9e821233b5cc83bc408040b3eff94fec81ac9bd6c1e0461126654d093f3bd20b121e022d50cfebee1214a66402911e976e75e25817aed995b536ef1c9f36cebf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
f1dade19d70498ca3b8cd6800782317c

SHA1
b73e2e161c75b3ec617bd3e87107499200ed1111

SHA256
22a5c36041c4d4d564c8d7abcbb50b13a94153983239ec23469741cab08df18e

SHA512
2f23b70c542178b2694a795929d9a69518dd381f0c8e515f140ad834256ef7d45c8da9fcc1ee350dd5e47e75e1f23553c6e0e02075890a237a3c14c0c641dc69

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
182KB

MD5
957ef6168c05d96c5518096a0cc8eefc

SHA1
eca115feede3c8fa65c3437bb7e8bd5d3ed62538

SHA256
8aed0bc552a888ebf180b7701666559ccb3628850b08bc1261b815243b59ea9b

SHA512
e0cf1f50275821b74f748dd3204dc5c0515814192d67f0e956c2eb0089ca1c12a844f622440632f91f679bc2604ff5bf5dee48d4b0dce349fb481e11f8b26e41

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
182KB

MD5
957ef6168c05d96c5518096a0cc8eefc

SHA1
eca115feede3c8fa65c3437bb7e8bd5d3ed62538

SHA256
8aed0bc552a888ebf180b7701666559ccb3628850b08bc1261b815243b59ea9b

SHA512
e0cf1f50275821b74f748dd3204dc5c0515814192d67f0e956c2eb0089ca1c12a844f622440632f91f679bc2604ff5bf5dee48d4b0dce349fb481e11f8b26e41

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads