5ebd6fc63a9af36afe50922408496301da362bae1a9c7bd7b3306315f9dd805c

Analysis

max time kernel
150s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
17-09-2023 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
Size

3.4MB
MD5

16f9bd46e47e0368af2fc86153ca7cf1
SHA1

d949cce77a56bb9b68688e8d77f52519ed7db37d
SHA256

5ebd6fc63a9af36afe50922408496301da362bae1a9c7bd7b3306315f9dd805c
SHA512

1a1a7652273349b1a517b3fe696986c22277d375ecfead5ea3975cccf8fb6ab7df22d8a540fbecc8b1b62b117ac26f021ea32eb1eb7e4debcbef47e0f980afa2
SSDEEP

98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMS:9nU

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
4664	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File opened (read-only)	\??\Z:	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\I:	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File opened (read-only)	\??\R:	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File opened (read-only)	\??\S:	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\O:	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File opened (read-only)	\??\Q:	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File opened (read-only)	\??\U:	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\G:	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File opened (read-only)	\??\J:	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File opened (read-only)	\??\P:	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\E:	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File opened (read-only)	\??\N:	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\B:	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File opened (read-only)	\??\K:	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File opened (read-only)	\??\W:	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\H:	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File opened (read-only)	\??\V:	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File opened (read-only)	\??\X:	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\M:	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File opened (read-only)	\??\T:	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\A:	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File opened (read-only)	\??\L:	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File opened for modification	C:\AUTORUN.INF	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Paper.xml.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ul-oob.xrm-ms.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_F_COL.HXK.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-modules-profiler_visualvm.jar.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-oob.xrm-ms.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\jfxmedia.dll.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.OLE.Interop.dll.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\flavormap.properties.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ppd.xrm-ms.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ppd.xrm-ms.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-pl.xrm-ms.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL109.XML.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN092.XML.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\CAPSULES.INF.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-phn.xrm-ms.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\wordEtw.man.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-BR.pak.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_ja.jar.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Office.dll.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.properties.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.ssl_1.1.0.v20140827-1444.jar.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-pl.xrm-ms.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\msipc.dll.mui.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\THMBNAIL.PNG.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.properties.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaSansDemiBold.ttf.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-pl.xrm-ms.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\THMBNAIL.PNG.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-filesystem-l1-1-0.dll.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\rjmx.jar.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_ja.jar.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\security\US_export_policy.jar.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Slice.thmx.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\PREVIEW.GIF.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-pl.xrm-ms.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-80.png.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.png.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ul-oob.xrm-ms.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\Keywords.HxK.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\default.jfc.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_ja.jar.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLINTL32.DLL.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ODATACPP.DLL.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\BREEZE.ELM.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_zh_CN.jar.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.tlb.exe	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 4664	1996	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe	85
PID 1996 wrote to memory of 4664	1996	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe	85
PID 1996 wrote to memory of 4664	1996	2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe	85

C:\Users\Admin\AppData\Local\Temp\2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_16f9bd46e47e0368af2fc86153ca7cf1_ryuk_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3027552071-446050021-1254071215-1000\desktop.ini.exe

Filesize
3.4MB

MD5
50b201413f6163fd073a1e160a51cefa

SHA1
79a7e4e3027d96240fff7cdcad7cd0463927fe97

SHA256
5d42560d4174c7bd10e28ca7108c1f9ce8a2adb13d2e61810e10d8b8386f9b43

SHA512
f4f687b6b5f81b42a9c3ae30641fe506758921362fcdad3b45b0990cd19e493fbd4a1a9d8216eaa3dcce6c1d8ab38b259ab9b17da6268acde5b3f8a34cecd369

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9c0e10433861f5ce472109e490dd4886

SHA1
12fc817e56d02c7809563dd119c740085d9f78be

SHA256
f7a2b31d4e20294fb6fcccdc33f13f32509e43f0d1ca87bd6ee3ee4b4bcd57e5

SHA512
437de30aaeff5444683878ba67180774e581124953cca03da5abc2677b798736f55c7516ce55d3c5ea230d4fde1c8fd18d7b5a505151226abace034fe1e5c153

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3678f03837e859fdea04e53e6cf85f73

SHA1
f74630a62b1faa25247dfa7988e667a993045c54

SHA256
b043fa1a9055174d17fd219530ae84f5107d69d70bcc79978198cab762728cdb

SHA512
e0bdce275bd8306f75f6eae39848be66816d9443b778ee65f462b3d8655bc4812e260f97d806e8aab07519c5c77b55ad99f09ffff46f6d2726c454787e11e051

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
09c434c131669c3f206ec7ee3080cb89

SHA1
4d472676b1fa8dd27cb3d76753f232b76c6b6baa

SHA256
24ef90d35d37f18484a507c1b903456a61c7c3d4c91007a46d9965aca2feee16

SHA512
94bb6aa71cfd72cebadf20c2fffca460e3ee6114e7194ea2a52c429842d01a24243f136fb4a67f120dcf8ffafd8a7d861d16091d77a11a11e6c7d98a8c3781eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7650ddd49c22c81d91b15515bd25ec1c

SHA1
ecd24ddb2dd11b7b3a6d17e9998afb827cd9e72d

SHA256
62d8bb5341ec7a30fd0e8d9759c0d64ebe34ddb95d653667b2864d63739b80de

SHA512
45f259fb0d6de5c1c4efff404017e708611274c89db776a81a766999711bdd868945b1b6f38e2611dee8dd219ac1cd27fd42159905ab9bbc66db3b4bd3c0efca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
caff838bd4fc7326bfd6c3e160a768f9

SHA1
77e5c5b05be5bba80f1bbacb6f9267a47069730d

SHA256
6778c0a21919a5b6c730d860ca90c5a76f062c40cee46cc99f105682958d299b

SHA512
3ab958a8ae6c6525fa11aa95ece5f9bbe15287c8a53e3fe5511634bffe6d364c855cc249a33fd97bace52f5bc35b366243d8e166bc64cc7b1225f3d7f8fe7f0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0e7d105ea5d162801dafaa61a7eb4e98

SHA1
9b4367fb79b2713e31b2c2de8202161934451ee6

SHA256
6cdec29c6eddc003e1d92ed5fd288d3eda0670947fd38f08a4a0d73715d3eaaa

SHA512
f825a32a0512f101db99dbdb50209645dc8d9d48744e8da191ddf477d7e854056f8e9f1264e58770162c5d3016c18c7e171e46466e9235c4764f12cf975400e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e790a7cff8d19f27978a8e4b900139be

SHA1
e96486cc13add04a3a4cef110b71553405043b32

SHA256
50df4f7e9691a904d70be89863251dd52ee2a301ad8049fe34f0b96409635956

SHA512
88d3a6cf0641e7210ea17d9fa0852264728eb0f0eada738e80206749acb1a238094ced91c834f3e1c3e2a91629630a3f49cd7b5c473097db0c611298165712e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
df07a4ef7b5e97b199895f0049f143d2

SHA1
ac3a22e0d7941f97ed9f83a5bad7af327f40b19a

SHA256
c0e41434b1714d048d63a1178f4cab7050fc1a3caafaecda5499959ed63a1911

SHA512
0831288b3190fa2fc42ef741aac4a214df6505b42f5084224d5f03a7170b0b31ad73df3ae1786d112b92f660cee78ddb7db3616dc9bd14b51627c3574ec81425

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
46884c2e722603c949b1469e946dbe4d

SHA1
64462b65aafd1c6d2719ea14540364805fb13d29

SHA256
734e93e7a6ee778550b3cd9208cca939763ae378ebca617e25296c34671b0721

SHA512
969cb6919251a0dc04ada0c8f04b5f8f3d26136768104050bc3383780ed623048e03eec93b19db72d2f08a3532082359bb3b4c5770983414d120956b7dfa3338

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1ea47888f87e5be6ce3acbe94f2f47a5

SHA1
aa59463ce84250a2e9a13167739f5bd17deb0bcc

SHA256
705e3005341e30b7347fec3d75661592ea9ce8808a18159cbb1fabda636c5c61

SHA512
6977fbe3bf2c84ac5f7a00e42ff7aa20bdd14ad887963353b9504982c1d8ea07fbf7fbcf9b765ce01f02a36ee12b3a0450d6d2e830e0c2dd0f7201872283c12c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
cd881b47ae297cc193ce4a566748d5d9

SHA1
595988a80403a0466c9d19efbcf57f794a3f12a6

SHA256
dada4058990441c29ceae08dd7c39cb19bf05f641806ffb1a865b0a8d008f33a

SHA512
883bc759beed52c8c5eab3270cfc6f77447e5592f0a740819c20c42e94de9eb4c4671610429086f45acbb64533c41d6bd39c47c269d28a721307dec90c1e0ac4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
cdcf612e2eb9a80d8e5f0929b375d82e

SHA1
71591921d00af31b88222484424e2afb9df685d1

SHA256
e7595e6a0dd07071e472dc94e09f0c25deffd3e2cd54d70dbe66f6e222c20c91

SHA512
46ef9bbcdf0784a9ea1525d8700d9c64aeaaf37aff790c8702da7b011e5c0428b8a8511ba9678ec8d6b0336bccd37b3ae4292edaa0ec27547dd46d9c99663993

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
34cca6094754febd4ac3d5a0fead2e5d

SHA1
0c83d976be869d84b679c16f372f80799384a539

SHA256
196af5f178efb782742ac6aca37d305455afabb5994d36a021843f633b8bdc39

SHA512
5455cf18ea0fd0c1af11e8e087d33c6cf28a97921ed402b81d72c13eab6d03a9c251ee2bd77bb0309cf4a1cdbc9775faa1209e30311c475f1b9ab58928e3a74a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
78fe442d9bf74c0f448973a363becece

SHA1
74afa22d26b1e937094ce8a8e79420650bd1f1b8

SHA256
0e053438242cb953b353bfaffadc2fbafa189ac80261e7f79437cd37d6973ab9

SHA512
77ab45db6f4c0fdd6713f88c83dcfc89443bd84302baeb31312a6ca186a0086d5e8ad7c3abb80eea58d538426531dcd559e379e861d9641ebb19da2af17b7fd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
30855c34f4b04b23ffff2de1ffd6728c

SHA1
ce9f8bef8ccf87e641ee32e462f4a4f68553a9d2

SHA256
da7188959f3e66597495c82fb06fdf8945f273fc4ff00ba5c5ac633e103b01e9

SHA512
7928c9914af5f4cd64a41355a8ea65235cc7c1fe89793971ed1ee093c4f714fa10664f8c8fc70e32cce69a75764f34cc4a9d34c84c66e4065bbb9ec8e8c824e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
94d7cd23edcf63e47599fcb4e5dc4a46

SHA1
304f698af62209952bc82efd7df32853f0faa1cb

SHA256
0a0ae14780edea14749d9dfc33af3adb2c6cc8c1c4a29e05846ba3b22c92221a

SHA512
972689482eb90982fcdf1eb4a847c659d41c364d920b780acacf91fc1d95987c62205a8dd936dd62a7469afa24a67ecb8ef48287ae8a536ac041a4cbed7f9874

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b586d064714b9bbd8f4bc617548431c3

SHA1
eec05b66ac058a16d5600ffde3798caeea0d6546

SHA256
8bf883245b1f948f87817a1319e582aec23e947777cf6e208d0de1531110700f

SHA512
d517f23c0c00cf16acacb2e370ac1ff0ba2a725c4dc6098f1df7dff3160c115ae4ed6cab0e0e62bbb0d84572b7f7114e20bb3d6496d85bb7350bf2d941318349

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
543d22c2ac8606b77a53668f090102a7

SHA1
90adb973807011647a13ed042a459bf845ed6dd5

SHA256
be2124c5dd2957359bc8ea372cdd312dd561a42a41e7064002f817af6292f22b

SHA512
25197c208bc2af3f9e644bddbeb8e265d5cdd61ba700f1c6170d06b54f470473c8d64bd22c28938166e90d66e366f51316664621a3285b7fc434dd0a70bf4866

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
4050856f3af332770bb1b20b47271b28

SHA1
15e61c9498f2fac04e3333ee022fcfd8e915479c

SHA256
9e4608bd8388f6b29149ee760a91669b13a6547ed7e4653dda0dd59e6304edb0

SHA512
e2100fe03c84f200c83464e7463d93021788f87b0ecaae5f52bdd1c714c8f0e773c1481cfef7c4b703f85791aaeb5ff8dd2664f770a07d1d3b8f656b01ad7495

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b4d76067feecad88bd8c0538ddb5492f

SHA1
2c0be5cc4bb9a3d913479ec4f4213c6659f0e30f

SHA256
007cc567f68963765a58a3f47eef6f008b4f5aaea29329356878d84787f49518

SHA512
f5953adc4926fc721f8bd95f1192dac3ccc97e70cd62c6ecf624500e268dfd5f5f1dd8f07b635cf1cead2962ab4eb0eb54515012e42a0266276cf3b5922d1e4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
be11c36559cbd1c04790293058493a37

SHA1
ba773c72746cf5ec0a3cd4529433cf30b2dae296

SHA256
4c42ab2d736c2e5f56ba60fe35a7c6c071681582436d27988a17b85908913d14

SHA512
f81977403d58604a825f987128c983f47f025fcac1fc82193db881f8620e9d99255374092364d35749daec2193a8047d3f6ce1a1c185f02806984ef9e9b325c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
afe09c9d02fc1fd66ddc3b07a71a3141

SHA1
867fb791258db4d124a9339df48e5b299a0b1713

SHA256
012ffa51522daee781dbb6d13da812a11bb968f61dd8f0eb9fa87961bc8de650

SHA512
db5fd7d060d069064d41a736cf7070a6198163dcc2a2427a2eec0a00becaeb7ef14cd72a115c3ad5171323158a2250695932e286b83b3ad0c225b4d9406edf4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
7201388aef43f99295a3b3579ec6b275

SHA1
7e72d6e4f86184669f2541e111eccc0780f7928a

SHA256
6e4d3c8dbec38c473b2bf71fca3355707249d3069d68541e4edc29157c6c4452

SHA512
339fef63aebde47ab05e8a4f153a30ccb791b9e31467435b5a1f65edfc9904f5b46d7a269c3b82c96cc2432588cb587e7c2ec87d0f07308938c6fd913eef50eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
aceb021464904ce67b0ad27c2fcf7435

SHA1
4a74fde2fabf360d8ec724a4ce595b9f17830e66

SHA256
6f6a1b370128e1aa3b708b5755d5a2dbced01bad113c933edf520b2a76f07bdd

SHA512
e5fb0327e360009fb391cf6fb1605ce8fe8ba458a2f40504ac4f2cf395a9faf0b3ae64dca0d861e01ef214c113786e128dbf86e8892908fd7df2fbaed2e66a16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
6c8c1b0e5511ca57c6b6cb9c449a0ca0

SHA1
8a4635adeeb5239ee3d86155bbd8864d37944ea3

SHA256
b75da207bef0d23e9b563efb15d236bbabcb09ff6a1ee8bdba1b3c8140a3cb9a

SHA512
4f7ce7ccb0a2feb43d677a5a3ad7d534285624d8a23b6548c0dfebf7b63d83ccbf96bcba76a9add011180ab7b7aacdfec8d7eeb5b1dc7aaea1ed8129c5d2689d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
513e543dff41367a8134e98df7694934

SHA1
17188082d6528731e2e7f586d21cb111c37e996c

SHA256
456fb0f2e17783e1a481f19e34a6ed9e87890e696a6454e0142da6b9ccd5c5e3

SHA512
c6e0a5079314bddcfc8fecd3704e651867480b5bd57e17efc77b7240056b9fcc8915d9ec50a9b16260ca73018b152263044324adcae95e113906a8dfe3667b26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
897538dbef2b014d3c6eed47cbc0d496

SHA1
d12f1e228ae524538964af7ad1f5ab1b74d01aac

SHA256
db5ab4a44b6116723fc39602aab43d445ac0c67a9d80b7da1c8a1dfae783827b

SHA512
a0d644e7e50d4437a0900bdc8fa13276ed533711836bdf22dd4b199a44903437176d3f8d1995a249cc098fc65103ff39e8551985409c71c4e7ee0745703be004

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
12fe16773c54ea5af92e753acd0ba5c0

SHA1
bf0d165419b7af17829ebe6b02069ec672561ac0

SHA256
f5823682fef4190581020a5c1aa0f16463830cb932e9c233e35ba4fef7bf07d5

SHA512
c6615bf5471d97cf74dfcebb2f47b060d5b8efdde83531c4c0be09aff68038b75c7929d5fc91674fe1e4e64581c6904daa85df9de55089af4352f4641e66f43b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
bf9babd96e298a293453378d4e892485

SHA1
eaeeca63318339e10bbbdebec46d4f03cc44570d

SHA256
fe9d347111990594091e09f767e73b832ca50c9410416ff54d650e2b010ec543

SHA512
77025113ae3c00e04c8b282b1746f7210138d63c267c789c6d952dbe6f7f572b9c084c67c5e31c123a259af3d3d2ef5c5d3ea4bd1c31a2154832aba34bd02ae7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c704ad7f9a85aa149bc67d746a723ef

SHA1
b07b84b5674bba8c2ffe70a24f9b1f871e92e311

SHA256
96292c97388641960a4227511202cd64829f50a9bf55b4430259702c1295360a

SHA512
c2dfdf9cb5328feccc7d80534776558a6031415179f9183d8bbb22cba5f68a9f3acbb8ca4b4b91bfafa530e0af040ce7d97ad3e01ec221fb9943a6cb7fb41700

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
039b6c721348771eeca1a9d07ddb449e

SHA1
646458bab16d244f1293f3d9649f1d44ec18a31c

SHA256
e887331b615f3ad73beb4864d952d214654a0029d4adb624008a7ebf8cb6894b

SHA512
5d723096085ef59e506442207f99421517022cfb9693eb0c8812543c0b2e71454f9242302c9cf374ffb62766e67401efa81376460193111a33d0b50ade5ade1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5a37bed8a7010c9d43c5519227cd7461

SHA1
da9e7593dce104f2e4873f58afb6d7ead2a7a3d5

SHA256
542cb35e2dff14fd65bf4f10e3961212c05d63003c8a29e095ee4b822c88ecb3

SHA512
b162511945f5261bd93089548c2c92207060b547bee14e0bbd69a266ad338487dc89700f4b2544a467cc78003a434029906953325d53cb36e5d198d4378dda40

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d8a2c2c865fe630e32961a72d6395fc0

SHA1
bcf79d56e0b2e2dbb38928940d9311e0133f6ae0

SHA256
788d8e4afb9c3c71f45ec3755092f1e4ddb3a2672b4801983403cfbee087ae88

SHA512
69cfc42ce037e365e11977c57ba0032e3fc0ed7d7acde20b830579317d52972173199a6c7fddc5b58a55d34ed0af6ef8978d50e6deb4f51c0f1273f01fc677a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2b8f44e9dc44c183f5b81de6fed84a7f

SHA1
51c99de9e82e4cb442940f4b714359c76d2845fa

SHA256
c8816ba49be0609b7e6971ce10c2e8994c272c6fad39f992cf18bfc1cd417a30

SHA512
59af1c4f41c4d17393d8fa4d9e12e91546a9e9825b500e90c5c0194933f69d62a74ed686402889e59f6ab8536240e829e1bd5bf4cf27e8170e993ac4822119e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
381cff11714fbd0ae667b53b735a151a

SHA1
1144093ad8e5c40d856117ab4e115766403b6d0e

SHA256
c725cd50e98a38fe2c1645e9e0ae8c93c32ed8daee23ebc29b69e5eeff43c8bb

SHA512
c4c95565b711ba1ee2e35d312ad2c1b25c7b1539dcb92ffe806bc82ea63cef85938a2b06badd8235a6df92a0db21c00ed86cd72eb6f9e40f2f7a9ee1c061ee17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
030a1e761dd9b16b2663025228fc92ae

SHA1
ddd1d62374670ddcaf490972b0bcacc93e818939

SHA256
18298dab574507038745977aafcd675bb40af8424bbb1371ae39bb8573e9a35f

SHA512
98c9b26f59bb7ba2ce47faa2f1d19c084a94e3dfd95b02858c96ae7aab6d2088a6529d307bea4e8b3a32745db29e738e869392cbfdd140636421ed760b21871f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
048ee86e1026d39327f6c3214c5260c6

SHA1
22a4b379deea38a3668d9678f9f04e0a13df497d

SHA256
3617916a0a4504f8286ff512bfafbcc28bfbbd37086c8f3fbdbb3fc8689cc3a5

SHA512
2508c55fca14e4b452c52fd13dcd979f97ae7face1a6bf67e473ccbb551703190e097880ed7882b573e3a13a89f16c546133fe7a8046c87b2c53180847e5f344

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c13dc2c3a10afebe0e9b30b86075c71b

SHA1
4b28a9a107012f25a6e80ed859fd8da7bce56888

SHA256
8e004e365645cb93a8e5a9e3ef291edb3c7f675a102a0804913100327b1aef82

SHA512
0450d426a2231afb028e15f1f9f91dad641c867ed119a7efd8a87aedebe67bb3dbef8f22336e37a248f866f1d5e9d62dcec4e3d65021aab63ea87ed9834c1223

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
271fbbe00847933bd2a973a54e73c6cc

SHA1
84efddaacbd08a119107dd8369201b2abf696f7a

SHA256
7c6698cec3331e8fd0df7440ea44b4f43aa1d0480968a5c594c4febcb586110a

SHA512
ec18d62bc66e13be4649f26f03f596ee303936e02ea041abc877ceb255b1fa51b108d38a02a5edcea88c202f3e67e2e53ee8819b93fc5bf6b3e68d255f9eed0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f5343e4254fab91931f8a5cb0bdcc1e9

SHA1
58d7b4377b5ddbf27b665511b16af1040171808d

SHA256
825721e55b38848c979debb36a143345c79a244d881e278c29312f7d055bc3c7

SHA512
48691056f1602c8824210f3a5834321ec7e30b6d2a1c4ecdc2ac3712e259b98d4dbf5269fc7f611b4c23faaf9aca3610b91d0ea415d3a320ede5f8064305ab1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
434874d619a4575118d9cdbaa1200e5d

SHA1
525b0874a4b8462ecdf17f47613ce255e0646e9b

SHA256
e308c3522eb6c22540f1ac499dc9bad09f1dade9a8490b1fcb0b7a7ef7b47f8c

SHA512
5ff6a9363353bae6496165b1b8a3b0478f80980d6a5212f2f106d5d74534012f8cea575585b70705d87d347b676e6093bb9280c74b74fc7c635bef17b8622740

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e0795d108c4e1fc81a2e5c25ad4888e8

SHA1
13f6e222c0634c19167a73b33c95518b9d347719

SHA256
2f1eb60b5a6fe0ca5b1f1aed50319edd22851d4ea318a0c6c18914699298dd41

SHA512
955c1dc990f4d022fba086b4458160f5d754765297670fa20a610412a242eea1034d54df6346cb3b12c5d0afe7ea71cc9b1bcb5a4fe28ce7828ec53fc34c4b81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
28c563e4a142c7753b4efdfe44a762fd

SHA1
941c6f969541bbced3dbd3a188af66231898e65e

SHA256
ada8ca2f71ca99e49ba203306daef22dd4e5d4c674fea032ef1937f7415ae975

SHA512
76fc82d9754d0313f0cf800332f44af5e70764af92ce6acb619ee74410ffe425ad88bc322520ce1fa7ec2e328f9d867a0669e24fba0120d187aa7a74d508d320

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5e2ae1ea40657aa689a1041bc45ece5e

SHA1
22f86324e2bd64f898fc366838b92535962dcec2

SHA256
abc39b6e1dbe8c6a886af532accc1067a0b23fffa01035e8e820f97db82268dc

SHA512
3091678cacfbcdd7c0fba0fb71a0992d2e3e2965b8ed4a42dd3873af2482cf19b70804267e500b64844a5d593b371070475d33bda3c9e32d1d9645eac213c9ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
ddcc4d46e34a7229e45cd317c4bb9c05

SHA1
d39d57eeaef61c16353eb592f8ff618f804de1a5

SHA256
26502971b163d0b82107b96445da9852157eeaa86f50b556a63cf64de0290fa9

SHA512
1f84828adea3f65501b34d56281cd67c238e9c30f3948b5283e1dfa6713251d413037bb2baae1835deb1b7e3a1eb8c9756b4848188a8c088d76cd135d27e6504

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ba288cb62a331a49d2aa414296f0e563

SHA1
f28f257aba8b1a23ad4abd605c444fac65d98e24

SHA256
0b9c1356e4378c30138c989c34ad578786ef8d2359e13b36bf512c585e749243

SHA512
ea65906cfb1adad41e8cb26f6e4112cb2e04df5a94cc87601f460de15c1162d6639976089e43accd733884a2b07ccc5cdf4acba89746ebe0e10c858b570e34e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
b7cb12c57966fee467580d4ad54ab885

SHA1
18de3c28b4ee7979e4205dcce7b66ab0428c513c

SHA256
e5519ebd2e354d120de0eb9396a420a7305bed0e9c7f4cb26a3bb4c877cbbc80

SHA512
631c53f41d14930c98d6b7f2ba0ff1c7d1b3935cff94d3b6dde00f8711db905216519fa833508ed6e07a4ab17a0002e5511fd73eef946f87e428e4cc4ce74a51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0de3988624af419bde4f8d3cb803175a

SHA1
6994db91c42669ef6813eb164ff54f07469dbc0e

SHA256
fa9a3cf7374a2b8e117f60984969b403858ed7fcc18af4c57d15ade5b7216c96

SHA512
425a8b0db162d9e1b7f52a0dec84e51cf720792cb718d5783b683e40658bf2eb619f8f03f4beef2b2de071bbfd5cac8bc8567eff8c12e021dfc565c57b2e75f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
5a0eada08e5d668dd2c731f6a6555c5b

SHA1
aed1509789633019c302db3306c2fe29f4e3f273

SHA256
c955f57e0cbe88543ea95525bf3bebf55162a29a0c3e6676d95d7b7bb4e0c813

SHA512
93bb7b1708962a5fe84548908ef709d045253908363e8a8fe4a2b455c94d4642f55ebd8d7e9eeee1eea5e48efa8c37a845958961a5f534ac5f54b154aa9dafb4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
776a59adb1e20f2a66ef416f40d285c4

SHA1
2db1e6502342c260f19d48466443d5b215f70960

SHA256
906b180d8ac3f688771926260f3f102bce4bf39b5f2cb1525e019bceec348938

SHA512
dea63c3e69da7971f359dbdec3ce9baa2290a94f28423d62939425f1f9d23358a8e5fcc3fafc897c45b001094f64876877b1dc69445f80d7f1cbe5d012c9cb4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
9d992e3665fe291a9b8a1849fee92f81

SHA1
0006f4adbff120e25de8ed44f96d0e7e4756e594

SHA256
4141f59e146f9d19739bbc060857d07415f60ba71a0fa73e4e19f75ac5b5bc47

SHA512
ff38c8d60f21856b1f81606b752d9ec26269d06876946ad70fda3917a977cf254fa0c54590550a4fe842cbd80b5a51761866d1ea78a208397abeee3f59344212

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
862196c018ca75972d3941cf47b3c5be

SHA1
59c41f778b215273238414a79a14bf9679bad1cf

SHA256
88a3b5146308fda90ec8f9f29fd497e353f2d4e83814d0507423870c74843a60

SHA512
bf140daaedff88e547d44e359bf7305be535a1028de9ccff17cd81af7275bfb030527c0108ee4c0484fb2173b67d8ef147262d8f17cf79a828ad72fb1db57240

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
fd6dd7577e448aa321c668f6ef615b74

SHA1
3005da08beb0e66ae09c1fd62f425f9f0d3da3ad

SHA256
1629e69230ae71fd95dee44e53cff954377bec01af80a8f0eb498ff9ace2c8d0

SHA512
3727a32d59a86ec1adfe3f93ac141bae7712c68c1845546fe66c06b014b7a6c1ed51da76009a5caf30cda1cd128e8b949b1b308e7cfcc983b1deb523f7466494

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3730bcc8b038bf2d40bcfdccb5d7d697

SHA1
b1244674bf07a212c718982b22b5967b4aa03808

SHA256
96fa063db11ab0d920a8989be9da1d840ae6e2c8be1c2fe2465f263661752917

SHA512
e7965b86069359b61c29d70a5e74c5a9bfe89de915a1f1bf667865a193bbee2490baf415fc5771dd727c5302e28f4feaf18b5d2a662a9670ecd3d40b822c6233

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
a14783031db66ef3bfa25edd86462523

SHA1
8492aab8de98a8c6607c6bc2d169327830b5ec8b

SHA256
e8b3ffdde5cf4f954a8ec1ea77613056b7b17ac89f51199dcc6630c8b16d3d13

SHA512
87c5d21d14f7a6e65d88a2aa98c23816b716749b6b8ece58059291f576094d32c73c97450a555e2a404c3db9316c32af459d024706a8dda590efa6638d3cbd3f

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
3.4MB

MD5
a91520b8218039371bda6a6dc1339ae0

SHA1
aaedeb32991d3f79787c339752c35fb58470a591

SHA256
9642af1f5d00a45e9d8f298fb210cdf5e3ed02e714caa17d27b06eed9e651e38

SHA512
f5d7cc384164af348bc8a8a300565cf55c3b0bfa64ed9f108e00de35b9493aa0591eefe2fb9bbd5e66670006fd7409570b77c6750ac92b5998fcc0947d7a54f0

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
3.4MB

MD5
a91520b8218039371bda6a6dc1339ae0

SHA1
aaedeb32991d3f79787c339752c35fb58470a591

SHA256
9642af1f5d00a45e9d8f298fb210cdf5e3ed02e714caa17d27b06eed9e651e38

SHA512
f5d7cc384164af348bc8a8a300565cf55c3b0bfa64ed9f108e00de35b9493aa0591eefe2fb9bbd5e66670006fd7409570b77c6750ac92b5998fcc0947d7a54f0

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3027552071-446050021-1254071215-1000\desktop.ini.exe

Filesize
3.4MB

MD5
a15dd69e4eda348670bf69ae16ead618

SHA1
5816b5843936572f2c2f57af02ae7f5a6793fb36

SHA256
82df3a92e482d6d8182c5fd3e1764130eee9132fce5360265ef9bdac4dfd3f95

SHA512
2316a2f2ea6ac0e0421c81e10a8fde7979a568d6432f7405e64b9a5cc310a71615020a0d2dc54f264a2110fe895c8de820003a2e3656332631c940af9ae612a4

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
3.4MB

MD5
16f9bd46e47e0368af2fc86153ca7cf1

SHA1
d949cce77a56bb9b68688e8d77f52519ed7db37d

SHA256
5ebd6fc63a9af36afe50922408496301da362bae1a9c7bd7b3306315f9dd805c

SHA512
1a1a7652273349b1a517b3fe696986c22277d375ecfead5ea3975cccf8fb6ab7df22d8a540fbecc8b1b62b117ac26f021ea32eb1eb7e4debcbef47e0f980afa2

Download Submit
memory/1996-164-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1996-220-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1996-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1996-1-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/4664-246-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4664-335-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/4664-6-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads