dfa4717bf876c2827b5ac479db3e79ccb5e66c1628372cc6f7549254828e43bb

Analysis

max time kernel
148s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
29/09/2023, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
Size

18.5MB
MD5

c9a2b1577b0c3407573e1931785c3890
SHA1

5890a6adab848976960c385b573bf6a49b52b713
SHA256

dfa4717bf876c2827b5ac479db3e79ccb5e66c1628372cc6f7549254828e43bb
SHA512

da252901be72b184ca908b0decf3a94b0065965367dad1ed622fa77df511aae494a74984eab3c6a67c2447c2caf2a38590f5bdf06ef7ff5d743fb42db9909796
SSDEEP

98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMy:9nwngnwnL

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
2952	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
2828	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
2828	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
File opened (read-only)	\??\V:	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\E:	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
File opened (read-only)	\??\G:	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\H:	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
File opened (read-only)	\??\S:	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
File opened (read-only)	\??\N:	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
File opened (read-only)	\??\Y:	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\I:	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
File opened (read-only)	\??\M:	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\A:	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\B:	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
File opened (read-only)	\??\P:	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\K:	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
File opened (read-only)	\??\X:	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\T:	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
File opened (read-only)	\??\W:	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
File opened (read-only)	\??\Z:	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\J:	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
File opened (read-only)	\??\Q:	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
File opened (read-only)	\??\U:	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\O:	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
File opened (read-only)	\??\R:	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
File opened for modification	C:\AUTORUN.INF	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2952	2828	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe	28
PID 2828 wrote to memory of 2952	2828	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe	28
PID 2828 wrote to memory of 2952	2828	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe	28
PID 2828 wrote to memory of 2952	2828	2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_c9a2b1577b0c3407573e1931785c3890_ryuk_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-86725733-3001458681-3405935542-1000\desktop.ini.exe

Filesize
18.5MB

MD5
5395cc56625db9628c754f0682ee88ea

SHA1
8269743bb4c3a6443e27aa2e34a806bffaf3d49b

SHA256
308d8f3a94c321b9774ce2f1c8bec2941e91f442f9bd49311e3f3f6ea2c1087b

SHA512
e69b2df8aef13e98200431194c2b6e92b95202776d00eb95c71faf08dec3728bee1b67b696c0fcf7862c8e54cc0b36956a275d3aa84ef3cfee3511b6bb4b8f3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
783a8810f74720bd882e33b9724b3f01

SHA1
8f1247822ca70de94f6a1413f7e8bd27c9a19aa5

SHA256
6b716712fb60c04abf11f152ffedae09bc14762cf203a004cc0d10b6b3f49230

SHA512
c588977396b1a49634d60702808cb7870b0c1178d9fdc1daf3239de1c7c90059549cd24b51c1f20bb157ed963296fff17cc2f2b9490a3142b28a00f738aece77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
783a8810f74720bd882e33b9724b3f01

SHA1
8f1247822ca70de94f6a1413f7e8bd27c9a19aa5

SHA256
6b716712fb60c04abf11f152ffedae09bc14762cf203a004cc0d10b6b3f49230

SHA512
c588977396b1a49634d60702808cb7870b0c1178d9fdc1daf3239de1c7c90059549cd24b51c1f20bb157ed963296fff17cc2f2b9490a3142b28a00f738aece77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
783a8810f74720bd882e33b9724b3f01

SHA1
8f1247822ca70de94f6a1413f7e8bd27c9a19aa5

SHA256
6b716712fb60c04abf11f152ffedae09bc14762cf203a004cc0d10b6b3f49230

SHA512
c588977396b1a49634d60702808cb7870b0c1178d9fdc1daf3239de1c7c90059549cd24b51c1f20bb157ed963296fff17cc2f2b9490a3142b28a00f738aece77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
783a8810f74720bd882e33b9724b3f01

SHA1
8f1247822ca70de94f6a1413f7e8bd27c9a19aa5

SHA256
6b716712fb60c04abf11f152ffedae09bc14762cf203a004cc0d10b6b3f49230

SHA512
c588977396b1a49634d60702808cb7870b0c1178d9fdc1daf3239de1c7c90059549cd24b51c1f20bb157ed963296fff17cc2f2b9490a3142b28a00f738aece77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
783a8810f74720bd882e33b9724b3f01

SHA1
8f1247822ca70de94f6a1413f7e8bd27c9a19aa5

SHA256
6b716712fb60c04abf11f152ffedae09bc14762cf203a004cc0d10b6b3f49230

SHA512
c588977396b1a49634d60702808cb7870b0c1178d9fdc1daf3239de1c7c90059549cd24b51c1f20bb157ed963296fff17cc2f2b9490a3142b28a00f738aece77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
783a8810f74720bd882e33b9724b3f01

SHA1
8f1247822ca70de94f6a1413f7e8bd27c9a19aa5

SHA256
6b716712fb60c04abf11f152ffedae09bc14762cf203a004cc0d10b6b3f49230

SHA512
c588977396b1a49634d60702808cb7870b0c1178d9fdc1daf3239de1c7c90059549cd24b51c1f20bb157ed963296fff17cc2f2b9490a3142b28a00f738aece77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
783a8810f74720bd882e33b9724b3f01

SHA1
8f1247822ca70de94f6a1413f7e8bd27c9a19aa5

SHA256
6b716712fb60c04abf11f152ffedae09bc14762cf203a004cc0d10b6b3f49230

SHA512
c588977396b1a49634d60702808cb7870b0c1178d9fdc1daf3239de1c7c90059549cd24b51c1f20bb157ed963296fff17cc2f2b9490a3142b28a00f738aece77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
783a8810f74720bd882e33b9724b3f01

SHA1
8f1247822ca70de94f6a1413f7e8bd27c9a19aa5

SHA256
6b716712fb60c04abf11f152ffedae09bc14762cf203a004cc0d10b6b3f49230

SHA512
c588977396b1a49634d60702808cb7870b0c1178d9fdc1daf3239de1c7c90059549cd24b51c1f20bb157ed963296fff17cc2f2b9490a3142b28a00f738aece77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
783a8810f74720bd882e33b9724b3f01

SHA1
8f1247822ca70de94f6a1413f7e8bd27c9a19aa5

SHA256
6b716712fb60c04abf11f152ffedae09bc14762cf203a004cc0d10b6b3f49230

SHA512
c588977396b1a49634d60702808cb7870b0c1178d9fdc1daf3239de1c7c90059549cd24b51c1f20bb157ed963296fff17cc2f2b9490a3142b28a00f738aece77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
783a8810f74720bd882e33b9724b3f01

SHA1
8f1247822ca70de94f6a1413f7e8bd27c9a19aa5

SHA256
6b716712fb60c04abf11f152ffedae09bc14762cf203a004cc0d10b6b3f49230

SHA512
c588977396b1a49634d60702808cb7870b0c1178d9fdc1daf3239de1c7c90059549cd24b51c1f20bb157ed963296fff17cc2f2b9490a3142b28a00f738aece77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
783a8810f74720bd882e33b9724b3f01

SHA1
8f1247822ca70de94f6a1413f7e8bd27c9a19aa5

SHA256
6b716712fb60c04abf11f152ffedae09bc14762cf203a004cc0d10b6b3f49230

SHA512
c588977396b1a49634d60702808cb7870b0c1178d9fdc1daf3239de1c7c90059549cd24b51c1f20bb157ed963296fff17cc2f2b9490a3142b28a00f738aece77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
783a8810f74720bd882e33b9724b3f01

SHA1
8f1247822ca70de94f6a1413f7e8bd27c9a19aa5

SHA256
6b716712fb60c04abf11f152ffedae09bc14762cf203a004cc0d10b6b3f49230

SHA512
c588977396b1a49634d60702808cb7870b0c1178d9fdc1daf3239de1c7c90059549cd24b51c1f20bb157ed963296fff17cc2f2b9490a3142b28a00f738aece77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
783a8810f74720bd882e33b9724b3f01

SHA1
8f1247822ca70de94f6a1413f7e8bd27c9a19aa5

SHA256
6b716712fb60c04abf11f152ffedae09bc14762cf203a004cc0d10b6b3f49230

SHA512
c588977396b1a49634d60702808cb7870b0c1178d9fdc1daf3239de1c7c90059549cd24b51c1f20bb157ed963296fff17cc2f2b9490a3142b28a00f738aece77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
783a8810f74720bd882e33b9724b3f01

SHA1
8f1247822ca70de94f6a1413f7e8bd27c9a19aa5

SHA256
6b716712fb60c04abf11f152ffedae09bc14762cf203a004cc0d10b6b3f49230

SHA512
c588977396b1a49634d60702808cb7870b0c1178d9fdc1daf3239de1c7c90059549cd24b51c1f20bb157ed963296fff17cc2f2b9490a3142b28a00f738aece77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
783a8810f74720bd882e33b9724b3f01

SHA1
8f1247822ca70de94f6a1413f7e8bd27c9a19aa5

SHA256
6b716712fb60c04abf11f152ffedae09bc14762cf203a004cc0d10b6b3f49230

SHA512
c588977396b1a49634d60702808cb7870b0c1178d9fdc1daf3239de1c7c90059549cd24b51c1f20bb157ed963296fff17cc2f2b9490a3142b28a00f738aece77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
783a8810f74720bd882e33b9724b3f01

SHA1
8f1247822ca70de94f6a1413f7e8bd27c9a19aa5

SHA256
6b716712fb60c04abf11f152ffedae09bc14762cf203a004cc0d10b6b3f49230

SHA512
c588977396b1a49634d60702808cb7870b0c1178d9fdc1daf3239de1c7c90059549cd24b51c1f20bb157ed963296fff17cc2f2b9490a3142b28a00f738aece77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
783a8810f74720bd882e33b9724b3f01

SHA1
8f1247822ca70de94f6a1413f7e8bd27c9a19aa5

SHA256
6b716712fb60c04abf11f152ffedae09bc14762cf203a004cc0d10b6b3f49230

SHA512
c588977396b1a49634d60702808cb7870b0c1178d9fdc1daf3239de1c7c90059549cd24b51c1f20bb157ed963296fff17cc2f2b9490a3142b28a00f738aece77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
783a8810f74720bd882e33b9724b3f01

SHA1
8f1247822ca70de94f6a1413f7e8bd27c9a19aa5

SHA256
6b716712fb60c04abf11f152ffedae09bc14762cf203a004cc0d10b6b3f49230

SHA512
c588977396b1a49634d60702808cb7870b0c1178d9fdc1daf3239de1c7c90059549cd24b51c1f20bb157ed963296fff17cc2f2b9490a3142b28a00f738aece77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
783a8810f74720bd882e33b9724b3f01

SHA1
8f1247822ca70de94f6a1413f7e8bd27c9a19aa5

SHA256
6b716712fb60c04abf11f152ffedae09bc14762cf203a004cc0d10b6b3f49230

SHA512
c588977396b1a49634d60702808cb7870b0c1178d9fdc1daf3239de1c7c90059549cd24b51c1f20bb157ed963296fff17cc2f2b9490a3142b28a00f738aece77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f75937082f034c89a00577488bace911

SHA1
ab17124ac7c167a343261a12bf129396c01edd59

SHA256
c2f61f095f3de08620d23992cb53ec8db560b95d9eaf6443ee8318858da85a12

SHA512
80e7bfc95949fbe1e1a5dab1c805d35fce060a1c5c7bcb17d45fae890002636522e76eaea7537393ac5b5afcaefa08b4545ffbcad269f05a4cd7198561fceb97

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
18.5MB

MD5
025994e09bf83105f44f42d228a46085

SHA1
4a0fe4730931cd7491486093df9480fe4b8596bc

SHA256
81634bf653d51929e5783b423a7dc0593d583bc2946c47a276788e355801097e

SHA512
8245991c5771c04851e861a2c6a4774d1c4729a56d3a7ac0fde2374582a94b9352de5ebdfc317abab8f9b8a41cba5144a3e802d6c0db338ca00b68cec631f1a5

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
18.5MB

MD5
025994e09bf83105f44f42d228a46085

SHA1
4a0fe4730931cd7491486093df9480fe4b8596bc

SHA256
81634bf653d51929e5783b423a7dc0593d583bc2946c47a276788e355801097e

SHA512
8245991c5771c04851e861a2c6a4774d1c4729a56d3a7ac0fde2374582a94b9352de5ebdfc317abab8f9b8a41cba5144a3e802d6c0db338ca00b68cec631f1a5

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
18.5MB

MD5
025994e09bf83105f44f42d228a46085

SHA1
4a0fe4730931cd7491486093df9480fe4b8596bc

SHA256
81634bf653d51929e5783b423a7dc0593d583bc2946c47a276788e355801097e

SHA512
8245991c5771c04851e861a2c6a4774d1c4729a56d3a7ac0fde2374582a94b9352de5ebdfc317abab8f9b8a41cba5144a3e802d6c0db338ca00b68cec631f1a5

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
18.5MB

MD5
c9a2b1577b0c3407573e1931785c3890

SHA1
5890a6adab848976960c385b573bf6a49b52b713

SHA256
dfa4717bf876c2827b5ac479db3e79ccb5e66c1628372cc6f7549254828e43bb

SHA512
da252901be72b184ca908b0decf3a94b0065965367dad1ed622fa77df511aae494a74984eab3c6a67c2447c2caf2a38590f5bdf06ef7ff5d743fb42db9909796

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
18.5MB

MD5
025994e09bf83105f44f42d228a46085

SHA1
4a0fe4730931cd7491486093df9480fe4b8596bc

SHA256
81634bf653d51929e5783b423a7dc0593d583bc2946c47a276788e355801097e

SHA512
8245991c5771c04851e861a2c6a4774d1c4729a56d3a7ac0fde2374582a94b9352de5ebdfc317abab8f9b8a41cba5144a3e802d6c0db338ca00b68cec631f1a5

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
18.5MB

MD5
025994e09bf83105f44f42d228a46085

SHA1
4a0fe4730931cd7491486093df9480fe4b8596bc

SHA256
81634bf653d51929e5783b423a7dc0593d583bc2946c47a276788e355801097e

SHA512
8245991c5771c04851e861a2c6a4774d1c4729a56d3a7ac0fde2374582a94b9352de5ebdfc317abab8f9b8a41cba5144a3e802d6c0db338ca00b68cec631f1a5

Download Submit
memory/2828-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2828-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2828-10-0x0000000001E70000-0x0000000001EEB000-memory.dmp

Filesize
492KB

Download
memory/2828-52-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2828-59-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2828-69-0x0000000001E70000-0x0000000001EEB000-memory.dmp

Filesize
492KB

Download
memory/2952-11-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2952-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2952-72-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads