71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302

Analysis

max time kernel
184s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
Size

186KB
MD5

6a404f069b1a1ff1d027a7b30f6ae6df
SHA1

c452c73fe28ae0374c879e21aba68a0575e2984c
SHA256

71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302
SHA512

15da397c5413fce271013ea78b2e03850c5d4d2b329c06403542a8872333d129bdf89281ba05457b3952b498aced53d8d0fce62cee65fe2d5b42cf3170cc7a10
SSDEEP

3072:rimsXXK9HRTOeriRfP6pXfSb0dspqc5oY0htVFAHT11Ual21Cxcs0HKAH057kyJp:riMmXRH6pXfSb0ceR/VFAHh1kgcs0HWT

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

ASPack v2.12-2.42 11 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000700000002307d-133.dat	aspack_v212_v242
behavioral2/files/0x000700000002307d-134.dat	aspack_v212_v242
behavioral2/files/0x0007000000023161-136.dat	aspack_v212_v242
behavioral2/files/0x000200000001e6d3-139.dat	aspack_v212_v242
behavioral2/files/0x000400000001d8ba-142.dat	aspack_v212_v242
behavioral2/files/0x0008000000023177-141.dat	aspack_v212_v242
behavioral2/files/0x0008000000023173-140.dat	aspack_v212_v242
behavioral2/files/0x0007000000023161-138.dat	aspack_v212_v242
behavioral2/files/0x0002000000022689-145.dat	aspack_v212_v242
behavioral2/files/0x000c000000016968-144.dat	aspack_v212_v242
behavioral2/files/0x0006000000023180-143.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
2704	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\G:	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File opened (read-only)	\??\Y:	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\I:	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\E:	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File opened (read-only)	\??\Q:	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\J:	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File opened (read-only)	\??\P:	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\Z:	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\H:	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File opened (read-only)	\??\V:	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File opened (read-only)	\??\X:	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\R:	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File opened (read-only)	\??\T:	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\A:	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File opened (read-only)	\??\M:	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File opened (read-only)	\??\O:	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\K:	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File opened (read-only)	\??\S:	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\N:	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File opened (read-only)	\??\U:	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File opened (read-only)	\??\W:	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\B:	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File opened (read-only)	\??\F:	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File opened (read-only)	\??\L:	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\7z.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.exe	HelpMe.exe
File created	C:\Program Files\BlockAssert.ppt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\hi.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\sv.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\7z.sfx.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\7zFM.exe.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\7zG.exe.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\History.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\License.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\7z.exe.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 2704	4308	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe	82
PID 4308 wrote to memory of 2704	4308	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe	82
PID 4308 wrote to memory of 2704	4308	71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe	82

C:\Users\Admin\AppData\Local\Temp\71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe
"C:\Users\Admin\AppData\Local\Temp\71c5d63a3b7c7c3e975a48f5aee416c9e33341c50020f97989f61cb96681e302.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops startup file
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  PID:2704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4246620582-653642754-1174164128-1000\desktop.ini

Filesize
187KB

MD5
6bc5b941220f2bd9420b0800d8ba5649

SHA1
ddda38386bc704c877cc25c1180a0fcdf0c97fa3

SHA256
814cb3d2964bd87a051d3de6d7c5e660f96d78eba531e98452eebbeac65928e1

SHA512
4d0f3f700c40a03ffbda8e5ce5f422729e9c900bc5039c37fabd883a5302bc83ade37a822fa68dec5952b6c9ee1071c4328343f333aedc03572b014ee019654e

Download Submit
C:\$Recycle.Bin\S-1-5-21-4246620582-653642754-1174164128-1000\desktop.ini.exe

Filesize
187KB

MD5
6bc5b941220f2bd9420b0800d8ba5649

SHA1
ddda38386bc704c877cc25c1180a0fcdf0c97fa3

SHA256
814cb3d2964bd87a051d3de6d7c5e660f96d78eba531e98452eebbeac65928e1

SHA512
4d0f3f700c40a03ffbda8e5ce5f422729e9c900bc5039c37fabd883a5302bc83ade37a822fa68dec5952b6c9ee1071c4328343f333aedc03572b014ee019654e

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AUTORUN.INF.exe

Filesize
184KB

MD5
2236bb4acc0da12df21a110233f1e69d

SHA1
df5c8b0c11e29ccec86a85065a992d1eba02cf47

SHA256
1727268a2e9abf308d72d475f45ca03a1482a3e961200c07b85c360c7629437d

SHA512
2a74652565e250b8c9695da995b42c52d54c760ae2a31903a3ce8f271d83b013045bc72aa82669e5081de199f07d431fae4104ef121c913cb6eb2df28bab69f0

Download Submit
C:\AutoRun.exe.exe

Filesize
184KB

MD5
73a0012d1d30dbbf6ba5e10dba77e75e

SHA1
c751582110ca562489c3ea18254a6f2716975ed0

SHA256
b7a1b25f1a58fa451b95286b9711a90ce3225c45ea5267a62a0c5ea3a594d496

SHA512
c6f66256d722b244308d95386d5288a90bc426fe7269aae30542be747400eab733ac5db65d94a639ab4878666d100affaf1381f04c901b64f18e4049e1394227

Download Submit
C:\DumpStack.log.tmp

Filesize
195KB

MD5
01b04a62c236fa7282b77e86b93d53a1

SHA1
6c52575606bfe90b6addb46afc95760ebee7e585

SHA256
3c415a690351bd361a1cddf09d1fe4d85e495b55290969ba52084729830452f4

SHA512
4db1522b2f3d8ad36949db33fc0b74e499a565ba14fc8a76d95d8c0359287e891fee2a271c8358c3813624f203ad11db604c7aeaf4dce8fd38fe363060f6208d

Download Submit
C:\Program Files\7-Zip\7-zip.chm

Filesize
289KB

MD5
0dec44ffb7e5ec74455218da13d173ed

SHA1
5112fc2e8a083e1b5cb4623342452c0ca2d8b203

SHA256
71b23116d5d868147ee157aacd2350c10d2c257710eaf2c42080985728978df6

SHA512
e5b4e8b36bfd2f34ea3adc2437d68f3d48986a4573ca381d4d1fbaac5cfe2bba982c200ec0d3365b18fe587e81f81ff0ab9306ebecbad62cfecc2431a1e63415

Download Submit
C:\Program Files\7-Zip\7-zip.dll

Filesize
260KB

MD5
77d2a2fe0e5939e6de6ca93b212dcdf7

SHA1
700c9133aba2b2d5ca426ef925f851235766d6e7

SHA256
632f4cf21a58f175b63900d4b8c81eb532ea98c7105ea5fec8fd77c490da0bda

SHA512
37b41888444b9bf01833541ec3a8b3d6ce27c8276db451aebc062785ef4fa1ad449e673c7a5b34231286a48731a19276136da1a975b12d010021124d3f8119ff

Download Submit
C:\Program Files\7-Zip\7-zip32.dll

Filesize
233KB

MD5
08f1c5188b8a362b9e3915348a4b6c09

SHA1
ecf7c331c58575012aff1b3637bd2bb2b29ee402

SHA256
1345c83f03d0acf435e5f06fef86606ea7ca79af8dc9c77ec3bfbdc31f9d6947

SHA512
c2479bd67d6fbeaea4fdd999435713f140c4c4d28ec6e2376db8c5fb62abe343167ebfd5e4dba7c4cc8f52cebc1865e3a7aef1eec2ee9c4b370b38f531528354

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
eb125e99cdff86270db6b9d25bdce115

SHA1
ff05c28d23403d96540aa28f0637e9425258c0d9

SHA256
4d5f998b2dfba90f4df1404ed16861d3fa4a6b59b0bc58f41ef82ac2224f0fce

SHA512
7794241317b7ac47e153462285829fa2f90ff28bc42f2970ec8d566d1b8e2367d810ce20861e66f299ed3d9e73ba8baebc8613d9593428e2481496360c2b9de6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
6e51e6a89ad9b134df0588ef94d4b297

SHA1
506bebedacc3116e0153d0b846734fc9a2086863

SHA256
bc39e56a784e395d19a8863c25ee43b1435e5094a49dc1072182c34f14d58c4c

SHA512
f5b0eae51f11108f90e19b440f5c34530875a576a1fdaa2826e2f65930f8d62d2868d77c1189a44b25c6fd59488e71b1b782b826d7787b794fa250b3acf60b65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
6e51e6a89ad9b134df0588ef94d4b297

SHA1
506bebedacc3116e0153d0b846734fc9a2086863

SHA256
bc39e56a784e395d19a8863c25ee43b1435e5094a49dc1072182c34f14d58c4c

SHA512
f5b0eae51f11108f90e19b440f5c34530875a576a1fdaa2826e2f65930f8d62d2868d77c1189a44b25c6fd59488e71b1b782b826d7787b794fa250b3acf60b65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
cf7c432d03c1250318dcc1ab6e7024ed

SHA1
f7c46e1e29824b40b30b4e937b61279dfcc3b166

SHA256
ad874ba30133fa33834d17f6028e12d2eed83602f2deaa0a975cf8dac93c9769

SHA512
7d975fa6bf2639813affd0ae00fde0d38ac45db5cedfced4714be9d3562a820bb032dad695ad2afeeb43d6eb699f8f675d85e0b927b243f8d842a6d0840f588b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
500c78e0d80e31b2245c8c90aa83c9cb

SHA1
a8f8ce93e1e1288346d2308327bd843321e01631

SHA256
a26a6db8f7cae1c84ecb65dc40ac51e7ed154e68534be8f7e7a61baa030734a1

SHA512
590074d37a9a08cf8c42ed872d38636c6c74da801793f9c035a6915b0d64f776dec14622d3300d3d02c34138addccd7295c70681e892cdd84f2d4b8303a2fe80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
73259ce36705cc7b6cce3bc27bfaa39a

SHA1
a45d74195a40612961d4f946a316d6580f05fc2a

SHA256
d4e6e56828c93eeaf6d22ed81fe806119311fe7e13a2e06ce4df12e0e99a5d74

SHA512
75dbb35bdd68ef9c731c84ab243e0700f6380576e94ae6be223fdd5a6ec1ba3c85c1e5c77b95b62c33e3db9ccb3cb0544e9528cb5cc66bed6d565e538abc1d16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
5ad0a7fb422cf3a4c79fd9c772379d98

SHA1
2f206ff5796f3bb0dc3e3d8bcf85607296d0e7df

SHA256
a711055f3c312799a197e2cb7be745e8721db86dd9c66393eab1e4f9f20e4206

SHA512
9494d728a6b185721c82a9948b9d227b7a6c8320d133d26cf7ebe9d525b511e15adf1f5a5abb333f9c55c13446380167d3c86dfebfb499b2bf397984b4e3af56

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5f9857db517850bf2e39ab1641cbeb58

SHA1
b85df0bcca6aaf89d4b5a2fce72539f087c54c5e

SHA256
899ed19c764375ce7ab99574d2569884a67f1e93aa63da5a94477db6ecb4b7c6

SHA512
d4a3542745a1d8a92faf1f535930c43ff1d3adbf9b1eb3bce47f72e0fe8c2fadd9b1dabf2dfad1573ab836114a1da42325f050cc65a0c3674acb6100b7465ba9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3f8f15a5532431b355ca62f94865ebf7

SHA1
c518631a16617f2716d06e5e059dc87ca7522e1c

SHA256
5c342089eb1dc26b0e38857cd5e62bb0e5b40d35f41ddb87c9dfa4d32445ea81

SHA512
21a8f4082ec8495f17a6369f52abd276a3642702ce7032c277d88752e6bb7a01032ec8cc232a6829b142782b0e546c21d36219e248eac814e9cdd1f3e96e42ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5d6fa871e687bc4c3ee6c06d1fff32b2

SHA1
9ef9a4497463bc172dd12702b077ad666b13836d

SHA256
808aecc6a21dc52a1f8154f8c758b7fa1940729e25f1d0f5f215d65875022a6a

SHA512
90ee159a1c42387e2e5c4b8a5232f08b94fa7a3cee734c6ee47a76d1181dec6de24f119eb8d746d09c9d4259c75d39d2942c72259e946f14de1774b2a42473d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d57f910047b05219f386ddf48acfb65a

SHA1
73592a72afaafd371693452c5a6d08059d31b0f3

SHA256
999ee13ae8664219c23afc83ac86b2fea7c3fa2c0fea0ce1e9334a8b82aabbb8

SHA512
aebc010d84ef9a344063c62b74b771a8a847042997b397e6b180bfff2f2fccd2b3cbb50c5889941c811f6ec43e7ffe44e29d4f36e0084375d10f35bce37ef481

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3d03f2e1e1635cbbd06dab1617fdb122

SHA1
33527f844e2d3b7d7fb72e2f1cdbfb5011af9162

SHA256
102a24796469b94f2647e6001d681098fa70caf2162e55c50b4e2f1aae76d912

SHA512
8ec9dc008857de52253ffc9f15b2ab54fec409f15ce924788a3c8c06e5f800f99040e4e72878f95abb38b181333e60c5c351f873a16de4965951ce765394f838

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
73bc331a4200801d4518ebd5438a0fef

SHA1
a0bff734ab6d1f470d4a35f63a2d3c29dc9066f3

SHA256
12e60b18400dd88d4f205a0b429ece24fdfef308cf2044340c6ab2e1672bd990

SHA512
55cda786f23ba2b941ef4f63a16a63b0e8a4bc357452272e077456a7fb2cf098c051bca4b5ca8a4aaecd28caa9afe1ef08f925de35d4f69061c99df0e2e2375f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
069a7f5b551f468d9208b3240b0a5880

SHA1
424848b9f60850c061dd0cf04e98f3b50a0c76e7

SHA256
3fae94e76b7db737723f9239de791fd2f3cfceed703c2f491b62d006fb8f8e2a

SHA512
c6ef751d6c89b380c9db822e711896ca13ae083e974f70ebabd484dfa9c24a459515c2bdbc40b3bd63cb916f9ab135669e8ea2c3c863514b11d0b9bd297d1ef2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
852d3b598454f76c3570c3dcf263e2ae

SHA1
eb8571f0fb8507f8c1249d2f1df78afa64cd7a10

SHA256
a8cef0b125e3eba61a0dfbb0e9fac0b889a38c14755a3fdf116007ba20c70231

SHA512
210f365b333248885a7d525276d179fb4370a167be83c76aebd6f4374d1fc7f337a4da1b81ea7d97a0362f59b1f65cb302be967900b0d949be4ab306aa9fe74e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3defa3425db046f8105706d4f7d62934

SHA1
afdf878a54646963477727b08d975b79ab2d0f99

SHA256
c2f757b0d120c70a4e07f5b13ea7873edfb6ca54c45d13352751a7d3e4cbf3a8

SHA512
3f870d5fdbc6f9e914c6dbf43ca7e8e59ba9171cae3483961ce5d306c383cf6d973c3cf00d61a97c471796dfdc561397c78369b2c0240b16d985b083f5f282d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
51f063bafc0385af9971b1676abe013b

SHA1
1f81a71adbef8b8bddf388347b7dfec595f49cb6

SHA256
0ef1c41e4810b8a0fdff568fa608b3440a9d51a8bee40e293c5a198eb95cd0aa

SHA512
4afadd00a6f90b9ba40a0114097ee6a121d0b71c143e15e9798924e4375003efb072bd94a12350d96d7b61fb57ddb8bd787c152cb2d0f603894e38d05470b079

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1b147f4c2d4035e5812033bc3b9ce3bd

SHA1
5d7a68fb5062022dd2a2c97b480161af7fa36c68

SHA256
495d00ee5d046a4dd1d04df9c0d0195ddca8a73c1cb59ac2d1b340876dd6324f

SHA512
cf3522f79c063d867f0139b34b3f3b7f32844e0d92edc7acef0b6caec8aa9d198609f0050aca92e67cd566cb8dd4d0caac7510274092c8afa75716b549298997

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
865550bdb015dc190574a17daf0c3a05

SHA1
ec7dcb41a91efc9c9cfebe7ec0b293e1d997e0de

SHA256
8c2ef72e9d9fc11b4f3556e8551c99b7d2edada443ddfaba4986473b6895ed33

SHA512
2343d2a5086092e2f3f24ac721fcc63bf122aa9ea8b496fdc1724fa458a17d4c650dee3ce2a38af24fe939a5d03f73be7173a8b287bff3d2c3d78a3d2988d2b8

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
183KB

MD5
b4e0c14a9d003a1b53b27093a5d9f6e9

SHA1
fe03590d74d9cb1137eca3a7a8b9865dd5487377

SHA256
a63b25b5c9a9f8b2c0216a71bc150e61b1aa41a5c3707bc9f17506764a382d89

SHA512
d25035fce7ce4d25a5fa3b2cf81eefb699bef513472045c9c5c70af1dbc603dc00dd7706c38af4c60cdc7cd8757797ffef86314bb3b49df83a7a589614526497

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
183KB

MD5
b4e0c14a9d003a1b53b27093a5d9f6e9

SHA1
fe03590d74d9cb1137eca3a7a8b9865dd5487377

SHA256
a63b25b5c9a9f8b2c0216a71bc150e61b1aa41a5c3707bc9f17506764a382d89

SHA512
d25035fce7ce4d25a5fa3b2cf81eefb699bef513472045c9c5c70af1dbc603dc00dd7706c38af4c60cdc7cd8757797ffef86314bb3b49df83a7a589614526497

Download Submit
C:\odt\config.xml

Filesize
187KB

MD5
e08d022986055713a83b249efd805367

SHA1
2e22e1b4b71c8f543b0038d53a16e6ba98410822

SHA256
d6218cf413a246bf3bba1e0c2367842f3ca0b2ef2ba581439d8d3892e59ba2c2

SHA512
84ec635e36947fb512712d7c0b0d1f015959d35922d11066bd8d7ddd69d7594d87084de4f93935fbaece22ee9c2ed5b19a701638bd182fa85f898ffa0b102bc1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads