7a066da4ee12ee941bf942f798ab84828c09f60e05f948dc97dff85d4eac4deb

Analysis

max time kernel
154s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
Size

18.3MB
MD5

766570ee2d440ad20d9c66db404aed77
SHA1

edcc78d12e0db840d0bba98f32e55d5bb6705f73
SHA256

7a066da4ee12ee941bf942f798ab84828c09f60e05f948dc97dff85d4eac4deb
SHA512

d1e6d22cfa1c7a6bf9807f2da3d688beae4c2394ef26a13608a5d5046afc9d18253810a35576d924b166f47136e7cd0acdc3957f8e3468a41288cef1e5689264
SSDEEP

98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMJ:9nwngnwnO

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
3868	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\I:	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File opened (read-only)	\??\O:	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File opened (read-only)	\??\Z:	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\G:	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File opened (read-only)	\??\L:	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\B:	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File opened (read-only)	\??\P:	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File opened (read-only)	\??\T:	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File opened (read-only)	\??\W:	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\A:	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File opened (read-only)	\??\H:	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File opened (read-only)	\??\N:	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File opened (read-only)	\??\Q:	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File opened (read-only)	\??\R:	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File opened (read-only)	\??\V:	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\J:	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File opened (read-only)	\??\K:	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File opened (read-only)	\??\S:	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\M:	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File opened (read-only)	\??\U:	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File opened (read-only)	\??\X:	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File opened (read-only)	\??\Y:	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\ko.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\br.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\hi.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\7z.exe.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\7zG.exe.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\7-zip.dll.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\en.ttt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\ms.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\History.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\descript.ion.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\7z.sfx.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.exe	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 3868	3792	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe	86
PID 3792 wrote to memory of 3868	3792	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe	86
PID 3792 wrote to memory of 3868	3792	2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe	86

C:\Users\Admin\AppData\Local\Temp\2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_766570ee2d440ad20d9c66db404aed77_ryuk_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2890696111-2332180956-3312704074-1000\desktop.ini.exe

Filesize
18.3MB

MD5
27d8f08294cd25e08090a49403164153

SHA1
df9cd8afb369f40fe96d6d15edc11473b6872830

SHA256
b2fcd66ca3dd9d87fd3055e26c76d06bbfca1ccb4d70b55ccdfc3ebfe522cc11

SHA512
e7853e8dfcb46f82114bacca1fe48bc7fcdba0497b52fc288f4671d3ed1de3a97314d11d1d7aa2786f144f424156653bf509dba0cc45a4b5f70f1c9219cff208

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
231f9a5b61d6ff5202bb20158dfad823

SHA1
84c79ad22357f7f4d0a4f5fa279106052e7f36db

SHA256
c5a28a23292b2baeca3caf1525172416b01539f90efa389a1e8939d95aa23b98

SHA512
5e2912c07d4b2f56e9d1ee20b54fbd9f4d73cb7c2146c9c67e5c3d1eef18d6183a6e2120925eadd3c1ab3574c2c9e1667d932d01df127e5ebd3cd14ced877452

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
5132fa4e333f4aa4f479a9b7ad608b76

SHA1
a6a9c124e74c829c7eb131dda38c9bcb667ebe18

SHA256
321562afa81c58910724c91479cf8c050360ad0c4217d5c97e724fadfb36ff29

SHA512
35c0219faf7d17cef91c18939b788b889703de1ec380544766ba629ac4546858f04bf715dd44ecadc9130d1e8621191ec8067ee4cdff2daf0006ff45022a0ee3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4e0154e38682228ac39ffdd27f395695

SHA1
ea25954a81125fcd49cfb10c1da81832271afe06

SHA256
973aa8db78e4dbe40901e0ca7fdd68144f7c6bed3641206ec4367812877c7ae2

SHA512
79d478bb81ec6c47df4f6dcc16dd794168bba70c8dec69f6861f00e53e06bc718aaff6d2d5fb4a46df651990acb143d5e3d9dfacd562aace6750bede51ff3d86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
711ac0d71ea9420c2c3b216c933f5bfa

SHA1
1d6b74d8c0cdf1537f77b65d1e2fb4dbab6d4120

SHA256
8804491413b4d36d4cf0703822a9026b2b7062622f80a0c61639f2129a9e3784

SHA512
be907c066e21867cb28c13194abd6b067a36a4a542137ece58997e2c0c6df08795c8208316985547f6fc52dbcffae809319db9f4590a295f2fccec25683bbb1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4de12c0a385eaa89c4d937fc9d01adf4

SHA1
242e1a295d17cd40cebf3735109c3ff209fef589

SHA256
3762d9fa1d0c302ef67cc558c5081cb2316b5fd7bb8b5733e2a35c2a8fc84c97

SHA512
83498577ed43f0d73262bf65d9e41434bddb4752d0206ed1cc7763d8827820fb7d0b220f284484dd7821835085442f0dc9aaca8d4a8a7cb89c47dc9f2e2d97dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
df0d742bc8e9d1579842759c56bd8652

SHA1
44b1ba94dc0020bcc04567739c307722b4a5446d

SHA256
67103f863d0175d2b07e26a70766f2106cf39dbc226bde24a6664f9a9c6e687f

SHA512
7b87b85e72011f46c0a0dc794a78d0b9b6e853b870cffc95f8b9132abf2c45ffee96bfcc7eee70113efcbb8d0aec38552040456ba1d194655ada6ea43bb1b21f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
19a7d1ccc214b937825ff2151b295c82

SHA1
eae655921d884f9215827b89791192401dfaaec6

SHA256
9eaa82bdd3f8519a2de119f8ac30ec76718ef8258c2f566c8e2f82e8b7dfc88b

SHA512
a8b5f28859ebe41c9a3209fc122be5bdfb18d37c1ff68f5decc68ce680a01ec6b769c20403fd3a10727d7926627a0fe7c57eb84d2e0b27bebbb1f7c435b87e7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
33af2b6b267122cd95e7b57fe6b6486c

SHA1
f5cdba266b9c6fa53d55e7155d9eec017623edd5

SHA256
22fa2de90cacbfc7c1f9b63d5741ca3ee053c707c6005e68698c06a77715908e

SHA512
3688226ce2bc403569065cf17e83ce01a7b169a63b825718d67bfa9317f58ac88ea54779a7ad8d0c43b2ca1d1c8533bfb6a93a050d6497dbb1b86e61c1c8fa6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
50eb5f47f65f78a9be9effbaeb2deef7

SHA1
db6ae88bb15017100257159886045b0114c878f5

SHA256
a9cd4ce1ea8baefb5eabcedd706fcfc9e7d27d51ffd8070500f898a1bb7dccc4

SHA512
f23aa809a6812d64a1f5b86580c1998e2c89fba740d98e4cecd64ae063af0ca53210d68f67e9a895200a9d7751078868a08be25a8cbfe9aa5940999b2aad68d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
6e3efe1498d74e343385ec670c018c4a

SHA1
680c2e26403e32c0576c1507dec78522089b00b8

SHA256
bd18f7bbc5ac13fe08970a6673e66fcdcaaa6d92e21727402120c987487b8038

SHA512
5642bc25943229a62ef77d53340917e3386a44cabe903f305eb4f8f686788f5c72804a8130fee1fa5b687655a5d7cae1acd0a820b4c1fa0b26b10cedf069eee1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
397fb9ed99ca05585f603e6a2f5f7145

SHA1
0c86e702495f151e63608219fdf874a8d67d5967

SHA256
451600ba12110766b3edc7ee260ffb9f5eefd3b46df1bb8a90d5fdfe7029d1de

SHA512
9f17c6bf05be7af11f748f8f4470981ee5a88f3e85d8fb19fc1996f479d80f6cf9d2a8d21aefdbc4cd0e68120d6470e38aeb8b7319da2cd9d6e1459a3489bc98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3a7de604afcd463a2c8072433add2257

SHA1
ea86e68d90d62b16cd0c5de91695afd1f0c696a5

SHA256
4c60b031dc7986abc813c573b514895f39edff5d979455681336dc5c30fad2c0

SHA512
32b65608f938a46ac73a1235570b5f14a7af395b7aed6d692e091530ce810426ae195a611b7c1e4861287f3b2cac84fffd48b7eed3365705720515354c26bdb8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
7d6d3e17dc0e6447a7754b6e2a5a7f3f

SHA1
e80956b89e7b7276bd396e3f2a7856c133d52476

SHA256
21b7210d2c239387190333812c360558fbd8759504c391976aefadf3f0c50e0a

SHA512
d35cbb2cdd7eaa5d28dfc44a7cfdcb7fd557ee91653f95feb97a4b1d23e1f3c860d7322ba9d20ffc8a6e8b4d4a2baecbcae23a6be68b43b26f430df6b4a2a73d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
535476149990319efd6b7647d608b286

SHA1
f314f85241d060a494746fb650b1d118f4dab1f5

SHA256
c3a035bc5ec30c2b48109bf2e97c953a8db04afad6dbabfc44906899c89d1320

SHA512
7ca0b383edea78e413e92863bdb060e03482174c30a4d73331c7f1ff4847d5ecc7548bb2a00adc5635bb60006aa03f1bf9fb01e5445c6abba5b2af5662f03e79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
3dc576680c17abdf389c3a1e948b712f

SHA1
7bb4cac4b6dbdb768cca35b26fb76aa5f000dcf0

SHA256
6f6671df9b01cdb49b441fbd25d4b3bbefc4b381eb89e7e5f077a39396bfce9d

SHA512
c5d501770e852152920acaeea3fbd585019bd1e0a7388a14fb71fbe92617568e52a16ee37121f9e465f5dcc3ef564ac96a87c2d786ed0b49cefd7a61f3aece8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5c27d62b4c22a06ef0333d1b0cc7e964

SHA1
b21cf1ca0f37607905ae19028beadba653ef52ff

SHA256
3b250acebdc1ea3d390657f41b55bae4d3d38746072d809c33501ac6a7e8cf5f

SHA512
2db0ef11b29340486dcaf304379d001e0a34f5959ee10ad7fce51ed12d3a338c1bb4751482135d29b0d4666c263f9d865a71d08918412a0735c3e7cf061a40f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
90d6438e7a20d81e12bf14edee867dc5

SHA1
1fd1e8cf3f8bbfde22cbcc7a4d280d4bb1e6a549

SHA256
ce9fc3f480853589b89f2f889cb59ba598c0a758799de20cef4961175d7f9a4f

SHA512
651fd1d417257cb8608cdbbfc4dd1704af3c61dff9b1223684571e78204590208d82f3e514ff2ec7687a08aa282c230b99fc87330139f322c3a41c7f2d2e3de7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a9b1c37cd41cde88a313736dee8e7258

SHA1
8686f1c8e34da7dd819cc61b7cc0760b30b0cd2f

SHA256
0228ecbf910b85cb8b5e5a0e51056380390a15d6c76b39712c09481308d65bf4

SHA512
8c76e0942be9ffe1ccf40263c37be4977d77d4d9dadd9bd50c7bcce2f6d4f29dec1e2fb6c6ac00a17c8f703212231bc6a4528de2b9042058882dc791332d967e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
1ac764b5815cb2869a5c75c5e2531e09

SHA1
64515900a0a4e3bc0b4522cae31af7915eabb234

SHA256
f658a017f7523afb0e6650c80da33cbe6d1857bc2126a587347ac6736782355a

SHA512
0cb65467bf78b4d02f4bc03f0e93ba840e45fd3b1b90c57be78d64a1ccfabc837d1cd4867cd3ffcfa68a1a745624ddb98a64db2f804fe76d655601919418bc27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
581e64bedcd3571b859222b1eceb1e81

SHA1
9986ec031ca09e5c43e3efe693fc7bcd429c3d36

SHA256
35ce5b774a918934f041e464c4887c4c9523b37a6ad24f96c866c484621012e3

SHA512
be1f75e2352bc9706048d6063ed5c05eeb17eb910e1133b77ccf7a2d04d090528905b6f8750bf0496922e48dc4f7d06f09e9ae75a3d22530e7af351e5e89c285

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
d6adfa38087cce2f73656bec4341bb41

SHA1
9e09f4e30c3d3e03c8b137a52edfe7b43934b062

SHA256
bc0e8a21d9aa937f155cf2add7d58dca94077157823bddb2ddce4303d4eda24a

SHA512
64b493477d397348574bf04c2c4ce8e2ab52284fce1d3ef6bb9c0ee183289c6bf9ea46cd1248161a06b8452c61133ed9ecf201321f167a95460ea3a273d37234

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
03d7b71ea7843d29170a4f4df729a3d4

SHA1
c3b55078e8b5274975ea79ceae057771b4474107

SHA256
370136b56cae73336d17509e9ba37a6622a0a18fff6cf9b0e4842e38eb8d057f

SHA512
3f5afe17cbc9c6f302643f91c7a4da6a9ab5e1b7ee85893af20be51e472a38847c0e43132e167e76c6e5db3838632cbf424b3e50f1f9c2ff5b77a4dee60e75ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
97ac5cd42ef6da79694ccbc94ef38f39

SHA1
0ced23a68bb0860e4e40c7d1ace99f30222fa438

SHA256
8f2ed6259db5c4815a53b341e0d75e7abf4df302eff55e1342612258748f1cde

SHA512
7b954983071d0a42a14f52d94d18041a9feefb4c52021b40925dc14b804d7ade8db9e299564365e6ded7fdb9afbb1e0534827f1335cd76a586b68fc001fe0ec6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
ff4a329c6e62728947c6d9b3d6798f54

SHA1
9f969fd5ec386e44ea63a111e154e2d5c0857504

SHA256
899bd3e0ffc683ff1e718827f955dacccf3af1b7f97cd65a9b43a0d7ff3de652

SHA512
b43c4849ad4f45021d686bd7e0c732aaa535c5b3b5c7c6f43ed953df0b16c1d6d552e9c3aa0875fccb51f3fa9a4ac11648e7c30d4dd0f5235b71f2c80a7b12d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
94a2f431ef795aeb73d5e657f17af8ae

SHA1
1f1d822688f74d8517f03799731ec9e3f9dc3d65

SHA256
57631ee9f830c3c23f153263d5dc22b9889e558324d45855591553b97e31105e

SHA512
cd268c04e9537caea5ecc46a3f27b51aa9ee847ea2acdf5b46d7ac8c40a47f7f68f078a94363632eb94f07271ad8696c4ebea938e9d281a649584ed68abac922

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
04857939b24f5d855df3e6c5c0ca91f6

SHA1
dd10b42cd9473519760e569cb78519509f1835ad

SHA256
94b377b314413cb24b0b7f2a10b30f2ca27a30b80f82078436812323b5a61c8e

SHA512
f388443d373993bcdb0052a3f6835eaa59329aca4c1fe9955a042f3cb9956dc83ece972809fd623d758b3fa9fcc1df28c11c47ad0fa5282f36f1e94dc71b4c97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
c158e84bf4fa8831cd6387ce20f32c6f

SHA1
2df19d50d5c154c293920e8322fc8c7162f9ba68

SHA256
eeb4dd4855de3fd623808ee96188d8b81d36b22e28b3e5c3164e7c9fbf7e882e

SHA512
d3f2c855bd175367bd99900301d56b4bf3c19615116060327cee03d74b6566c4f3c9a3b671d8f3ff162faa83b08ff813dc399f4cfff8fdca43610aa7a94a86ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
0c537af3350c80245afd89b0056fbebd

SHA1
b6ee1ccd65b5cbe87418e3510c739dd4931228b1

SHA256
74dbc2e60c19f371ebbe046a2b2a3696a93d4bb1ce4cb2d5cc37ec0203a0be97

SHA512
91a3624688a3f55600d9024f5a1d97cf64c464421f8ed6af941e472fe799ea61f59fae80efe00b638f8d19539d163d0956831ab4ca17509185d2008449b7bace

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
a35d7aad2a8ce876604730bfadcdab8a

SHA1
deaa0f1463c1be2783407139eda09be7ba617916

SHA256
ccaedf337d3b5f6482d362f6492346c2a65b5e443518f6071bd608be4e7286e4

SHA512
0c3a24e13869cb4282e27b3fac5772dc169ec518636cd394d9de312ee6cf963c7241264c35955cbc22a143bee15b568b54bdbb593505bb6c6ca4e036c747502f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
a35d7aad2a8ce876604730bfadcdab8a

SHA1
deaa0f1463c1be2783407139eda09be7ba617916

SHA256
ccaedf337d3b5f6482d362f6492346c2a65b5e443518f6071bd608be4e7286e4

SHA512
0c3a24e13869cb4282e27b3fac5772dc169ec518636cd394d9de312ee6cf963c7241264c35955cbc22a143bee15b568b54bdbb593505bb6c6ca4e036c747502f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e4c7a72edc3b4e0dd43f14a4114970e4

SHA1
32f4f449c7b6baa2231c516c16bee79d06466c7d

SHA256
f4d9a87017a9c04a5677f0e0bbea8ec6deed6e9da664afd3c7034a6e9e9f9947

SHA512
3955e02a9050ad75668231531dc3dbd572684329dc275e0324d30d987446ff639f6a97e2dbcce97ce1220a615fa46f2f4945610347e1f734a9cc786eef2d93f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
89455d3898b9b650588a1009b9ea6b37

SHA1
8473361e2546c01243d4f8e8418475bfa88f9f59

SHA256
8aaea936981ad16cfea7b2261ac3fd61abfead0a77c82aef0f17916458e87cc3

SHA512
3ba4998fcc2ddbdfbc2ddfd492137df674b675cd2e685181fe34c2a497371fdf0d3a751d5869a304603268fa8650e5ef554cf231e187fcc26107aac17d4161a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
6c54ec9decc851afd6855fe7c3143e35

SHA1
05ba684c057ff7ca3de97be5f7022edb8bdc1380

SHA256
fc9b6a5bd2906c491fcb092590e5cbfd85f6091a74fa8bc3b7c147067225a592

SHA512
4ba18dcc913c93516a069b5233f3e6ae3ced3c4e842ceb9753b99d532ace9fbe9affd524c38803a773dae906353cb63ad05eb788b66c29d24bce89ff331a1ed0

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
18.3MB

MD5
701eeda0ac2b02bb8ee81a7ae0c231ea

SHA1
14d3c19c0a0cd14a1e7d7e60b9d2c0c0e6af312e

SHA256
6a60a53a75017ce4c2d544d75a4b6fffb8fde65e6db69af5f9bbb95f44b841c9

SHA512
caf030b79284cfc62342045cee082a5ad021ae06be0b6e7a61e430d7f79cc6ac2a9427018d60bebc226a55b27c7c4fd9861ab9b2820afdc7db404a2a2f6dbf6a

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
18.3MB

MD5
701eeda0ac2b02bb8ee81a7ae0c231ea

SHA1
14d3c19c0a0cd14a1e7d7e60b9d2c0c0e6af312e

SHA256
6a60a53a75017ce4c2d544d75a4b6fffb8fde65e6db69af5f9bbb95f44b841c9

SHA512
caf030b79284cfc62342045cee082a5ad021ae06be0b6e7a61e430d7f79cc6ac2a9427018d60bebc226a55b27c7c4fd9861ab9b2820afdc7db404a2a2f6dbf6a

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2890696111-2332180956-3312704074-1000\desktop.ini.exe

Filesize
18.3MB

MD5
6054eb9911360f5fae232f29fcfdde19

SHA1
891db9ef0833f533374f938d6a15981eb4d46329

SHA256
811460c07fe5eb2cf62bdf716f69e77eadfc6b11135ce57390f3a453b57da792

SHA512
286e45f1d7dca9a6a2aac665d9d1c67899f47146652da7a8cfa9726a8ad2eadf45b81b9c0b4f2a9ef49b3694f5a2e48ffed436bba40d7d23a1a044e982d5028c

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
18.3MB

MD5
766570ee2d440ad20d9c66db404aed77

SHA1
edcc78d12e0db840d0bba98f32e55d5bb6705f73

SHA256
7a066da4ee12ee941bf942f798ab84828c09f60e05f948dc97dff85d4eac4deb

SHA512
d1e6d22cfa1c7a6bf9807f2da3d688beae4c2394ef26a13608a5d5046afc9d18253810a35576d924b166f47136e7cd0acdc3957f8e3468a41288cef1e5689264

Download Submit
memory/3792-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3792-1-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3792-27-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3792-28-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3868-6-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3868-7-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/3868-48-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads