9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
Size

189KB
MD5

fa1708db7d7d13c8a84c6fe88b9f75b5
SHA1

cccaab060b85af3f0e51c06e342d64e4e2bc5c67
SHA256

9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a
SHA512

1533d7e13c24a669c7920097d38b53d325a6f0785741c6ad559ca807669bfb6675cfcf75d6782df59d3d475f42058a2537a8d468a6da55290531e8d02a2bcf12
SSDEEP

3072:rimsXXK9HRTOeriRfP6pXfSb0dspqc5oY0htVFAHT11Ual21Cxcs0HKAH057kyJM:riMmXRH6pXfSb0ceR/VFAHh1kgcs0HWq

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0003000000022dd6-133.dat	aspack_v212_v242
behavioral2/files/0x0003000000022dd6-134.dat	aspack_v212_v242
behavioral2/files/0x0002000000022dfc-135.dat	aspack_v212_v242
behavioral2/files/0x0003000000022dfa-136.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
4616	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File opened (read-only)	\??\K:	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File opened (read-only)	\??\P:	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File opened (read-only)	\??\Y:	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\G:	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File opened (read-only)	\??\U:	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\T:	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\B:	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File opened (read-only)	\??\E:	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File opened (read-only)	\??\H:	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File opened (read-only)	\??\J:	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File opened (read-only)	\??\Q:	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File opened (read-only)	\??\R:	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File opened (read-only)	\??\V:	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\I:	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File opened (read-only)	\??\S:	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File opened (read-only)	\??\W:	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File opened (read-only)	\??\X:	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File opened (read-only)	\??\Z:	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\F:	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File opened (read-only)	\??\L:	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File opened (read-only)	\??\M:	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\N:	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File opened (read-only)	\??\O:	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-keyring-impl.jar.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Reflection.eftx.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-pl.xrm-ms.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\WPFEXTENSIONS.DLL.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-phn.xrm-ms.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\OSFINTL.DLL.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\javafx-src.zip.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jar.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-oob.xrm-ms.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\Office Word 2003 Look.dotx.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSJHBD.TTC.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\prism_sw.dll.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticattribute.exsd.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-pl.xrm-ms.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-multibyte-l1-1-0.dll.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.core_5.5.0.165303.jar.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-core-windows_visualvm.jar.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOSB.TTF.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\BRANDING.DLL.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.nl_ja_4.4.0.v20140623020002.jar.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Ion.thmx.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-oob.xrm-ms.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbProvider.dll.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN010.XML.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Sybase.xsl.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Microsoft.Office.PolicyTips.dll.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOADFPS.DLL.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinStatusBar.v11.1.dll.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-phn.xrm-ms.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-pl.xrm-ms.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\msipc.dll.mui.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_ja_4.4.0.v20140623020002.jar.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_zh_CN.jar.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-oob.xrm-ms.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-phn.xrm-ms.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ul-oob.xrm-ms.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcp120.dll.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul-oob.xrm-ms.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\msipc.dll.mui.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\CopyCompare.mid.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\resources.jar.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_preferencestyle.css.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ppd.xrm-ms.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-filesystem-l1-1-0.dll.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\invalid32x32.gif.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8FR.DLL.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.util_1.0.500.v20130404-1337.jar.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_zh_CN.jar.exe	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 4616	4316	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe	81
PID 4316 wrote to memory of 4616	4316	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe	81
PID 4316 wrote to memory of 4616	4316	9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe	81

C:\Users\Admin\AppData\Local\Temp\9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe
"C:\Users\Admin\AppData\Local\Temp\9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops startup file
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:4616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini.exe

Filesize
190KB

MD5
0e076d6dd146eb10c4b4aae458945dce

SHA1
95bbefb6a54fa6cef0a2bfe4f202546c2dd7fa6c

SHA256
418dbf92854cec0f63098be44441572fa94d5e239a975e3d8c54fb206a26da89

SHA512
6ac1c4341f29427ea13d37f4950e3d37db2a3c1241cf207870dec93d8ee45c80e1a90377c22415ac354abf984973c589a4cc2420e1671004c0795394021f6382

Download Submit
C:\AutoRun.exe

Filesize
189KB

MD5
fa1708db7d7d13c8a84c6fe88b9f75b5

SHA1
cccaab060b85af3f0e51c06e342d64e4e2bc5c67

SHA256
9eed1ea810666e527f27df4d39e1a330280b569c42df87285a83dd0e27316e5a

SHA512
1533d7e13c24a669c7920097d38b53d325a6f0785741c6ad559ca807669bfb6675cfcf75d6782df59d3d475f42058a2537a8d468a6da55290531e8d02a2bcf12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
b4deb1876a4a4a6bfbfeb63932387e41

SHA1
a0a0268a6ee21650f5cc0ce09e83048cda9cdaa8

SHA256
833552d41dbc50ea4c8089809f8d490d113219e000f7a8ad68b67d536a1afd02

SHA512
72c3ce7652baa688fc4d5cb86f7adb442db97aed13ddf5de8e7298e420ed6c5de218e571ca537ac43497fdfd2db239c03a407a9c8fd2889dafe48042cec77ee8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
cc9c1b853720e99cd5c8a75187ded772

SHA1
d5c385d0a588e047c1fc4342daa7a623bd4e1ac2

SHA256
77536776d03fa161f64a9d41bdcb83520da8db1094886980bf5429869abb28de

SHA512
42c62ae26447ab286c197e1f879fb3135ab2df2d040995e5dd7e95a5b82dec99f81cfb793052b169dd00336cbad14524966da2dfb0d3ccfc129c3cdad611d3cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f736109149f8ee5e4c3d680d04a498be

SHA1
5ddb86c3ddd566b0f08c2e45d4b1052b128afdb2

SHA256
6d8fa7a0c5992fe8aecf084917df17c1d318a87cc16f1c8652102aeba7f72d52

SHA512
86ef36410e4e716a83956ee057fa111ec8c9aefbdb66ddf792e5b4768d05dbbf2a3526aa4e424f1bc3baf5006c7ad17bac8bf94298f7d89a2ec98a9031379b10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
83113bded43d8935a415e4a9f567776e

SHA1
8b34c2d2629505a93906d2132c486a6fcfe38263

SHA256
3ce3f2bf4a4fb883f6418da5c5c05dba2dc6511cfa66c968dbfc88204896f9e9

SHA512
7f0bfa1a3191afdbe7f71a8dd0970875d012cebe7812dfe3a838b4b122189203cde18ebea7404778d3c596a75e95bdfd11d3c72d974154bf2598f4b49490665e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
40190c6771ff8d53bab2c0516ab5b8a3

SHA1
82b64fdd02239da8b1e7c0791c96d0b233e28e3e

SHA256
559df1ee2f2a09a407dc3d7e6bb8d5d52929b6fbbce559445596ff5418af006d

SHA512
a294e49b2816c583f86950dc1c84f3d132c0fe1ca29bdcb1ebf340b692b4810b307765790fe00e6937010ba500a0f27a97ec7d6fecf769e531e0c007b35316de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
02420906309080a63dab21e3b20f3002

SHA1
ba47a961c8de7482142d146ab821c526e2f52996

SHA256
f7922c415089f9233f0c99ed56556000723c2e47e59ec4b373709ccb18ef2562

SHA512
93fd1d489cf1dad4ac9089d9ebfb7fb8264888ef967f19cce0f73d965a0c3d2fe5b6137184507eaff513406f0e32b7ee2221f81cd253d94d7f30d6c26b558239

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
02420906309080a63dab21e3b20f3002

SHA1
ba47a961c8de7482142d146ab821c526e2f52996

SHA256
f7922c415089f9233f0c99ed56556000723c2e47e59ec4b373709ccb18ef2562

SHA512
93fd1d489cf1dad4ac9089d9ebfb7fb8264888ef967f19cce0f73d965a0c3d2fe5b6137184507eaff513406f0e32b7ee2221f81cd253d94d7f30d6c26b558239

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
cd0dda21af06056329713f346032e231

SHA1
74c47a592641ee8eebc954ecd0f30cb2d3f7db26

SHA256
125e6da4f7fcd560578c3d6ba6ccb0edd91f337e06dcbcf20d1b096b5ef987ed

SHA512
83414b7ddd822ef3479fb8ef3472d8d06fbf1f4208615175fac17d8c41ab231ea7a2148a010e9522692df03a1a561eda4413c28a59930738ddc571d71828703e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
33359d992e3245796dd221a3b69e2c22

SHA1
3ccbc22a83691d0e72932dc36959759573b9673d

SHA256
113142a6740750d898a5c218cc7e9c8fb89ab556cfcc49203ab0c9c868af0fde

SHA512
ae65fd12156c35f701f12e975e8a1f436b92a2c0f9ddadc60fc00a58ce15738d301982cad25c4538a18daff034e78e7e32a499f035763838c04a804680a837b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
eadf3c507c6dd05c4f93e1619b4e2ed8

SHA1
469660d96caf2a3a3649f52733ef5751c7f1231c

SHA256
52bdce413e4d9bff988295eadffb3c3a225bdd2822c658df5fdef113c6b94409

SHA512
e5196dc7e23e95b2b3702df7dac147f0a5157484a39c90c25f404e987901a027ccfec0143b2e05515ab93f600b720ab905bf6a682afe022cb1d66843f05a9927

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
cdef78516b80581da95dd33eae988cf6

SHA1
0dad97b5563ca28f245075955299203e38ca59a5

SHA256
723a98060a6147520be49e525f10443a98e471313f546a008338511b35bce1d5

SHA512
fd7f666ab5f86b22d2794bcf533bac1bcd9483bbf8f6749345f17bf9139d5264efe8340150f96d6be5f169585515916ddfb6ff35053c651f3bbd4fc64bf330c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
462abb6646619e8838b04ef483d1a3d0

SHA1
37e3827b88734bf7d852bfc72e90abc7baae2924

SHA256
76bdd4733381a767c52804e907f7bc025ba0942f50170fe575c241d176113412

SHA512
520c3c8ccfd1fd6934e73c3ebb42755a452d5e3e743b5e10077e1a54ee51aede49f40599baf2cef9d217b08872f46b9abb67fd29ebc608b0d92fe4fd543fd1ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
78ad6fee14f3b75ae98e4d409e8d08cb

SHA1
d979156a1d1f333c60e1608a138ba84aa0ccf5e8

SHA256
e12c46c8bc205dae1a8cf630d35aedc7d33c7fea24152222585fe8882d448158

SHA512
a1692293d93a8a073c4c23a8c1cf4f04c7cf742e960f00b7c543ab143e5758c288a7a067f1d7773bfb5b4a1c9acdfe59b4dcdc6f2d86ef24c03fb5f4fd7c4874

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
621806c8b25c75ccccf05e53424a7fa6

SHA1
a729984627a96dff72ba9ac7b78339567525e4bc

SHA256
b00f6130822f9736040e734c4722be02e8557c8fd3196c4b29db22353ee545f3

SHA512
665a8e04d68677d98b0640f935076183000208653723ad7308e5dede8df03556adfb6fb917e6a91001ecde428868bf821c9707db03012afccae9d2309359393b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
628e2570daad36d586ed82e6bb3669a9

SHA1
be038f0f07b16e66209092ee191c40451d189035

SHA256
b8cfd5afca168bb45131b0b75819eeaa99af29a4a950a61d7c1a4bcea7dc634a

SHA512
da0018d877e080f90e9d139cbade2de4345578f8ad2785090102ba0ae89973c43e618c3fa70b4dba65721c25dc1415f2229ff8a756cd02088781b2d85e1ce3f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
32d900387e1d177d2b5840040fe0498f

SHA1
639268fbdcba16079d28def4c45773f8f9f7c0dd

SHA256
d462550e99f56abe1c9f4f180d571acadf97d28908b4e1e5da0f63763e67d7c5

SHA512
eea7577844c26d806e999317dd98e0086e7a01a4ec5200815fc825581d2ccda7cdab11ef07af7e55f2b9d1b071f07cdb60afbb53adaa6820f929fa167b3b2dcd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d31963451cc5b64dd5b4adb3b53ba9e6

SHA1
7b96e434dc016914f5318f65014886460144e813

SHA256
62135404a3d7e4fdf0751fbfd584ebb5a9f14b70a59495c4549fdce524ae778b

SHA512
2281b59ec60a68dc77bfba640297c996aa2718f673db98e7fe4c61d90466b082c63bfc34e337482e120ab4b1042b81cca166b8f8330a3fc6c18631f738a26311

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
998937e8fd3f3082428b997d0d150ccc

SHA1
41e04ea5f86ee5a51889f5530804c9df0187075b

SHA256
a8f1e6cdf532d910edb7b5886cd780b0679a3941d4b9045ebd50a2053ddcd78e

SHA512
54b6f9cca92c9a6a37cf88782dda2bfdee8990f2cc96e8e1177f0c503fc008315eb2828998160ec6dca53d1e25bcabc5b08671e7ccadd2072f0ed68a91bdb245

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f4c83394f2a61fbc4ca7b58a8e5d7b46

SHA1
35ab63d7b0a0ea7464717ae5be5545ca6204deb6

SHA256
f5b242459ba6d4f952f4072752e4b5bc6d0c5459e714944a2c9463c485d49640

SHA512
4b32a2aa563198ae93f124546bb56b7e3e646464621c2678baf5b01da5ddcc815b75947c017abf669f1f21828daa8e473512c8fbca252a673a0b51bab76d0df3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e9d603bcf65a8ff6869197a021f28dee

SHA1
7fda4e021f913c22862f9a2d6b8c8d32be9097ff

SHA256
777f21a05b4d5c9ad361878601b76ec3e74b5af2d9fe1f832d3fd05a7ef157f6

SHA512
507c56c7005684aa05c36c0f68da0fecbd753a385381cbb99edc25c931a6b851b34591e1c490cd4c268bf03e0e5ae5b654c8bb6c43d8259d0a3dde54ce8f5f97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e06b91a34f090a42b8c877212d326c28

SHA1
2318800cd9873ce6e1f0a4349c9d5a18956ebff6

SHA256
5d8ebe27b941fa807d273b61b840978aeb2224d9211ccd7ca640ae47c259b20c

SHA512
c86fff397ef50c5d674b6d8687ab463fa8e3fe1c81ab34d6b2ea8c05583353409f00be435017d30e7a2bdef48480c5106acbe1949894cd6dd54f943debb98ad3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e06b91a34f090a42b8c877212d326c28

SHA1
2318800cd9873ce6e1f0a4349c9d5a18956ebff6

SHA256
5d8ebe27b941fa807d273b61b840978aeb2224d9211ccd7ca640ae47c259b20c

SHA512
c86fff397ef50c5d674b6d8687ab463fa8e3fe1c81ab34d6b2ea8c05583353409f00be435017d30e7a2bdef48480c5106acbe1949894cd6dd54f943debb98ad3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4fa1b3b947ae494eca50e7fb1f2c4255

SHA1
8f989d26f9c0762e749ccb03cee8438a0a8df143

SHA256
491f657f46e2914ae40bbe1b5b30005a8acc72a9b84bdc2fdc6b7ac4b5facd7d

SHA512
ba1cf57df11e6441d8e0608be9cb40b7d5144bc09baae47f52b3a905d1219642f8e0fb055eb266bf87393d3cb601409be83f1e0ab53f131c42b83834295a4990

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
52619491cb2bb0a5d40a630a82d65749

SHA1
ae1c9eabda1bbb5cb3e1bf3ccb6ec66561a228b5

SHA256
99ee350b61aef33f379375166e342b5e110914fab874d255ccddb1c58e2dfb4a

SHA512
ab544a229dfe84bd7c50651821589289112a5e195b0e619a465ac5f2232306216021754ed49ab1e3ba335ec0f850d0d731a0fb10572bfd4676cf0711a15bf4d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
088f56a2b660aff3c2dbc8ce5928a85c

SHA1
c65a99d437bd7efe7af1b93be99ae8d1fc9bb441

SHA256
9e700fa368a7a4a061538bffd2135c57f75bdeb43f46b851b73a4b67711e87cf

SHA512
a8f488cf79ff50d793b52542663d0ca064f8d2ad9168e1c334bea0c2c0421a928dd795a6c10331cb39cd413137e39007880ff4cbbc4f69fef3854d388b29919b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
96346091cb684171c2395978f4d94244

SHA1
6525d1b1c81257b966f8c40989d0c4c0062746e8

SHA256
4f4039056ce0ab59ce46401618f73ab5fe32829c99356fd0c54a251ce88af46a

SHA512
a08b294eccbf8e991aea19702b40f7c63d9134498dc05f4cd6ca0db832e624e85cb12d852547cb5314f5edb8915f8b338ae59fd4a4ff3d988ba8d7896d6fc4af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e9706748d54cbba1d324ecaeed4da710

SHA1
f0604d23504560472d9aa91c979b0ff5d17fd072

SHA256
9d66dafbcbd9de248eba790daa692abbe92440b24aaae702893a1eabced04b9d

SHA512
0e6271879598b03dbf1c15060cc93ceaf39d6bc4a049fa888cc30e0832393b09c051926ecc8e24fbcdef44ab23a3594af29a9fb03fae891c77347a3c0fc92ad9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
6cbb7a103646a3e0aa3fbc8e5547f355

SHA1
3aabe7117e4f04ed9d1e96310d6117cc56269589

SHA256
ef74b647e683aa38ac4b6ddb729b20d6621c655de0ae55f94fee70529bf045ae

SHA512
3b52c602682ac4ab826ce85d64b57f5c4fd776c85e2564cba233a238c83b2f9038e7fd43fdb6868d48fc68f31de8d5fc864e537218c467f229509fc13859c2f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4e8f13f28bbb878f31cb10e9eb392941

SHA1
907fbd0d920646e892162bfe965e6327f6160976

SHA256
9dbae711a221eb374a9022efa8b1c8c9e322b6ab47b2c75123b675975c65f7fc

SHA512
3d8148c717e9870ceccf3abb917579d4b7664a2dd60b1474406c7d30dcc951a82b49e0f5faa5bba4f51b85af29952a7f60f091188ebd976dc1210cf06d860512

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
0020c9454cdb84b38c55d6014af4469d

SHA1
ed46f2478b3d6252139faa9c3dd28b6c08804e67

SHA256
a9c789e10b1e9e36c306ef8653e537afe0715a3d371bec916aad605e68f0a6da

SHA512
452eb0e029eb4d04553c025a27fc8d86fb256a4815dea70e16a49de31257a8d60a1bbacc8ebf4f8737feddf5413cc6a28664bae6d5abc9cfd101bef52eda0215

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
877fe4cc0569bff8dc7ce1f85316ca82

SHA1
1129b07acd0b5c4f9b4db0586548b426f818b4ee

SHA256
da9203a127deaa0d710a5637fc479ff16efb1d034126fb4deb3329199556c1a2

SHA512
baf41d55759aafba2003443e6f64cea0b9ada1a7771cebbd34e233ceb3c55855b1cab3914acf4abd2b0b9d70b76f6c3e645e74a8405f724d92324352b3635334

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
2722be9583e3286cf3e8cad565e10c08

SHA1
c84dfa9229c1cb0ab78a1238c8518e3aa22b83f5

SHA256
4ffa168a156a4b563b000e3741ef12deda33e27de13d6231f065064f0179beac

SHA512
2a63bb3cc4e6c7200ca866378c77ac013dc5066b7efd5562fcc9ea701858be91b9e6e8873b7bdc6018577fec46543f0381fa0dceb4d9f6b2016c9ac71fdbc0b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
977d7d5c20b2b7c5ae1dbcc81bd9d237

SHA1
ea85761c553ccd62aa81b9c44d82fdceb3eb6a4f

SHA256
61d45301ebe832f9566b035fbd14bdf40a45c606d9f075d5803dfc6611c2caa2

SHA512
5d82d1ee9ce01e8185a9ea0c7760ae8a6b4d9e7c86fc2efc642e16dd45b7fbf8b0339152bc0a6fb1568e03ef295ad90e0cf8baf70f9e356d75b5d53082bc7b9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
977d7d5c20b2b7c5ae1dbcc81bd9d237

SHA1
ea85761c553ccd62aa81b9c44d82fdceb3eb6a4f

SHA256
61d45301ebe832f9566b035fbd14bdf40a45c606d9f075d5803dfc6611c2caa2

SHA512
5d82d1ee9ce01e8185a9ea0c7760ae8a6b4d9e7c86fc2efc642e16dd45b7fbf8b0339152bc0a6fb1568e03ef295ad90e0cf8baf70f9e356d75b5d53082bc7b9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
23b67f94b4de02b5d841d5a06d2bf106

SHA1
3ef4a3c79e662ed87680daaba4f43392611f66cb

SHA256
c62149ac601449dc74073ee21950fd30e651195a53d222f18799d8d1d105ece5

SHA512
da206c129544bea99fa79eb92bb8fe5d2e2042306731de2bcc179de12b9f2cf7c2a560f405709d3df25aee1a7e7f62fee3235827985ad54cb4e0fc9d41805a83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
7cdaf88d7ac1c9aef3a6f69e08b68657

SHA1
6096af6ff882c5d0f59f9bf37d087219a61052fb

SHA256
e7a222ea53d3d32336eee5b5122e4cd797adaee8772e7f4335505b9f429ff2d9

SHA512
e659960ec9961594961d8c93f793963f09de3447f60d20a96549085d1c09da9de3645c48916b05b42f817f24e8a943c29b0a9a0229201cc2ec28969c72c8b8e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b32f9ccb713d772be36f1a1a370804db

SHA1
54cadcf4476e64a7e2c76ab63d51b9f123d22345

SHA256
190f8de7294e02252e94f9bfdccca8f9b1a4230a04d58fad98273e224a59d484

SHA512
18d2d54ad95b7550e54a5f34603242a5182b89aefce7def5444bf4b32259d30c305bc04dfc28034cc84579871969aa29da8bdba01a921ec3447f42cf5bc3a699

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
3c4b635877ea79778b0da692c7110320

SHA1
abae3feea8a1a455a967b4e8abbb16011d9204a9

SHA256
69319b02858981cff0022605461a74a73d714048d7a941d610daac7c7af369e9

SHA512
de8a7be74443902ccfc918c0aee90f57d905ab0a021776b46598a20b1ad5a55f14a7cd1c6736573d4cecbd8e9c6ebc3895953cce2162979c0dd115b6e61619b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7874ce6c39cdc28b1c5271a82614ce40

SHA1
14a3f408f878177460b429ad87ef1bfe7547cc6a

SHA256
17fb3a6b6b148affc2f00ae35b7c6859958f40e6457e08cb1201e8a73f2ea30e

SHA512
0bb51e9ed6b262159bbc6d96078cdee9a7ed839ee4a0cc1a15da0d401fd7608829995ade96102870c677673c5115db088e3f9d358db9a4dfbcd89ecc76c44e06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e7338ce71234d6507883086abb1487ac

SHA1
70379ea5fb44ac1ecf1dab77f5aa23e47e8869db

SHA256
31ebcd2f4901c69976c98f934d079f48071176733bc0a7687bfa9b37fc534e33

SHA512
a4728ce849ef68cb45c513f8635de04bc9b0e41407bd66085b61dba2d39b35d273d74e2358dbf7265bd35da1891f8b352cdafcbbf6ed35ef1e84597078334926

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7fae17aa7bc8d156dbe03c89ad14b29a

SHA1
754fd8f50ca903d6cf41e2a18e75f09cf4cdd022

SHA256
aff6d578e2f3261b8853a808c846f1672c4842e1b52836921540d738e201ccdd

SHA512
20d712eea9b14cac8f59bc682759cfd1bf6891678204c9e69710fc9679cb1d4d9fad2082ef3932026e6c7268c9f8cac92bbc521af0104004ac76538d2d83a7cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
2471e5bd757cca515caae4934371005d

SHA1
80b2228388510fe2f93edfac77831801d1902f8b

SHA256
5a76df8633e5509fb1e38d43d7145b1e40e0753cd0b3824f514dc198e79ae37d

SHA512
ebeaf7508e137e3ff60793275be02bcfff41a88f347b8fba52c99badfa3fdb19d2d9630d6f2a53cf3d9a3ae65341617dd7fdfa5366747997a2af39421767a106

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
76e03d7cc988191ee3f3bf7e8cd66b11

SHA1
78134bec836ece16694a05bbd1b1fbf68efb2153

SHA256
1ef7adc5b7aa708140d0ba9db78bf0dd72401001c6784a711cc46b359066bf89

SHA512
3da58888a038b7a198adcc33964bcd29f919bad21f5e4e6327b744b55625c13bee9f93b8e496b0de6b9f3240e6bf51b6e250b5477e3f6d2cf71b9b6b08c0bad2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
6b1080c493cbcb817f276d052fcb6ba5

SHA1
7795b898a5bd9e2f9acff8be8b7affe2b993029c

SHA256
cccc29a750c7f8cf8079e8a10cfaeddab16a0b3034e45c9c949452d3369798cf

SHA512
59d84a5e62c9bef98bda5c54e3a510124846643a7e9b64fb3dca7eace8e07471c9e916aefe87ba5984f111588326c44ae884db05d6500ba30d868734b740d84c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
cd0755dffb34b8d30238c88ca44d8578

SHA1
ac23e8d2ba8ba1564dffb0b97b737ae1e545778b

SHA256
a74de1ef6b9076813a682fc2722d545a299b358ede0606d41f9b874cc9518a21

SHA512
9d92b331404f9e3fa8a26b1d4fe866d73a283c9c80358c44c4bc858b188e02fd27a1c93821c630119c208ce9af8398c5a56c185f26b539b3d5552c9ae50f785c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
26dd15473a6a3266768f0ca2d0e3c829

SHA1
17c2116da8c199c7dfeeea06a0b9ba2d9c58a2c0

SHA256
9a8d71903cfd5c2d8b9cd4ac58d8005a7a904654eceaa5e5992b366613351444

SHA512
c9d30b61417088ea346a74ebb020ffdc6c1766d365fd89c2331ce0db18dc44063ede2804c877c8e1a6edf61979d0c2da18e6e8e9945e3397ea37f14c49c2468b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e03f925459944c2f105c21dddc6185fa

SHA1
3c26a5eddd63294983c9fbd1291f3cda1f466fb6

SHA256
236143a3aec9462abe2156ba4fd2652847feed0a27cf7fb68db1e719ea78d43c

SHA512
a83d33048b903ade42356ec54eafe57600eb658d0e74caeca6ed727c5180f95b582afd768352bb0f588cf873defebeb8f64e749df1cb95f6ce58d62bbdda2be5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
77d24fa92c216ba9c12a58c7cffeaf79

SHA1
f3221dde664fc598ba94f931f922304d7913e416

SHA256
c8e64d35f916821fbba296e896a90a6c247734f05c4c013a3b78dd8d677181b0

SHA512
17d7d53dfded0cf8c9b55a0bb8b8cf884d962876351e4a0cba2589990fd6281f76daca2246d8525030e592ac2e86dd616ac54f3cfe18b3183129af958e32127b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b50b81a27a568631af6f0eeac217f4f6

SHA1
beb43ea53a9a57ce364cca75969d485de9181661

SHA256
13027ce50b64d5523750011c72bd284cbcae48e4b4937c75d15c9b427b7a64df

SHA512
0a6d8672bb9f0f84f86c0c2f6c71f6e527d96c53d491c0489c0607376a1143540d9dadf0b85495be11f2e4626aa1949d4143cb886aa3910c06f3e3343e9c8506

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
1c46733607742108faba0e9a643072d0

SHA1
15599d06bda9048a59f350a952d4a5b2194248a0

SHA256
270cd82f70ceaef64a8cbbe34351d544bfafdbaf28dd2dbe80884877afe716fd

SHA512
e2a6f47c913603f9fb6f9d6c74c7d1e602748c21dbcb71b0a240f7144bff5333d0e881b554e1a10001a0ef2effd1d2dc5c1fe0c531f06edc06657b262ae91f3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
76440c18f1c20637010612067e24e9ee

SHA1
4667fab43c2050e0eee3ea3b9fd0300a71c8f810

SHA256
8611c3a96cf5e68dbe17826a7d00b9f46b1697041fb98a22d7f20c8daf1fd049

SHA512
ddf3970a8972931bd8f756b1dea869b43e295dad68281f15ed515d7b6d7c0108f78e73d976de12e59e545321a0ecafd1d3b1a0344040d97e71bbf128d25da4d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
af119a59e8129377e82ddad5c34fc7fe

SHA1
81e35b1c7f3ba8380b7c52382383ae3a40db818d

SHA256
73d61a705cf93ceb9a428dd401cde02056990d3aef71cb0366b339c6cddcbd2c

SHA512
f8fcc876b795de3f13016fa1e069e616e62a5fd43044a032fc3e0bc8c5f6754f3fc6ebeaa2a1899503906d10f7fd8d4baa1c357f2553d4dbf4f902229bd2d8de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
cb2b9867972d0f6fcf4ecfe3ffc2a944

SHA1
f54f8387c2c03b73eacc19aa259d89472cd53398

SHA256
500e24e952fc7cee118ede8f1b4424338a7b7c43d03dde63a5d55fff3a57663e

SHA512
c38d094ad8aa74f0cbc845db4b88c9447a124b7f141b56fca359c1ba968676a3e5eac4b3a799e47a07579a2711d735799d20711c11e8d784dd2f7680f3ffb7b4

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
183KB

MD5
57f260903a34bf33a2c503df61f9403a

SHA1
1d1d528c3f43dec5c9c7a20c8c166fcdc742e7bb

SHA256
49b3cd308e4da9f54b3b283225a13d962b27b5d033f8839fc7d36dc799371f10

SHA512
d9d226e0fb4a2e9b985be04a1ce20b3763305a8867648041157dec6216defd21ca1aee0f801e0e6955d891facb14a5d2047da5f47b4dd1e4b6a8c7131ad533fd

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
183KB

MD5
57f260903a34bf33a2c503df61f9403a

SHA1
1d1d528c3f43dec5c9c7a20c8c166fcdc742e7bb

SHA256
49b3cd308e4da9f54b3b283225a13d962b27b5d033f8839fc7d36dc799371f10

SHA512
d9d226e0fb4a2e9b985be04a1ce20b3763305a8867648041157dec6216defd21ca1aee0f801e0e6955d891facb14a5d2047da5f47b4dd1e4b6a8c7131ad533fd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads