: It modifies registry keys in HKCU\Software\Microsoft\Windows\CurrentVersion\Run and Winlogon to ensure it restarts every time the computer boots.

Forensic Indicators (IOCs)
: It often serves as a Trojan Downloader, a malicious program designed to bypass security, establish a foothold, and then pull more damaging payloads onto the system.

Technical Characteristics: Soft.exe
: It has been documented as a downloader for Locky ransomware and has appeared in campaigns involving the RagnarLocker threat group.
: It may drop secondary executables with randomized names or names like svchost015.exe.

Summary Table (Behavioral Analysis / Observed Activity)
Type: Ransomware Downloader / InfoStealer
Delivery:
: In more recent activity, a related variant named ViperSoftX has been found disguised as cracked software to steal cryptocurrency and system information.
: The malware frequently uses CryptOne packing to hide its code and implements stalling techniques (like calling Sleep functions) to wait out sandbox analysis.
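
A triage check for the two persistence and naming traits described above (Run/Winlogon autoruns and dropped files named like svchost015.exe), as an added example that is not part of the original page. It parses `reg query` text output; the function name, the list of system binary names, the Winlogon `Shell`/`Userinit` values checked, and the sample data are assumptions made for the illustration.

```python
import re

# Names of Windows system binaries that droppers commonly imitate (illustrative list).
SYSTEM_BINARIES = {"svchost", "explorer", "userinit", "winlogon", "lsass"}
# Stock Winlogon values on a default Windows install.
WINLOGON_DEFAULTS = {"shell": "explorer.exe",
                     "userinit": r"c:\windows\system32\userinit.exe,"}
VALUE_LINE = re.compile(r"^\s+(.+?)\s{2,}REG_(?:SZ|EXPAND_SZ)\s{2,}(.*)$")
EXE_PATH = re.compile(r'"?([^"]*?\.exe)', re.IGNORECASE)

def review_autoruns(reg_query_output):
    """Return (value_name, reason) pairs for autorun entries worth triage."""
    findings, key = [], ""
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip().lower()
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2).strip()
        if key.endswith("\\winlogon"):
            default = WINLOGON_DEFAULTS.get(name.lower())
            if default and data.lower() != default:
                findings.append((name, "non-default Winlogon value"))
            continue
        exe = EXE_PATH.match(data)
        if not exe:
            continue
        path = exe.group(1).lower()
        stem = path.rsplit("\\", 1)[-1][:-4]
        base = stem.rstrip("0123456789")
        # svchost015.exe -> base "svchost": digit-suffixed or misplaced system name
        if base in SYSTEM_BINARIES and (stem != base or "\\windows\\" not in path):
            findings.append((name, "imitates a system binary name"))
    return findings

# Constructed sample in `reg query` output format (not taken from a real host).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    C:\Users\lab\AppData\Roaming\svchost015.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe, C:\Users\lab\AppData\Roaming\soft.exe
"""

if __name__ == "__main__":
    for name, reason in review_autoruns(SAMPLE):
        print(f"{name}: {reason}")
```

The name heuristic is a triage aid only: a dropper using a fully randomized file name will not match it, so the Winlogon comparison and a review of every unfamiliar Run entry still apply.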