df03376691e234157541c57b8cea634eeebd1e977c31230c4dada5c3fafa2b4f

Analysis

max time kernel
148s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02/10/2023, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
Size

20.8MB
MD5

66c766d6eb6d4b35cf5d4629ea86c046
SHA1

15d061b62aa02a288e3f6cdcfee189358d390aa3
SHA256

df03376691e234157541c57b8cea634eeebd1e977c31230c4dada5c3fafa2b4f
SHA512

61995e741c4fc6ec1a4c4cc59c0ffa2c2a4acf0fe735233a185929ed81dd1dfb9dbe8d4e691325a34e98e020142f6579cc4161e83b40227f6ff86b3de52d8c07
SSDEEP

98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMe:9nwngnwnBRn

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
1980	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
2164	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
2164	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\P:	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
File opened (read-only)	\??\Q:	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
File opened (read-only)	\??\R:	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
File opened (read-only)	\??\T:	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
File opened (read-only)	\??\V:	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\Z:	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\A:	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
File opened (read-only)	\??\B:	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
File opened (read-only)	\??\G:	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
File opened (read-only)	\??\K:	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
File opened (read-only)	\??\M:	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
File opened (read-only)	\??\Y:	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\L:	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
File opened (read-only)	\??\S:	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
File opened (read-only)	\??\W:	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\I:	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
File opened (read-only)	\??\U:	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\J:	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
File opened (read-only)	\??\X:	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\E:	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
File opened (read-only)	\??\H:	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
File opened (read-only)	\??\N:	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 1980	2164	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe	29
PID 2164 wrote to memory of 1980	2164	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe	29
PID 2164 wrote to memory of 1980	2164	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe	29
PID 2164 wrote to memory of 1980	2164	2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe	29

C:\Users\Admin\AppData\Local\Temp\2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-27_66c766d6eb6d4b35cf5d4629ea86c046_ryuk_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3513876443-2771975297-1923446376-1000\desktop.ini.exe

Filesize
20.8MB

MD5
28c05c8f81fbcf7d66ffef868f83ac3c

SHA1
498c799dbb94d6a8ae30b9822af607f18c1ef8ea

SHA256
d13628d2c7f3653ef8e9055269b330b20c0c1d6dd5e592bb70430289d91f53fd

SHA512
2b7c2777b519c8277973cc7d2f65c590bb86e3f9ff7ddfe9e136aa66b2e1531b51cbd7a93422ff89a62e5a8164898df8ba0f095ecba4bf962a222109b6dd1b7b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d564939965ffd76d0a9df5d4b5652e79

SHA1
d37cb3e11ceb40a0d980460026f4da2ad72df321

SHA256
0c076c8824343bc5c855d164e2c982f6795379dbb22ef77c2fa446446eae46b4

SHA512
9b9d7be456d725eb446aa0f23ccacd832b9fd884e2c25ca24431eb859244e366a4012f31d10e4bbb84d03efd36e10650b02f4ca583553643bd945bfd384e168a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d564939965ffd76d0a9df5d4b5652e79

SHA1
d37cb3e11ceb40a0d980460026f4da2ad72df321

SHA256
0c076c8824343bc5c855d164e2c982f6795379dbb22ef77c2fa446446eae46b4

SHA512
9b9d7be456d725eb446aa0f23ccacd832b9fd884e2c25ca24431eb859244e366a4012f31d10e4bbb84d03efd36e10650b02f4ca583553643bd945bfd384e168a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d564939965ffd76d0a9df5d4b5652e79

SHA1
d37cb3e11ceb40a0d980460026f4da2ad72df321

SHA256
0c076c8824343bc5c855d164e2c982f6795379dbb22ef77c2fa446446eae46b4

SHA512
9b9d7be456d725eb446aa0f23ccacd832b9fd884e2c25ca24431eb859244e366a4012f31d10e4bbb84d03efd36e10650b02f4ca583553643bd945bfd384e168a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2d8603c5722986b63ab4034d4ffae388

SHA1
b4bab3bec4d3772bcfc205d15103c8aabc5d7793

SHA256
7d61efa777417487ea34c901f0a12d5f347f831ebceb94d23c8369fd101b425d

SHA512
5d6f524b8a73d6e94d81be4d50f1f373323465851237eea54a1473e168f143262dcc51beefb1b0e40a7fc230c422ae905470223c28b6f3192f3f8ed64c36e9a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2d8603c5722986b63ab4034d4ffae388

SHA1
b4bab3bec4d3772bcfc205d15103c8aabc5d7793

SHA256
7d61efa777417487ea34c901f0a12d5f347f831ebceb94d23c8369fd101b425d

SHA512
5d6f524b8a73d6e94d81be4d50f1f373323465851237eea54a1473e168f143262dcc51beefb1b0e40a7fc230c422ae905470223c28b6f3192f3f8ed64c36e9a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d564939965ffd76d0a9df5d4b5652e79

SHA1
d37cb3e11ceb40a0d980460026f4da2ad72df321

SHA256
0c076c8824343bc5c855d164e2c982f6795379dbb22ef77c2fa446446eae46b4

SHA512
9b9d7be456d725eb446aa0f23ccacd832b9fd884e2c25ca24431eb859244e366a4012f31d10e4bbb84d03efd36e10650b02f4ca583553643bd945bfd384e168a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2d8603c5722986b63ab4034d4ffae388

SHA1
b4bab3bec4d3772bcfc205d15103c8aabc5d7793

SHA256
7d61efa777417487ea34c901f0a12d5f347f831ebceb94d23c8369fd101b425d

SHA512
5d6f524b8a73d6e94d81be4d50f1f373323465851237eea54a1473e168f143262dcc51beefb1b0e40a7fc230c422ae905470223c28b6f3192f3f8ed64c36e9a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d564939965ffd76d0a9df5d4b5652e79

SHA1
d37cb3e11ceb40a0d980460026f4da2ad72df321

SHA256
0c076c8824343bc5c855d164e2c982f6795379dbb22ef77c2fa446446eae46b4

SHA512
9b9d7be456d725eb446aa0f23ccacd832b9fd884e2c25ca24431eb859244e366a4012f31d10e4bbb84d03efd36e10650b02f4ca583553643bd945bfd384e168a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2d8603c5722986b63ab4034d4ffae388

SHA1
b4bab3bec4d3772bcfc205d15103c8aabc5d7793

SHA256
7d61efa777417487ea34c901f0a12d5f347f831ebceb94d23c8369fd101b425d

SHA512
5d6f524b8a73d6e94d81be4d50f1f373323465851237eea54a1473e168f143262dcc51beefb1b0e40a7fc230c422ae905470223c28b6f3192f3f8ed64c36e9a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d564939965ffd76d0a9df5d4b5652e79

SHA1
d37cb3e11ceb40a0d980460026f4da2ad72df321

SHA256
0c076c8824343bc5c855d164e2c982f6795379dbb22ef77c2fa446446eae46b4

SHA512
9b9d7be456d725eb446aa0f23ccacd832b9fd884e2c25ca24431eb859244e366a4012f31d10e4bbb84d03efd36e10650b02f4ca583553643bd945bfd384e168a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2d8603c5722986b63ab4034d4ffae388

SHA1
b4bab3bec4d3772bcfc205d15103c8aabc5d7793

SHA256
7d61efa777417487ea34c901f0a12d5f347f831ebceb94d23c8369fd101b425d

SHA512
5d6f524b8a73d6e94d81be4d50f1f373323465851237eea54a1473e168f143262dcc51beefb1b0e40a7fc230c422ae905470223c28b6f3192f3f8ed64c36e9a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d564939965ffd76d0a9df5d4b5652e79

SHA1
d37cb3e11ceb40a0d980460026f4da2ad72df321

SHA256
0c076c8824343bc5c855d164e2c982f6795379dbb22ef77c2fa446446eae46b4

SHA512
9b9d7be456d725eb446aa0f23ccacd832b9fd884e2c25ca24431eb859244e366a4012f31d10e4bbb84d03efd36e10650b02f4ca583553643bd945bfd384e168a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2d8603c5722986b63ab4034d4ffae388

SHA1
b4bab3bec4d3772bcfc205d15103c8aabc5d7793

SHA256
7d61efa777417487ea34c901f0a12d5f347f831ebceb94d23c8369fd101b425d

SHA512
5d6f524b8a73d6e94d81be4d50f1f373323465851237eea54a1473e168f143262dcc51beefb1b0e40a7fc230c422ae905470223c28b6f3192f3f8ed64c36e9a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d564939965ffd76d0a9df5d4b5652e79

SHA1
d37cb3e11ceb40a0d980460026f4da2ad72df321

SHA256
0c076c8824343bc5c855d164e2c982f6795379dbb22ef77c2fa446446eae46b4

SHA512
9b9d7be456d725eb446aa0f23ccacd832b9fd884e2c25ca24431eb859244e366a4012f31d10e4bbb84d03efd36e10650b02f4ca583553643bd945bfd384e168a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2d8603c5722986b63ab4034d4ffae388

SHA1
b4bab3bec4d3772bcfc205d15103c8aabc5d7793

SHA256
7d61efa777417487ea34c901f0a12d5f347f831ebceb94d23c8369fd101b425d

SHA512
5d6f524b8a73d6e94d81be4d50f1f373323465851237eea54a1473e168f143262dcc51beefb1b0e40a7fc230c422ae905470223c28b6f3192f3f8ed64c36e9a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2d8603c5722986b63ab4034d4ffae388

SHA1
b4bab3bec4d3772bcfc205d15103c8aabc5d7793

SHA256
7d61efa777417487ea34c901f0a12d5f347f831ebceb94d23c8369fd101b425d

SHA512
5d6f524b8a73d6e94d81be4d50f1f373323465851237eea54a1473e168f143262dcc51beefb1b0e40a7fc230c422ae905470223c28b6f3192f3f8ed64c36e9a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d564939965ffd76d0a9df5d4b5652e79

SHA1
d37cb3e11ceb40a0d980460026f4da2ad72df321

SHA256
0c076c8824343bc5c855d164e2c982f6795379dbb22ef77c2fa446446eae46b4

SHA512
9b9d7be456d725eb446aa0f23ccacd832b9fd884e2c25ca24431eb859244e366a4012f31d10e4bbb84d03efd36e10650b02f4ca583553643bd945bfd384e168a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2d8603c5722986b63ab4034d4ffae388

SHA1
b4bab3bec4d3772bcfc205d15103c8aabc5d7793

SHA256
7d61efa777417487ea34c901f0a12d5f347f831ebceb94d23c8369fd101b425d

SHA512
5d6f524b8a73d6e94d81be4d50f1f373323465851237eea54a1473e168f143262dcc51beefb1b0e40a7fc230c422ae905470223c28b6f3192f3f8ed64c36e9a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2d8603c5722986b63ab4034d4ffae388

SHA1
b4bab3bec4d3772bcfc205d15103c8aabc5d7793

SHA256
7d61efa777417487ea34c901f0a12d5f347f831ebceb94d23c8369fd101b425d

SHA512
5d6f524b8a73d6e94d81be4d50f1f373323465851237eea54a1473e168f143262dcc51beefb1b0e40a7fc230c422ae905470223c28b6f3192f3f8ed64c36e9a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d564939965ffd76d0a9df5d4b5652e79

SHA1
d37cb3e11ceb40a0d980460026f4da2ad72df321

SHA256
0c076c8824343bc5c855d164e2c982f6795379dbb22ef77c2fa446446eae46b4

SHA512
9b9d7be456d725eb446aa0f23ccacd832b9fd884e2c25ca24431eb859244e366a4012f31d10e4bbb84d03efd36e10650b02f4ca583553643bd945bfd384e168a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2d8603c5722986b63ab4034d4ffae388

SHA1
b4bab3bec4d3772bcfc205d15103c8aabc5d7793

SHA256
7d61efa777417487ea34c901f0a12d5f347f831ebceb94d23c8369fd101b425d

SHA512
5d6f524b8a73d6e94d81be4d50f1f373323465851237eea54a1473e168f143262dcc51beefb1b0e40a7fc230c422ae905470223c28b6f3192f3f8ed64c36e9a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d564939965ffd76d0a9df5d4b5652e79

SHA1
d37cb3e11ceb40a0d980460026f4da2ad72df321

SHA256
0c076c8824343bc5c855d164e2c982f6795379dbb22ef77c2fa446446eae46b4

SHA512
9b9d7be456d725eb446aa0f23ccacd832b9fd884e2c25ca24431eb859244e366a4012f31d10e4bbb84d03efd36e10650b02f4ca583553643bd945bfd384e168a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2d8603c5722986b63ab4034d4ffae388

SHA1
b4bab3bec4d3772bcfc205d15103c8aabc5d7793

SHA256
7d61efa777417487ea34c901f0a12d5f347f831ebceb94d23c8369fd101b425d

SHA512
5d6f524b8a73d6e94d81be4d50f1f373323465851237eea54a1473e168f143262dcc51beefb1b0e40a7fc230c422ae905470223c28b6f3192f3f8ed64c36e9a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2d8603c5722986b63ab4034d4ffae388

SHA1
b4bab3bec4d3772bcfc205d15103c8aabc5d7793

SHA256
7d61efa777417487ea34c901f0a12d5f347f831ebceb94d23c8369fd101b425d

SHA512
5d6f524b8a73d6e94d81be4d50f1f373323465851237eea54a1473e168f143262dcc51beefb1b0e40a7fc230c422ae905470223c28b6f3192f3f8ed64c36e9a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d564939965ffd76d0a9df5d4b5652e79

SHA1
d37cb3e11ceb40a0d980460026f4da2ad72df321

SHA256
0c076c8824343bc5c855d164e2c982f6795379dbb22ef77c2fa446446eae46b4

SHA512
9b9d7be456d725eb446aa0f23ccacd832b9fd884e2c25ca24431eb859244e366a4012f31d10e4bbb84d03efd36e10650b02f4ca583553643bd945bfd384e168a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d564939965ffd76d0a9df5d4b5652e79

SHA1
d37cb3e11ceb40a0d980460026f4da2ad72df321

SHA256
0c076c8824343bc5c855d164e2c982f6795379dbb22ef77c2fa446446eae46b4

SHA512
9b9d7be456d725eb446aa0f23ccacd832b9fd884e2c25ca24431eb859244e366a4012f31d10e4bbb84d03efd36e10650b02f4ca583553643bd945bfd384e168a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2d8603c5722986b63ab4034d4ffae388

SHA1
b4bab3bec4d3772bcfc205d15103c8aabc5d7793

SHA256
7d61efa777417487ea34c901f0a12d5f347f831ebceb94d23c8369fd101b425d

SHA512
5d6f524b8a73d6e94d81be4d50f1f373323465851237eea54a1473e168f143262dcc51beefb1b0e40a7fc230c422ae905470223c28b6f3192f3f8ed64c36e9a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2d8603c5722986b63ab4034d4ffae388

SHA1
b4bab3bec4d3772bcfc205d15103c8aabc5d7793

SHA256
7d61efa777417487ea34c901f0a12d5f347f831ebceb94d23c8369fd101b425d

SHA512
5d6f524b8a73d6e94d81be4d50f1f373323465851237eea54a1473e168f143262dcc51beefb1b0e40a7fc230c422ae905470223c28b6f3192f3f8ed64c36e9a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d564939965ffd76d0a9df5d4b5652e79

SHA1
d37cb3e11ceb40a0d980460026f4da2ad72df321

SHA256
0c076c8824343bc5c855d164e2c982f6795379dbb22ef77c2fa446446eae46b4

SHA512
9b9d7be456d725eb446aa0f23ccacd832b9fd884e2c25ca24431eb859244e366a4012f31d10e4bbb84d03efd36e10650b02f4ca583553643bd945bfd384e168a

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
20.8MB

MD5
fc94e427e5427314b233e4b9ed784d8c

SHA1
a3f417707e33d899aa87aac5f2cf62c5d355b092

SHA256
47a9e840597aa44b46b9d150d2f80729d7b2099093cb0d7ae1ff1b634f3b9df7

SHA512
7e9c40fe18fa2a63836e713a1bc3a4631769e113919443f863ebc31d70a9a13b825ac08054bb0eb2cd4b08c24d46ac592acfe1f63cf14ffae87a8ad359e5af07

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
20.8MB

MD5
fc94e427e5427314b233e4b9ed784d8c

SHA1
a3f417707e33d899aa87aac5f2cf62c5d355b092

SHA256
47a9e840597aa44b46b9d150d2f80729d7b2099093cb0d7ae1ff1b634f3b9df7

SHA512
7e9c40fe18fa2a63836e713a1bc3a4631769e113919443f863ebc31d70a9a13b825ac08054bb0eb2cd4b08c24d46ac592acfe1f63cf14ffae87a8ad359e5af07

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
20.8MB

MD5
fc94e427e5427314b233e4b9ed784d8c

SHA1
a3f417707e33d899aa87aac5f2cf62c5d355b092

SHA256
47a9e840597aa44b46b9d150d2f80729d7b2099093cb0d7ae1ff1b634f3b9df7

SHA512
7e9c40fe18fa2a63836e713a1bc3a4631769e113919443f863ebc31d70a9a13b825ac08054bb0eb2cd4b08c24d46ac592acfe1f63cf14ffae87a8ad359e5af07

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
20.8MB

MD5
66c766d6eb6d4b35cf5d4629ea86c046

SHA1
15d061b62aa02a288e3f6cdcfee189358d390aa3

SHA256
df03376691e234157541c57b8cea634eeebd1e977c31230c4dada5c3fafa2b4f

SHA512
61995e741c4fc6ec1a4c4cc59c0ffa2c2a4acf0fe735233a185929ed81dd1dfb9dbe8d4e691325a34e98e020142f6579cc4161e83b40227f6ff86b3de52d8c07

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
20.8MB

MD5
fc94e427e5427314b233e4b9ed784d8c

SHA1
a3f417707e33d899aa87aac5f2cf62c5d355b092

SHA256
47a9e840597aa44b46b9d150d2f80729d7b2099093cb0d7ae1ff1b634f3b9df7

SHA512
7e9c40fe18fa2a63836e713a1bc3a4631769e113919443f863ebc31d70a9a13b825ac08054bb0eb2cd4b08c24d46ac592acfe1f63cf14ffae87a8ad359e5af07

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
20.8MB

MD5
fc94e427e5427314b233e4b9ed784d8c

SHA1
a3f417707e33d899aa87aac5f2cf62c5d355b092

SHA256
47a9e840597aa44b46b9d150d2f80729d7b2099093cb0d7ae1ff1b634f3b9df7

SHA512
7e9c40fe18fa2a63836e713a1bc3a4631769e113919443f863ebc31d70a9a13b825ac08054bb0eb2cd4b08c24d46ac592acfe1f63cf14ffae87a8ad359e5af07

Download Submit
memory/1980-12-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1980-14-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1980-78-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2164-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2164-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2164-4-0x0000000000480000-0x00000000004FB000-memory.dmp

Filesize
492KB

Download
memory/2164-11-0x0000000000480000-0x00000000004FB000-memory.dmp

Filesize
492KB

Download
memory/2164-54-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2164-65-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads