bc9761e636ca4473b8baa473b3158906a7b3f739abdb9c5dd78896b148cd605b

Analysis

max time kernel
200s
max time network
214s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
Size

7.8MB
MD5

ab2e25cf91ce1954b19e1004d4e3cb05
SHA1

bc848d40c299d9de88e41ddc780658eaab71a8e3
SHA256

bc9761e636ca4473b8baa473b3158906a7b3f739abdb9c5dd78896b148cd605b
SHA512

075085b6231c55b8a5fc2c8180770189f8d5d8ec95b4e811704501631450816d27347aa90184a028e4e54a9373481efa7ba60855d62ea9f81b09d0935b1b7304
SSDEEP

98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMd:9nwne

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
4632	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File opened (read-only)	\??\K:	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File opened (read-only)	\??\P:	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File opened (read-only)	\??\W:	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\L:	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\J:	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File opened (read-only)	\??\O:	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File opened (read-only)	\??\S:	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File opened (read-only)	\??\T:	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\X:	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\R:	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File opened (read-only)	\??\U:	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File opened (read-only)	\??\V:	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File opened (read-only)	\??\Y:	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\A:	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File opened (read-only)	\??\E:	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File opened (read-only)	\??\H:	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File opened (read-only)	\??\N:	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File opened (read-only)	\??\Z:	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\B:	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File opened (read-only)	\??\G:	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\M:	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File opened (read-only)	\??\Q:	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File opened for modification	C:\AUTORUN.INF	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\7-zip.chm.exe	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.exe	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File created	C:\Program Files\7-Zip\descript.ion.exe	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File created	C:\Program Files\7-Zip\History.txt.exe	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File created	C:\Program Files\7-Zip\7-zip.dll.exe	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.exe	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File created	C:\Program Files\7-Zip\7z.dll.exe	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File created	C:\Program Files\7-Zip\7z.exe.exe	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File created	C:\Program Files\7-Zip\7z.sfx.exe	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File created	C:\Program Files\7-Zip\7zFM.exe.exe	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File created	C:\Program Files\7-Zip\7zG.exe.exe	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.exe	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 4632	3060	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe	88
PID 3060 wrote to memory of 4632	3060	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe	88
PID 3060 wrote to memory of 4632	3060	2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe	88

C:\Users\Admin\AppData\Local\Temp\2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_ab2e25cf91ce1954b19e1004d4e3cb05_ryuk_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1045988481-1457812719-2617974652-1000\desktop.ini.exe

Filesize
7.8MB

MD5
a17ddd1debf645385a2021dcdb114d22

SHA1
1519348e7e874bebdb4e152e97d5e891ee6a1deb

SHA256
76e80105ee1deebe3d6a9d3cab771cf062509b4f02b6829eedd55e7fcdaea386

SHA512
6cb671d87ec58acac606bde6e9a1d56087c2d2cbe6f0317bb2720bddaac628fd604751ac04bae6a487a8a308a8542af60ed9251c112d47a486f66091223464d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
07bc2e03cb2a5cb89c5d22443d61a8ed

SHA1
3a00be4f217b513a2167e1bfbd301e12de8d3587

SHA256
c91a53ad70868bf56e7e148ab1d8b05c2ad3acca13f6a6e12716c65b0a6f082d

SHA512
341ee75fc6af2c08e482f4b92e0c93535ec31f3202fcae868372940461820a28922c310140671f9e3f29a416cd9ebe8928890138e6fd5137da211d19f7ed4f7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
c1889025cb79f52582421dbfefd13fcf

SHA1
cc78ce28d90821d70d8dba447c6c1b6798dafd4d

SHA256
b45fd61b96df1282a5b0b411a2651a49f6c5570da092f9eb84947327df5f35b0

SHA512
82cdb5a21f759439bbc95e6d3fc699932d8e98d60c48f3c1710fe93ce94d49968c183a591f4b6320b36924ace6243dc7eb58fa4991855d15b46845809e42772d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fb5afa7cdbb99ef9e7619aa3d1a083a3

SHA1
3a46e91f566cac2b49714a69ee1eed2e160f064b

SHA256
27b4a0bf186de952d23324aa6c998fe708abd7511b0e1b9bc36b38cd596058c0

SHA512
2f5e151dfe23569881051aa24318cf09416324c33c331b863c6380e4c3c6406bb59a3e3e6c5de7b6ccf75da72aa5b7eb9ccdd68a554bb48b3d6a4670b649ca86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
2096bc59390685477ebd959f4f6d0e15

SHA1
651c650cb2ad1feb1db8b89b09881bdfeef78605

SHA256
84fa53a5c23a8d323b202957bf528ccc0267a0af132ed2bdb826ff4a21808521

SHA512
24bccf9c8305bec53cd7a708f8177ef9f4d587cad4cb59f4380b4d18655cabfd1c563404036307dd59249468de4c2d87d4dc2fad45bf9697346478d3bb4b0c75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f55e8d3edd3aca7ac8aeb5f394a9fb58

SHA1
440bf835dad9a2f93875d16e4bcae738605dc2b3

SHA256
b939c3783fca1f534c25f6f5aeabea965afd9742027d4c0f8cd382e514c357c3

SHA512
7902e12c8d9d4977f75a178c301fad989139ad423a4e1e5ab92add2b986aa072ed9e6d0bdbd57dda99d3992eeafbe2d8296bca8a663c26ef2e92f27d7c9ec3f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
257a55f9cfd3d9eae88a965b9864c41c

SHA1
af8c66df41018be726fd2d6071047dfc5015253e

SHA256
806368e196923a20a5c68fc781d67d180421db8ecc0f6d34ef826747b564c4f3

SHA512
f7a88a1955d7d2447aeb6961437b9ecc0207f91f2804733aebf7f4ae4fd5e76ee61ae932e4696c8a48d86c41c2976332318efb5c5ae2350093397486b2d73c8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
ebf23da5c44627e2f730c3435d5fc3f7

SHA1
00f46b9eb73206501967dc2894b9a41d484630bf

SHA256
247537c863c63165cd01fd29cf5ab663b8df5961fe0bf7d0b7ee68a3536a8024

SHA512
65fee6857b10490749a8b55b8d8c6c18c0a122e990b7f668602e828e125fa374e929e98a107fd6b542cbbb6cf79ebe7b444271f08bbd406430f4796f625ccb8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2df066197aceb4974f566320717c6bc1

SHA1
410ccb14cf987fd487d3c9f2a3c6c9ea4a72a73a

SHA256
d45087eb677c9a54b0a2dc739ba9e9bb3fc552454087eb9250a0015cedcdb7a2

SHA512
9c9d15238ac65fd149495b4079bd88be80720ac6505ecfabb47a07f4beaf3a61bb78651ac39abb9a866f79c09cea53099bf81f74f2c490c80625032a759f686c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
83d5d2e3b3beef2537bd3c77a7fd610e

SHA1
199a6cc0116c7b0ed90fdd61c378604b9d0d6bb0

SHA256
6e468e13cff5d295c0096214ae2283b47e570cb775d1f4fd67dbb058bc48d82a

SHA512
02ed7de7dbc9807b20df1dcdcf247a082fee98bd8cb0e4cb5b42e9e6e7089ae287b65a3c5ae30fcbe050210a56185bd42be73e80aecf09484feb5362292d3f61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f5cdf6e1d8e6cbcaaf5ba822dd2314b1

SHA1
ffa3a687f7c8cacccb4b79529886b61cf0af02d6

SHA256
3d19b2cafa0068eb57e1ddbe93b1e74b68c932c6d228cd90f7df665e3c3173ce

SHA512
1f58da93d269e055c84871ee6596746f879949bdf096a38052774fd756ad4acb6c30904697447070b19e2e91bd4345725c10b1e332cbbd65f96b0d16b7dd02c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5b92f6ebe5f31795b8fb8ca786b7a844

SHA1
f47a6efe591d9214326d1c6232f17f9ddbafba36

SHA256
180ffa7d5685129e2dfd94bd4f0d9de2429506b46ae80c0f49d2499d2065dc1c

SHA512
c1451b0c33eff62ed05ae9dde719ca2eb3dbb195013cf0527d7ddc74fea8c8e844bf5bc81c68ac863fbc6f9fe6a892f0c5fbfba6e5d1a55139160b91245b51f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9248051e2da60d8a776c5b57fa84dc51

SHA1
e968cd5f6875948b5c98d230754e292957d0d3f7

SHA256
02e675fd7b3215a5fe1b161b06da2f7ddecd435ec029379c050e25f11485376e

SHA512
0bb33a5562ae67bdae890d3f3546b4f16bd078436dbdee83c40fe84e7bf72d410321b42f93221b33125e47fb85df4a472d87cbc70476f7e309ef4cf45da111b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
a27b6d9c84d0e088136140e33f54127b

SHA1
32d7bd035d19e7015f395f017a7054ca2cdf8fa0

SHA256
427486eceb8b17f332a78966cb576dfa79113fd9024ffcd2106b23f5fce39460

SHA512
177250032f7f371855b0a12c1723e56b2a709b329097a036f899999431ba3bd954636b818b160956c12c63b32cb4a294d9840159aa0abed1da20cbf234ccbc6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
670938bf4310bba08a6577913c561c47

SHA1
60d6b1a88aa02ee563dfdc93dff08b4659b7af18

SHA256
a4b7cfb4c283bc69a8a37d1f158e9c6231f591c4ea4f2b9dc0ad1a8cecdc009c

SHA512
492a3a7b6e5022f0a2243caf5208af99b5636d951b5f49fcc858aa34902cfecb7bc298a245f14f46b708ec556cf037f2b7c31f7b48345d3a4926129886ab42e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
b8581ab8aa578a9102ddd68f31131862

SHA1
b0a8efd9d27b6308e62b0bb40fc433c270e87235

SHA256
c0b07746e5179a753ce8c0d8f2c79d18658ea239d200956b15354e7464e79fbc

SHA512
f5201564a9debe6b69b729d777022575ec0af8aaf6f968eeac05d13355342231a08347b81e3524d53b4f4e15f3999c865c80933ead1ef941a05854a323d7c5d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
bd43e6e283de8c1302ae452958637bed

SHA1
e8a2ea3f77ad5eb464da628a7e8afaa6f7493268

SHA256
92ba0852545b6bb58cddbecefe63308e6c52352da997101e80f378cc1c21abc3

SHA512
1d54f3c0c6d52745b84e49694c6889e588287dccdba8746281a5b5ea23ef5a3656d84e127852dc8118ff230307e0306b4943ae8325c1eb01426e08ca7c37ab04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
71c5a597f847048f91607669b02f0d23

SHA1
1104d9c68f646e35add97ac18d59627b07d9483f

SHA256
34579902d6db9e6981829a779e4b76a8f0ac36561b06185fe2c5759200f7f9a9

SHA512
7bc8fd217b54b225a8bbc0afc6204e87b87191f5492de3357e31a98a3940df1748bc54d53035817dcb45ee63edd24c51360de7e5d3a3ce6d0262f756a5d3e2ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4af3e40043cf69c46aa606b1fec26532

SHA1
1d3138d93339fd909283ca212b53f5c923d71844

SHA256
c9878ee5d1e7ec0f152fc7e8c280e73e74f6cdba385e34978a80f223dd04a57b

SHA512
38afcba33ef8f5d67340bab71bf76271e2cbabd1e4fd002e2709d9b4f5e47606a7acc132e14c05358602e5cd6f1ee38da7005630c68db9856f7fe15ffd5dc23b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fb8755b55e5ef841c46679fd41916885

SHA1
103cc4eadba280be2161ed25fa2f9519b5d0883c

SHA256
1563fc2fb273d683fca4d81357d974d7185a75f8cca0f2598ed4dc608ed90e43

SHA512
165ccccca8f7d75851601bc7ec922c59c2a2821a9bd8b581ef2ea7979fa9d861ab0b79bb0c09d56fc97bb15b60fcdfd0bf3c21b420c6978b57fc004a22aab000

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
bf14784baa74fc15011cb8397ae43c34

SHA1
f504f95fa0825827a010c84eec2c8ec8e41ac49f

SHA256
b83ad1c976d505b08c25eb4a020b392ffb72aaf16f1c2990dcaf9a848623b2c2

SHA512
ac184738314e7b8efabddbe535547d677103950f10a67b81234f5f0f5f72b43855bfdd2a0fff713b497bd0e2fd083eb2ad0400865490c95053836e17983c1565

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
7a9ba5d4a11e5fd450347d3cc7cad051

SHA1
f095816266fc6c021d06fb3e2b743899f4f8262d

SHA256
341a9a1214e96d133d9cdaecca04ed494e5b15193650a49b5afdf89e5956e0cd

SHA512
27ba2f4d087b8cf1335974337fa1a7c940b0fbe60f22aab02b6de163081d2aa00afa415c640d8ece9a624c752c066f428074b901293ccfad446a5a5ecade1afe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
7a9ba5d4a11e5fd450347d3cc7cad051

SHA1
f095816266fc6c021d06fb3e2b743899f4f8262d

SHA256
341a9a1214e96d133d9cdaecca04ed494e5b15193650a49b5afdf89e5956e0cd

SHA512
27ba2f4d087b8cf1335974337fa1a7c940b0fbe60f22aab02b6de163081d2aa00afa415c640d8ece9a624c752c066f428074b901293ccfad446a5a5ecade1afe

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
7.8MB

MD5
7fa73f041f8298c8d89fc4494bafd149

SHA1
481a04bca719f2b1a164687f1e2bf5c67e7d2371

SHA256
88e4a8eca9cc1fee0b639f14a6dfa85ebe04a9c6fe0353c97fc89057f2788627

SHA512
670710ae123219f5e6ec43319c06d8c04b4208cb63e6cd87b7ca988a9d1edc896a87b9f055f058b8cd0cde971b6f0add9d2161418adebc9015275ae8fef0816f

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
7.8MB

MD5
7fa73f041f8298c8d89fc4494bafd149

SHA1
481a04bca719f2b1a164687f1e2bf5c67e7d2371

SHA256
88e4a8eca9cc1fee0b639f14a6dfa85ebe04a9c6fe0353c97fc89057f2788627

SHA512
670710ae123219f5e6ec43319c06d8c04b4208cb63e6cd87b7ca988a9d1edc896a87b9f055f058b8cd0cde971b6f0add9d2161418adebc9015275ae8fef0816f

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1045988481-1457812719-2617974652-1000\desktop.ini.exe

Filesize
7.8MB

MD5
70d10bb8e547c1f7f4a83ef5c8167d8a

SHA1
55190129c660ce4b91a96a7f8bda697d3ad23ddb

SHA256
bdda252322f6e4cfaf5fcb93e9717982dfe9e09da1f0a5f4eb64a22e7d5a178b

SHA512
296df45ca25e4b0338cf7c65813ccccf6cb248a845ede1250f140566508d2c3a80b6c3824881150c34573a12570206173c769f1d9d715669c656c6f2edbef126

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
7.8MB

MD5
ab2e25cf91ce1954b19e1004d4e3cb05

SHA1
bc848d40c299d9de88e41ddc780658eaab71a8e3

SHA256
bc9761e636ca4473b8baa473b3158906a7b3f739abdb9c5dd78896b148cd605b

SHA512
075085b6231c55b8a5fc2c8180770189f8d5d8ec95b4e811704501631450816d27347aa90184a028e4e54a9373481efa7ba60855d62ea9f81b09d0935b1b7304

Download Submit
memory/3060-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3060-1-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/3060-42-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3060-49-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4632-6-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/4632-58-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads