fcacdbc16d4a101aba2204a0bd7553f2102d435a339edbd2f1b699697a6ac7bd

Analysis

max time kernel
154s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12/05/2023, 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
Size

2.5MB
MD5

cf96dc24ccb78aa865d9569a28da9168
SHA1

c03b4338537fbf27aac2e0abbc26f27b9337e8b7
SHA256

fcacdbc16d4a101aba2204a0bd7553f2102d435a339edbd2f1b699697a6ac7bd
SHA512

263c7d8ba66605d9f5030f73a188d00039469092ea89fc5cd26412f089086adb9d187ec8f1ed0ae7961cb1c4cfdcf5162c77c2ebb0243e8c9fbe7101fe4badb5
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCH:eEtl9mRda12sX7hKB8NIyXbacAfk

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe

Executes dropped EXE 1 IoCs

pid	Process
916	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
788	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
788	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\K:	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
File opened (read-only)	\??\M:	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
File opened (read-only)	\??\Z:	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\L:	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
File opened (read-only)	\??\O:	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
File opened (read-only)	\??\P:	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
File opened (read-only)	\??\S:	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
File opened (read-only)	\??\U:	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\A:	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
File opened (read-only)	\??\V:	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
File opened (read-only)	\??\Y:	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\E:	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
File opened (read-only)	\??\R:	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
File opened (read-only)	\??\T:	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\B:	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
File opened (read-only)	\??\H:	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
File opened (read-only)	\??\I:	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
File opened (read-only)	\??\N:	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
File opened (read-only)	\??\X:	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\F:	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
File opened (read-only)	\??\W:	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\G:	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
File opened (read-only)	\??\Q:	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 788 wrote to memory of 916	788	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe	27
PID 788 wrote to memory of 916	788	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe	27
PID 788 wrote to memory of 916	788	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe	27
PID 788 wrote to memory of 916	788	2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe	27

C:\Users\Admin\AppData\Local\Temp\2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-11_cf96dc24ccb78aa865d9569a28da9168_ryuk.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:788
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\desktop.ini.exe

Filesize
2.5MB

MD5
9894a670896f837f05d8c918a48f4e7d

SHA1
2b402fbda104885c91a92e771740bb8e25b061b8

SHA256
59a0edd433e380c0adb56b4c95012ff88d8869ee36ec3c82d023037b1b0fe373

SHA512
9d8a611897a8ff5ae91c1d6059cfdf6a76c25dfe8c6bd5e9111f3b4516b7333013259ef48ec476fc877b6607aa1ffb9989c7ee731dcbd9605e14b571c72585c5

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AutoRun.exe

Filesize
2.5MB

MD5
cf96dc24ccb78aa865d9569a28da9168

SHA1
c03b4338537fbf27aac2e0abbc26f27b9337e8b7

SHA256
fcacdbc16d4a101aba2204a0bd7553f2102d435a339edbd2f1b699697a6ac7bd

SHA512
263c7d8ba66605d9f5030f73a188d00039469092ea89fc5cd26412f089086adb9d187ec8f1ed0ae7961cb1c4cfdcf5162c77c2ebb0243e8c9fbe7101fe4badb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
e0307f8146ef208e2ef1085691c9f21e

SHA1
5c5d8d4dad5845fe4551295fd546e3a64b77109d

SHA256
8b84dd4b5bb30aa9930a799105e2ea1ef4745ed749db8a45af5870125ba820cd

SHA512
a70037f748d903eabd39df4dd5824771328a0e056338c3af9d7ad61680c3f4685ed90789ae299af7e66bda2a4c48a0db3ba51dcfd6adae94806efda7587c7867

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
afae47cf1d4f23dbed365a557e3f4542

SHA1
d9676b1f0a0d451366f323b02dc9c8a67d687693

SHA256
4d4c4e04023c8c000c700d55e770b36dfab8b57d73e6d6646d6fdb5467b90844

SHA512
13bf563f47d715f57a6ddbc67fb668aa77bd7be0483bce55c168854b3bdd0ddf01a6be4756768e1ae16b482fc039c4e316052582d201e1958cba4350145d3cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
e0307f8146ef208e2ef1085691c9f21e

SHA1
5c5d8d4dad5845fe4551295fd546e3a64b77109d

SHA256
8b84dd4b5bb30aa9930a799105e2ea1ef4745ed749db8a45af5870125ba820cd

SHA512
a70037f748d903eabd39df4dd5824771328a0e056338c3af9d7ad61680c3f4685ed90789ae299af7e66bda2a4c48a0db3ba51dcfd6adae94806efda7587c7867

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
e0307f8146ef208e2ef1085691c9f21e

SHA1
5c5d8d4dad5845fe4551295fd546e3a64b77109d

SHA256
8b84dd4b5bb30aa9930a799105e2ea1ef4745ed749db8a45af5870125ba820cd

SHA512
a70037f748d903eabd39df4dd5824771328a0e056338c3af9d7ad61680c3f4685ed90789ae299af7e66bda2a4c48a0db3ba51dcfd6adae94806efda7587c7867

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
afae47cf1d4f23dbed365a557e3f4542

SHA1
d9676b1f0a0d451366f323b02dc9c8a67d687693

SHA256
4d4c4e04023c8c000c700d55e770b36dfab8b57d73e6d6646d6fdb5467b90844

SHA512
13bf563f47d715f57a6ddbc67fb668aa77bd7be0483bce55c168854b3bdd0ddf01a6be4756768e1ae16b482fc039c4e316052582d201e1958cba4350145d3cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
e0307f8146ef208e2ef1085691c9f21e

SHA1
5c5d8d4dad5845fe4551295fd546e3a64b77109d

SHA256
8b84dd4b5bb30aa9930a799105e2ea1ef4745ed749db8a45af5870125ba820cd

SHA512
a70037f748d903eabd39df4dd5824771328a0e056338c3af9d7ad61680c3f4685ed90789ae299af7e66bda2a4c48a0db3ba51dcfd6adae94806efda7587c7867

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
afae47cf1d4f23dbed365a557e3f4542

SHA1
d9676b1f0a0d451366f323b02dc9c8a67d687693

SHA256
4d4c4e04023c8c000c700d55e770b36dfab8b57d73e6d6646d6fdb5467b90844

SHA512
13bf563f47d715f57a6ddbc67fb668aa77bd7be0483bce55c168854b3bdd0ddf01a6be4756768e1ae16b482fc039c4e316052582d201e1958cba4350145d3cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
afae47cf1d4f23dbed365a557e3f4542

SHA1
d9676b1f0a0d451366f323b02dc9c8a67d687693

SHA256
4d4c4e04023c8c000c700d55e770b36dfab8b57d73e6d6646d6fdb5467b90844

SHA512
13bf563f47d715f57a6ddbc67fb668aa77bd7be0483bce55c168854b3bdd0ddf01a6be4756768e1ae16b482fc039c4e316052582d201e1958cba4350145d3cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
e0307f8146ef208e2ef1085691c9f21e

SHA1
5c5d8d4dad5845fe4551295fd546e3a64b77109d

SHA256
8b84dd4b5bb30aa9930a799105e2ea1ef4745ed749db8a45af5870125ba820cd

SHA512
a70037f748d903eabd39df4dd5824771328a0e056338c3af9d7ad61680c3f4685ed90789ae299af7e66bda2a4c48a0db3ba51dcfd6adae94806efda7587c7867

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
e0307f8146ef208e2ef1085691c9f21e

SHA1
5c5d8d4dad5845fe4551295fd546e3a64b77109d

SHA256
8b84dd4b5bb30aa9930a799105e2ea1ef4745ed749db8a45af5870125ba820cd

SHA512
a70037f748d903eabd39df4dd5824771328a0e056338c3af9d7ad61680c3f4685ed90789ae299af7e66bda2a4c48a0db3ba51dcfd6adae94806efda7587c7867

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
afae47cf1d4f23dbed365a557e3f4542

SHA1
d9676b1f0a0d451366f323b02dc9c8a67d687693

SHA256
4d4c4e04023c8c000c700d55e770b36dfab8b57d73e6d6646d6fdb5467b90844

SHA512
13bf563f47d715f57a6ddbc67fb668aa77bd7be0483bce55c168854b3bdd0ddf01a6be4756768e1ae16b482fc039c4e316052582d201e1958cba4350145d3cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
e0307f8146ef208e2ef1085691c9f21e

SHA1
5c5d8d4dad5845fe4551295fd546e3a64b77109d

SHA256
8b84dd4b5bb30aa9930a799105e2ea1ef4745ed749db8a45af5870125ba820cd

SHA512
a70037f748d903eabd39df4dd5824771328a0e056338c3af9d7ad61680c3f4685ed90789ae299af7e66bda2a4c48a0db3ba51dcfd6adae94806efda7587c7867

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
afae47cf1d4f23dbed365a557e3f4542

SHA1
d9676b1f0a0d451366f323b02dc9c8a67d687693

SHA256
4d4c4e04023c8c000c700d55e770b36dfab8b57d73e6d6646d6fdb5467b90844

SHA512
13bf563f47d715f57a6ddbc67fb668aa77bd7be0483bce55c168854b3bdd0ddf01a6be4756768e1ae16b482fc039c4e316052582d201e1958cba4350145d3cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
e0307f8146ef208e2ef1085691c9f21e

SHA1
5c5d8d4dad5845fe4551295fd546e3a64b77109d

SHA256
8b84dd4b5bb30aa9930a799105e2ea1ef4745ed749db8a45af5870125ba820cd

SHA512
a70037f748d903eabd39df4dd5824771328a0e056338c3af9d7ad61680c3f4685ed90789ae299af7e66bda2a4c48a0db3ba51dcfd6adae94806efda7587c7867

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
afae47cf1d4f23dbed365a557e3f4542

SHA1
d9676b1f0a0d451366f323b02dc9c8a67d687693

SHA256
4d4c4e04023c8c000c700d55e770b36dfab8b57d73e6d6646d6fdb5467b90844

SHA512
13bf563f47d715f57a6ddbc67fb668aa77bd7be0483bce55c168854b3bdd0ddf01a6be4756768e1ae16b482fc039c4e316052582d201e1958cba4350145d3cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
afae47cf1d4f23dbed365a557e3f4542

SHA1
d9676b1f0a0d451366f323b02dc9c8a67d687693

SHA256
4d4c4e04023c8c000c700d55e770b36dfab8b57d73e6d6646d6fdb5467b90844

SHA512
13bf563f47d715f57a6ddbc67fb668aa77bd7be0483bce55c168854b3bdd0ddf01a6be4756768e1ae16b482fc039c4e316052582d201e1958cba4350145d3cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
e0307f8146ef208e2ef1085691c9f21e

SHA1
5c5d8d4dad5845fe4551295fd546e3a64b77109d

SHA256
8b84dd4b5bb30aa9930a799105e2ea1ef4745ed749db8a45af5870125ba820cd

SHA512
a70037f748d903eabd39df4dd5824771328a0e056338c3af9d7ad61680c3f4685ed90789ae299af7e66bda2a4c48a0db3ba51dcfd6adae94806efda7587c7867

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
afae47cf1d4f23dbed365a557e3f4542

SHA1
d9676b1f0a0d451366f323b02dc9c8a67d687693

SHA256
4d4c4e04023c8c000c700d55e770b36dfab8b57d73e6d6646d6fdb5467b90844

SHA512
13bf563f47d715f57a6ddbc67fb668aa77bd7be0483bce55c168854b3bdd0ddf01a6be4756768e1ae16b482fc039c4e316052582d201e1958cba4350145d3cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
e0307f8146ef208e2ef1085691c9f21e

SHA1
5c5d8d4dad5845fe4551295fd546e3a64b77109d

SHA256
8b84dd4b5bb30aa9930a799105e2ea1ef4745ed749db8a45af5870125ba820cd

SHA512
a70037f748d903eabd39df4dd5824771328a0e056338c3af9d7ad61680c3f4685ed90789ae299af7e66bda2a4c48a0db3ba51dcfd6adae94806efda7587c7867

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
afae47cf1d4f23dbed365a557e3f4542

SHA1
d9676b1f0a0d451366f323b02dc9c8a67d687693

SHA256
4d4c4e04023c8c000c700d55e770b36dfab8b57d73e6d6646d6fdb5467b90844

SHA512
13bf563f47d715f57a6ddbc67fb668aa77bd7be0483bce55c168854b3bdd0ddf01a6be4756768e1ae16b482fc039c4e316052582d201e1958cba4350145d3cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
e0307f8146ef208e2ef1085691c9f21e

SHA1
5c5d8d4dad5845fe4551295fd546e3a64b77109d

SHA256
8b84dd4b5bb30aa9930a799105e2ea1ef4745ed749db8a45af5870125ba820cd

SHA512
a70037f748d903eabd39df4dd5824771328a0e056338c3af9d7ad61680c3f4685ed90789ae299af7e66bda2a4c48a0db3ba51dcfd6adae94806efda7587c7867

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
afae47cf1d4f23dbed365a557e3f4542

SHA1
d9676b1f0a0d451366f323b02dc9c8a67d687693

SHA256
4d4c4e04023c8c000c700d55e770b36dfab8b57d73e6d6646d6fdb5467b90844

SHA512
13bf563f47d715f57a6ddbc67fb668aa77bd7be0483bce55c168854b3bdd0ddf01a6be4756768e1ae16b482fc039c4e316052582d201e1958cba4350145d3cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
afae47cf1d4f23dbed365a557e3f4542

SHA1
d9676b1f0a0d451366f323b02dc9c8a67d687693

SHA256
4d4c4e04023c8c000c700d55e770b36dfab8b57d73e6d6646d6fdb5467b90844

SHA512
13bf563f47d715f57a6ddbc67fb668aa77bd7be0483bce55c168854b3bdd0ddf01a6be4756768e1ae16b482fc039c4e316052582d201e1958cba4350145d3cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
e0307f8146ef208e2ef1085691c9f21e

SHA1
5c5d8d4dad5845fe4551295fd546e3a64b77109d

SHA256
8b84dd4b5bb30aa9930a799105e2ea1ef4745ed749db8a45af5870125ba820cd

SHA512
a70037f748d903eabd39df4dd5824771328a0e056338c3af9d7ad61680c3f4685ed90789ae299af7e66bda2a4c48a0db3ba51dcfd6adae94806efda7587c7867

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
afae47cf1d4f23dbed365a557e3f4542

SHA1
d9676b1f0a0d451366f323b02dc9c8a67d687693

SHA256
4d4c4e04023c8c000c700d55e770b36dfab8b57d73e6d6646d6fdb5467b90844

SHA512
13bf563f47d715f57a6ddbc67fb668aa77bd7be0483bce55c168854b3bdd0ddf01a6be4756768e1ae16b482fc039c4e316052582d201e1958cba4350145d3cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
afae47cf1d4f23dbed365a557e3f4542

SHA1
d9676b1f0a0d451366f323b02dc9c8a67d687693

SHA256
4d4c4e04023c8c000c700d55e770b36dfab8b57d73e6d6646d6fdb5467b90844

SHA512
13bf563f47d715f57a6ddbc67fb668aa77bd7be0483bce55c168854b3bdd0ddf01a6be4756768e1ae16b482fc039c4e316052582d201e1958cba4350145d3cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
e0307f8146ef208e2ef1085691c9f21e

SHA1
5c5d8d4dad5845fe4551295fd546e3a64b77109d

SHA256
8b84dd4b5bb30aa9930a799105e2ea1ef4745ed749db8a45af5870125ba820cd

SHA512
a70037f748d903eabd39df4dd5824771328a0e056338c3af9d7ad61680c3f4685ed90789ae299af7e66bda2a4c48a0db3ba51dcfd6adae94806efda7587c7867

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
e0307f8146ef208e2ef1085691c9f21e

SHA1
5c5d8d4dad5845fe4551295fd546e3a64b77109d

SHA256
8b84dd4b5bb30aa9930a799105e2ea1ef4745ed749db8a45af5870125ba820cd

SHA512
a70037f748d903eabd39df4dd5824771328a0e056338c3af9d7ad61680c3f4685ed90789ae299af7e66bda2a4c48a0db3ba51dcfd6adae94806efda7587c7867

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
e0307f8146ef208e2ef1085691c9f21e

SHA1
5c5d8d4dad5845fe4551295fd546e3a64b77109d

SHA256
8b84dd4b5bb30aa9930a799105e2ea1ef4745ed749db8a45af5870125ba820cd

SHA512
a70037f748d903eabd39df4dd5824771328a0e056338c3af9d7ad61680c3f4685ed90789ae299af7e66bda2a4c48a0db3ba51dcfd6adae94806efda7587c7867

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
afae47cf1d4f23dbed365a557e3f4542

SHA1
d9676b1f0a0d451366f323b02dc9c8a67d687693

SHA256
4d4c4e04023c8c000c700d55e770b36dfab8b57d73e6d6646d6fdb5467b90844

SHA512
13bf563f47d715f57a6ddbc67fb668aa77bd7be0483bce55c168854b3bdd0ddf01a6be4756768e1ae16b482fc039c4e316052582d201e1958cba4350145d3cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
e0307f8146ef208e2ef1085691c9f21e

SHA1
5c5d8d4dad5845fe4551295fd546e3a64b77109d

SHA256
8b84dd4b5bb30aa9930a799105e2ea1ef4745ed749db8a45af5870125ba820cd

SHA512
a70037f748d903eabd39df4dd5824771328a0e056338c3af9d7ad61680c3f4685ed90789ae299af7e66bda2a4c48a0db3ba51dcfd6adae94806efda7587c7867

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
afae47cf1d4f23dbed365a557e3f4542

SHA1
d9676b1f0a0d451366f323b02dc9c8a67d687693

SHA256
4d4c4e04023c8c000c700d55e770b36dfab8b57d73e6d6646d6fdb5467b90844

SHA512
13bf563f47d715f57a6ddbc67fb668aa77bd7be0483bce55c168854b3bdd0ddf01a6be4756768e1ae16b482fc039c4e316052582d201e1958cba4350145d3cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
e0307f8146ef208e2ef1085691c9f21e

SHA1
5c5d8d4dad5845fe4551295fd546e3a64b77109d

SHA256
8b84dd4b5bb30aa9930a799105e2ea1ef4745ed749db8a45af5870125ba820cd

SHA512
a70037f748d903eabd39df4dd5824771328a0e056338c3af9d7ad61680c3f4685ed90789ae299af7e66bda2a4c48a0db3ba51dcfd6adae94806efda7587c7867

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
afae47cf1d4f23dbed365a557e3f4542

SHA1
d9676b1f0a0d451366f323b02dc9c8a67d687693

SHA256
4d4c4e04023c8c000c700d55e770b36dfab8b57d73e6d6646d6fdb5467b90844

SHA512
13bf563f47d715f57a6ddbc67fb668aa77bd7be0483bce55c168854b3bdd0ddf01a6be4756768e1ae16b482fc039c4e316052582d201e1958cba4350145d3cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
e0307f8146ef208e2ef1085691c9f21e

SHA1
5c5d8d4dad5845fe4551295fd546e3a64b77109d

SHA256
8b84dd4b5bb30aa9930a799105e2ea1ef4745ed749db8a45af5870125ba820cd

SHA512
a70037f748d903eabd39df4dd5824771328a0e056338c3af9d7ad61680c3f4685ed90789ae299af7e66bda2a4c48a0db3ba51dcfd6adae94806efda7587c7867

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
afae47cf1d4f23dbed365a557e3f4542

SHA1
d9676b1f0a0d451366f323b02dc9c8a67d687693

SHA256
4d4c4e04023c8c000c700d55e770b36dfab8b57d73e6d6646d6fdb5467b90844

SHA512
13bf563f47d715f57a6ddbc67fb668aa77bd7be0483bce55c168854b3bdd0ddf01a6be4756768e1ae16b482fc039c4e316052582d201e1958cba4350145d3cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
e0307f8146ef208e2ef1085691c9f21e

SHA1
5c5d8d4dad5845fe4551295fd546e3a64b77109d

SHA256
8b84dd4b5bb30aa9930a799105e2ea1ef4745ed749db8a45af5870125ba820cd

SHA512
a70037f748d903eabd39df4dd5824771328a0e056338c3af9d7ad61680c3f4685ed90789ae299af7e66bda2a4c48a0db3ba51dcfd6adae94806efda7587c7867

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
afae47cf1d4f23dbed365a557e3f4542

SHA1
d9676b1f0a0d451366f323b02dc9c8a67d687693

SHA256
4d4c4e04023c8c000c700d55e770b36dfab8b57d73e6d6646d6fdb5467b90844

SHA512
13bf563f47d715f57a6ddbc67fb668aa77bd7be0483bce55c168854b3bdd0ddf01a6be4756768e1ae16b482fc039c4e316052582d201e1958cba4350145d3cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
afae47cf1d4f23dbed365a557e3f4542

SHA1
d9676b1f0a0d451366f323b02dc9c8a67d687693

SHA256
4d4c4e04023c8c000c700d55e770b36dfab8b57d73e6d6646d6fdb5467b90844

SHA512
13bf563f47d715f57a6ddbc67fb668aa77bd7be0483bce55c168854b3bdd0ddf01a6be4756768e1ae16b482fc039c4e316052582d201e1958cba4350145d3cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
e0307f8146ef208e2ef1085691c9f21e

SHA1
5c5d8d4dad5845fe4551295fd546e3a64b77109d

SHA256
8b84dd4b5bb30aa9930a799105e2ea1ef4745ed749db8a45af5870125ba820cd

SHA512
a70037f748d903eabd39df4dd5824771328a0e056338c3af9d7ad61680c3f4685ed90789ae299af7e66bda2a4c48a0db3ba51dcfd6adae94806efda7587c7867

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
afae47cf1d4f23dbed365a557e3f4542

SHA1
d9676b1f0a0d451366f323b02dc9c8a67d687693

SHA256
4d4c4e04023c8c000c700d55e770b36dfab8b57d73e6d6646d6fdb5467b90844

SHA512
13bf563f47d715f57a6ddbc67fb668aa77bd7be0483bce55c168854b3bdd0ddf01a6be4756768e1ae16b482fc039c4e316052582d201e1958cba4350145d3cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
e0307f8146ef208e2ef1085691c9f21e

SHA1
5c5d8d4dad5845fe4551295fd546e3a64b77109d

SHA256
8b84dd4b5bb30aa9930a799105e2ea1ef4745ed749db8a45af5870125ba820cd

SHA512
a70037f748d903eabd39df4dd5824771328a0e056338c3af9d7ad61680c3f4685ed90789ae299af7e66bda2a4c48a0db3ba51dcfd6adae94806efda7587c7867

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
afae47cf1d4f23dbed365a557e3f4542

SHA1
d9676b1f0a0d451366f323b02dc9c8a67d687693

SHA256
4d4c4e04023c8c000c700d55e770b36dfab8b57d73e6d6646d6fdb5467b90844

SHA512
13bf563f47d715f57a6ddbc67fb668aa77bd7be0483bce55c168854b3bdd0ddf01a6be4756768e1ae16b482fc039c4e316052582d201e1958cba4350145d3cb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
e0307f8146ef208e2ef1085691c9f21e

SHA1
5c5d8d4dad5845fe4551295fd546e3a64b77109d

SHA256
8b84dd4b5bb30aa9930a799105e2ea1ef4745ed749db8a45af5870125ba820cd

SHA512
a70037f748d903eabd39df4dd5824771328a0e056338c3af9d7ad61680c3f4685ed90789ae299af7e66bda2a4c48a0db3ba51dcfd6adae94806efda7587c7867

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
afae47cf1d4f23dbed365a557e3f4542

SHA1
d9676b1f0a0d451366f323b02dc9c8a67d687693

SHA256
4d4c4e04023c8c000c700d55e770b36dfab8b57d73e6d6646d6fdb5467b90844

SHA512
13bf563f47d715f57a6ddbc67fb668aa77bd7be0483bce55c168854b3bdd0ddf01a6be4756768e1ae16b482fc039c4e316052582d201e1958cba4350145d3cb2

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
a9fbffb01fce87079637c0bbc225dcfa

SHA1
3f9e2dce5534a9a93e3aef5d1f88cbe8a68581ec

SHA256
da3ff4dab527f1cad77282509e3056240880d4e0aacb1fb3df8fe15d95dd7e58

SHA512
9256794a01233c189bd7a962424ae56546cd7e94322b6ba7524896cd23520c17b7928af00259e6f02172d8041813959504a500c5fd59f7bd4e2b0c4ebdbda131

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
a9fbffb01fce87079637c0bbc225dcfa

SHA1
3f9e2dce5534a9a93e3aef5d1f88cbe8a68581ec

SHA256
da3ff4dab527f1cad77282509e3056240880d4e0aacb1fb3df8fe15d95dd7e58

SHA512
9256794a01233c189bd7a962424ae56546cd7e94322b6ba7524896cd23520c17b7928af00259e6f02172d8041813959504a500c5fd59f7bd4e2b0c4ebdbda131

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
a9fbffb01fce87079637c0bbc225dcfa

SHA1
3f9e2dce5534a9a93e3aef5d1f88cbe8a68581ec

SHA256
da3ff4dab527f1cad77282509e3056240880d4e0aacb1fb3df8fe15d95dd7e58

SHA512
9256794a01233c189bd7a962424ae56546cd7e94322b6ba7524896cd23520c17b7928af00259e6f02172d8041813959504a500c5fd59f7bd4e2b0c4ebdbda131

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
a9fbffb01fce87079637c0bbc225dcfa

SHA1
3f9e2dce5534a9a93e3aef5d1f88cbe8a68581ec

SHA256
da3ff4dab527f1cad77282509e3056240880d4e0aacb1fb3df8fe15d95dd7e58

SHA512
9256794a01233c189bd7a962424ae56546cd7e94322b6ba7524896cd23520c17b7928af00259e6f02172d8041813959504a500c5fd59f7bd4e2b0c4ebdbda131

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
a9fbffb01fce87079637c0bbc225dcfa

SHA1
3f9e2dce5534a9a93e3aef5d1f88cbe8a68581ec

SHA256
da3ff4dab527f1cad77282509e3056240880d4e0aacb1fb3df8fe15d95dd7e58

SHA512
9256794a01233c189bd7a962424ae56546cd7e94322b6ba7524896cd23520c17b7928af00259e6f02172d8041813959504a500c5fd59f7bd4e2b0c4ebdbda131

Download Submit
memory/788-56-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/788-150-0x0000000001E00000-0x0000000001E7B000-memory.dmp

Filesize
492KB

Download
memory/788-105-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/788-66-0x0000000001E00000-0x0000000001E7B000-memory.dmp

Filesize
492KB

Download
memory/788-58-0x0000000001E00000-0x0000000001E7B000-memory.dmp

Filesize
492KB

Download
memory/788-54-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/916-151-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/916-68-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/916-67-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads