b47fa4656049d986832350932164af4b6596835ee5129077d92fc79f8cc81a3b

Analysis

max time kernel
169s
max time network
146s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
Size

4.1MB
MD5

7b3d5b14bd5c827acb0503652f7cab8c
SHA1

1c60fb9b61773b4d26954ca45f1923d46fca10b6
SHA256

b47fa4656049d986832350932164af4b6596835ee5129077d92fc79f8cc81a3b
SHA512

fd009fa1ffa3d64c738ece8247cd50a02e5b2950e9333d08595fc156944725527f208679a09250e79bcfe34ea2935bed2289172de31c8a2c392b2487d140b25a
SSDEEP

98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMs:9nW

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
2756	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
2708	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
2708	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\K:	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
File opened (read-only)	\??\P:	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
File opened (read-only)	\??\S:	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\G:	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
File opened (read-only)	\??\I:	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
File opened (read-only)	\??\R:	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
File opened (read-only)	\??\Y:	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\E:	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
File opened (read-only)	\??\L:	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
File opened (read-only)	\??\N:	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\B:	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
File opened (read-only)	\??\V:	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
File opened (read-only)	\??\X:	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\H:	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\A:	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
File opened (read-only)	\??\Z:	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\J:	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
File opened (read-only)	\??\M:	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
File opened (read-only)	\??\Q:	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
File opened (read-only)	\??\T:	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
File opened (read-only)	\??\U:	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
File opened (read-only)	\??\W:	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
File opened for modification	C:\AUTORUN.INF	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2756	2708	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe	29
PID 2708 wrote to memory of 2756	2708	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe	29
PID 2708 wrote to memory of 2756	2708	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe	29
PID 2708 wrote to memory of 2756	2708	2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe	29

C:\Users\Admin\AppData\Local\Temp\2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_7b3d5b14bd5c827acb0503652f7cab8c_ryuk_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3185155662-718608226-894467740-1000\desktop.ini.exe

Filesize
4.1MB

MD5
096c487c90af764fc187b5b6644dde4d

SHA1
abdff600a6b0c3714efd042ccccc397d9af373ee

SHA256
d2396b65ae6ce760c2a0714bd9564205a87e096be7ad6be4c92dcd4ee20b1298

SHA512
6dcf96b12e3e7c7d65e4465209964f7281b99fe84f1085fd416d6b0738974ced51c2c4421551584b1b4ac34a9c7b46af085822bb6950a0d887cd1a6b2d6f78e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b3f636db4845ab01f17ea3c783e482cc

SHA1
22d15665ae70d6f55437f6a893dfa3d70c6b12da

SHA256
94e2e67da0a0e186710f84e231a3c1f2f48d61fe5ef23e002c61008b768e2ec2

SHA512
0f8ce396e6444b41f542e89cc1db04c60a4ea2520f962a2e0137dd9d49ebec7046ee9d0294b0982252f8cac7d1d4532491a1219743fc1813aca3d63d6526069a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
7fe9b13569fcae85d172526fe443b852

SHA1
cac07d3507cf830f01450179219a5b5c10a51f86

SHA256
90e84385112e19d433a3750b14d58ca72a22cf338801354c12e1852048189371

SHA512
e4d4c8dcd24332409a7cdc174196ddca365a0ec9dff431da6b30e389b165fcbf7343e2a3eb95fb0f0660754696ab0b467f727689bfd9b5ce438909bb3df37e7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
7fe9b13569fcae85d172526fe443b852

SHA1
cac07d3507cf830f01450179219a5b5c10a51f86

SHA256
90e84385112e19d433a3750b14d58ca72a22cf338801354c12e1852048189371

SHA512
e4d4c8dcd24332409a7cdc174196ddca365a0ec9dff431da6b30e389b165fcbf7343e2a3eb95fb0f0660754696ab0b467f727689bfd9b5ce438909bb3df37e7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b3f636db4845ab01f17ea3c783e482cc

SHA1
22d15665ae70d6f55437f6a893dfa3d70c6b12da

SHA256
94e2e67da0a0e186710f84e231a3c1f2f48d61fe5ef23e002c61008b768e2ec2

SHA512
0f8ce396e6444b41f542e89cc1db04c60a4ea2520f962a2e0137dd9d49ebec7046ee9d0294b0982252f8cac7d1d4532491a1219743fc1813aca3d63d6526069a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
7fe9b13569fcae85d172526fe443b852

SHA1
cac07d3507cf830f01450179219a5b5c10a51f86

SHA256
90e84385112e19d433a3750b14d58ca72a22cf338801354c12e1852048189371

SHA512
e4d4c8dcd24332409a7cdc174196ddca365a0ec9dff431da6b30e389b165fcbf7343e2a3eb95fb0f0660754696ab0b467f727689bfd9b5ce438909bb3df37e7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b3f636db4845ab01f17ea3c783e482cc

SHA1
22d15665ae70d6f55437f6a893dfa3d70c6b12da

SHA256
94e2e67da0a0e186710f84e231a3c1f2f48d61fe5ef23e002c61008b768e2ec2

SHA512
0f8ce396e6444b41f542e89cc1db04c60a4ea2520f962a2e0137dd9d49ebec7046ee9d0294b0982252f8cac7d1d4532491a1219743fc1813aca3d63d6526069a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
7fe9b13569fcae85d172526fe443b852

SHA1
cac07d3507cf830f01450179219a5b5c10a51f86

SHA256
90e84385112e19d433a3750b14d58ca72a22cf338801354c12e1852048189371

SHA512
e4d4c8dcd24332409a7cdc174196ddca365a0ec9dff431da6b30e389b165fcbf7343e2a3eb95fb0f0660754696ab0b467f727689bfd9b5ce438909bb3df37e7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b3f636db4845ab01f17ea3c783e482cc

SHA1
22d15665ae70d6f55437f6a893dfa3d70c6b12da

SHA256
94e2e67da0a0e186710f84e231a3c1f2f48d61fe5ef23e002c61008b768e2ec2

SHA512
0f8ce396e6444b41f542e89cc1db04c60a4ea2520f962a2e0137dd9d49ebec7046ee9d0294b0982252f8cac7d1d4532491a1219743fc1813aca3d63d6526069a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
7fe9b13569fcae85d172526fe443b852

SHA1
cac07d3507cf830f01450179219a5b5c10a51f86

SHA256
90e84385112e19d433a3750b14d58ca72a22cf338801354c12e1852048189371

SHA512
e4d4c8dcd24332409a7cdc174196ddca365a0ec9dff431da6b30e389b165fcbf7343e2a3eb95fb0f0660754696ab0b467f727689bfd9b5ce438909bb3df37e7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b3f636db4845ab01f17ea3c783e482cc

SHA1
22d15665ae70d6f55437f6a893dfa3d70c6b12da

SHA256
94e2e67da0a0e186710f84e231a3c1f2f48d61fe5ef23e002c61008b768e2ec2

SHA512
0f8ce396e6444b41f542e89cc1db04c60a4ea2520f962a2e0137dd9d49ebec7046ee9d0294b0982252f8cac7d1d4532491a1219743fc1813aca3d63d6526069a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
7fe9b13569fcae85d172526fe443b852

SHA1
cac07d3507cf830f01450179219a5b5c10a51f86

SHA256
90e84385112e19d433a3750b14d58ca72a22cf338801354c12e1852048189371

SHA512
e4d4c8dcd24332409a7cdc174196ddca365a0ec9dff431da6b30e389b165fcbf7343e2a3eb95fb0f0660754696ab0b467f727689bfd9b5ce438909bb3df37e7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b3f636db4845ab01f17ea3c783e482cc

SHA1
22d15665ae70d6f55437f6a893dfa3d70c6b12da

SHA256
94e2e67da0a0e186710f84e231a3c1f2f48d61fe5ef23e002c61008b768e2ec2

SHA512
0f8ce396e6444b41f542e89cc1db04c60a4ea2520f962a2e0137dd9d49ebec7046ee9d0294b0982252f8cac7d1d4532491a1219743fc1813aca3d63d6526069a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
7fe9b13569fcae85d172526fe443b852

SHA1
cac07d3507cf830f01450179219a5b5c10a51f86

SHA256
90e84385112e19d433a3750b14d58ca72a22cf338801354c12e1852048189371

SHA512
e4d4c8dcd24332409a7cdc174196ddca365a0ec9dff431da6b30e389b165fcbf7343e2a3eb95fb0f0660754696ab0b467f727689bfd9b5ce438909bb3df37e7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b3f636db4845ab01f17ea3c783e482cc

SHA1
22d15665ae70d6f55437f6a893dfa3d70c6b12da

SHA256
94e2e67da0a0e186710f84e231a3c1f2f48d61fe5ef23e002c61008b768e2ec2

SHA512
0f8ce396e6444b41f542e89cc1db04c60a4ea2520f962a2e0137dd9d49ebec7046ee9d0294b0982252f8cac7d1d4532491a1219743fc1813aca3d63d6526069a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
7fe9b13569fcae85d172526fe443b852

SHA1
cac07d3507cf830f01450179219a5b5c10a51f86

SHA256
90e84385112e19d433a3750b14d58ca72a22cf338801354c12e1852048189371

SHA512
e4d4c8dcd24332409a7cdc174196ddca365a0ec9dff431da6b30e389b165fcbf7343e2a3eb95fb0f0660754696ab0b467f727689bfd9b5ce438909bb3df37e7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b3f636db4845ab01f17ea3c783e482cc

SHA1
22d15665ae70d6f55437f6a893dfa3d70c6b12da

SHA256
94e2e67da0a0e186710f84e231a3c1f2f48d61fe5ef23e002c61008b768e2ec2

SHA512
0f8ce396e6444b41f542e89cc1db04c60a4ea2520f962a2e0137dd9d49ebec7046ee9d0294b0982252f8cac7d1d4532491a1219743fc1813aca3d63d6526069a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
7fe9b13569fcae85d172526fe443b852

SHA1
cac07d3507cf830f01450179219a5b5c10a51f86

SHA256
90e84385112e19d433a3750b14d58ca72a22cf338801354c12e1852048189371

SHA512
e4d4c8dcd24332409a7cdc174196ddca365a0ec9dff431da6b30e389b165fcbf7343e2a3eb95fb0f0660754696ab0b467f727689bfd9b5ce438909bb3df37e7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b3f636db4845ab01f17ea3c783e482cc

SHA1
22d15665ae70d6f55437f6a893dfa3d70c6b12da

SHA256
94e2e67da0a0e186710f84e231a3c1f2f48d61fe5ef23e002c61008b768e2ec2

SHA512
0f8ce396e6444b41f542e89cc1db04c60a4ea2520f962a2e0137dd9d49ebec7046ee9d0294b0982252f8cac7d1d4532491a1219743fc1813aca3d63d6526069a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
7fe9b13569fcae85d172526fe443b852

SHA1
cac07d3507cf830f01450179219a5b5c10a51f86

SHA256
90e84385112e19d433a3750b14d58ca72a22cf338801354c12e1852048189371

SHA512
e4d4c8dcd24332409a7cdc174196ddca365a0ec9dff431da6b30e389b165fcbf7343e2a3eb95fb0f0660754696ab0b467f727689bfd9b5ce438909bb3df37e7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
7fe9b13569fcae85d172526fe443b852

SHA1
cac07d3507cf830f01450179219a5b5c10a51f86

SHA256
90e84385112e19d433a3750b14d58ca72a22cf338801354c12e1852048189371

SHA512
e4d4c8dcd24332409a7cdc174196ddca365a0ec9dff431da6b30e389b165fcbf7343e2a3eb95fb0f0660754696ab0b467f727689bfd9b5ce438909bb3df37e7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b3f636db4845ab01f17ea3c783e482cc

SHA1
22d15665ae70d6f55437f6a893dfa3d70c6b12da

SHA256
94e2e67da0a0e186710f84e231a3c1f2f48d61fe5ef23e002c61008b768e2ec2

SHA512
0f8ce396e6444b41f542e89cc1db04c60a4ea2520f962a2e0137dd9d49ebec7046ee9d0294b0982252f8cac7d1d4532491a1219743fc1813aca3d63d6526069a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
7fe9b13569fcae85d172526fe443b852

SHA1
cac07d3507cf830f01450179219a5b5c10a51f86

SHA256
90e84385112e19d433a3750b14d58ca72a22cf338801354c12e1852048189371

SHA512
e4d4c8dcd24332409a7cdc174196ddca365a0ec9dff431da6b30e389b165fcbf7343e2a3eb95fb0f0660754696ab0b467f727689bfd9b5ce438909bb3df37e7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b3f636db4845ab01f17ea3c783e482cc

SHA1
22d15665ae70d6f55437f6a893dfa3d70c6b12da

SHA256
94e2e67da0a0e186710f84e231a3c1f2f48d61fe5ef23e002c61008b768e2ec2

SHA512
0f8ce396e6444b41f542e89cc1db04c60a4ea2520f962a2e0137dd9d49ebec7046ee9d0294b0982252f8cac7d1d4532491a1219743fc1813aca3d63d6526069a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
7fe9b13569fcae85d172526fe443b852

SHA1
cac07d3507cf830f01450179219a5b5c10a51f86

SHA256
90e84385112e19d433a3750b14d58ca72a22cf338801354c12e1852048189371

SHA512
e4d4c8dcd24332409a7cdc174196ddca365a0ec9dff431da6b30e389b165fcbf7343e2a3eb95fb0f0660754696ab0b467f727689bfd9b5ce438909bb3df37e7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b3f636db4845ab01f17ea3c783e482cc

SHA1
22d15665ae70d6f55437f6a893dfa3d70c6b12da

SHA256
94e2e67da0a0e186710f84e231a3c1f2f48d61fe5ef23e002c61008b768e2ec2

SHA512
0f8ce396e6444b41f542e89cc1db04c60a4ea2520f962a2e0137dd9d49ebec7046ee9d0294b0982252f8cac7d1d4532491a1219743fc1813aca3d63d6526069a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
7fe9b13569fcae85d172526fe443b852

SHA1
cac07d3507cf830f01450179219a5b5c10a51f86

SHA256
90e84385112e19d433a3750b14d58ca72a22cf338801354c12e1852048189371

SHA512
e4d4c8dcd24332409a7cdc174196ddca365a0ec9dff431da6b30e389b165fcbf7343e2a3eb95fb0f0660754696ab0b467f727689bfd9b5ce438909bb3df37e7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
7fe9b13569fcae85d172526fe443b852

SHA1
cac07d3507cf830f01450179219a5b5c10a51f86

SHA256
90e84385112e19d433a3750b14d58ca72a22cf338801354c12e1852048189371

SHA512
e4d4c8dcd24332409a7cdc174196ddca365a0ec9dff431da6b30e389b165fcbf7343e2a3eb95fb0f0660754696ab0b467f727689bfd9b5ce438909bb3df37e7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b3f636db4845ab01f17ea3c783e482cc

SHA1
22d15665ae70d6f55437f6a893dfa3d70c6b12da

SHA256
94e2e67da0a0e186710f84e231a3c1f2f48d61fe5ef23e002c61008b768e2ec2

SHA512
0f8ce396e6444b41f542e89cc1db04c60a4ea2520f962a2e0137dd9d49ebec7046ee9d0294b0982252f8cac7d1d4532491a1219743fc1813aca3d63d6526069a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
66a4156871007ef2f12e1538026006e4

SHA1
8fdf7cd644d59761ce16b07fa6c80b110a1b717a

SHA256
772d99192d19325d97d73b3ee120a99907c5bfc3771d2124ab5d47e7b9523386

SHA512
73a21b17d279b56934e1597bd4b6868146a2fa21e69c6743054e4e7957d21046addd537b424e0d0a54432f19beec5c647281413b3a34a291e52486549a8ca5bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
7fe9b13569fcae85d172526fe443b852

SHA1
cac07d3507cf830f01450179219a5b5c10a51f86

SHA256
90e84385112e19d433a3750b14d58ca72a22cf338801354c12e1852048189371

SHA512
e4d4c8dcd24332409a7cdc174196ddca365a0ec9dff431da6b30e389b165fcbf7343e2a3eb95fb0f0660754696ab0b467f727689bfd9b5ce438909bb3df37e7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b3f636db4845ab01f17ea3c783e482cc

SHA1
22d15665ae70d6f55437f6a893dfa3d70c6b12da

SHA256
94e2e67da0a0e186710f84e231a3c1f2f48d61fe5ef23e002c61008b768e2ec2

SHA512
0f8ce396e6444b41f542e89cc1db04c60a4ea2520f962a2e0137dd9d49ebec7046ee9d0294b0982252f8cac7d1d4532491a1219743fc1813aca3d63d6526069a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
7fe9b13569fcae85d172526fe443b852

SHA1
cac07d3507cf830f01450179219a5b5c10a51f86

SHA256
90e84385112e19d433a3750b14d58ca72a22cf338801354c12e1852048189371

SHA512
e4d4c8dcd24332409a7cdc174196ddca365a0ec9dff431da6b30e389b165fcbf7343e2a3eb95fb0f0660754696ab0b467f727689bfd9b5ce438909bb3df37e7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b3f636db4845ab01f17ea3c783e482cc

SHA1
22d15665ae70d6f55437f6a893dfa3d70c6b12da

SHA256
94e2e67da0a0e186710f84e231a3c1f2f48d61fe5ef23e002c61008b768e2ec2

SHA512
0f8ce396e6444b41f542e89cc1db04c60a4ea2520f962a2e0137dd9d49ebec7046ee9d0294b0982252f8cac7d1d4532491a1219743fc1813aca3d63d6526069a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
7fe9b13569fcae85d172526fe443b852

SHA1
cac07d3507cf830f01450179219a5b5c10a51f86

SHA256
90e84385112e19d433a3750b14d58ca72a22cf338801354c12e1852048189371

SHA512
e4d4c8dcd24332409a7cdc174196ddca365a0ec9dff431da6b30e389b165fcbf7343e2a3eb95fb0f0660754696ab0b467f727689bfd9b5ce438909bb3df37e7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b3f636db4845ab01f17ea3c783e482cc

SHA1
22d15665ae70d6f55437f6a893dfa3d70c6b12da

SHA256
94e2e67da0a0e186710f84e231a3c1f2f48d61fe5ef23e002c61008b768e2ec2

SHA512
0f8ce396e6444b41f542e89cc1db04c60a4ea2520f962a2e0137dd9d49ebec7046ee9d0294b0982252f8cac7d1d4532491a1219743fc1813aca3d63d6526069a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
7fe9b13569fcae85d172526fe443b852

SHA1
cac07d3507cf830f01450179219a5b5c10a51f86

SHA256
90e84385112e19d433a3750b14d58ca72a22cf338801354c12e1852048189371

SHA512
e4d4c8dcd24332409a7cdc174196ddca365a0ec9dff431da6b30e389b165fcbf7343e2a3eb95fb0f0660754696ab0b467f727689bfd9b5ce438909bb3df37e7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
7fe9b13569fcae85d172526fe443b852

SHA1
cac07d3507cf830f01450179219a5b5c10a51f86

SHA256
90e84385112e19d433a3750b14d58ca72a22cf338801354c12e1852048189371

SHA512
e4d4c8dcd24332409a7cdc174196ddca365a0ec9dff431da6b30e389b165fcbf7343e2a3eb95fb0f0660754696ab0b467f727689bfd9b5ce438909bb3df37e7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
7fe9b13569fcae85d172526fe443b852

SHA1
cac07d3507cf830f01450179219a5b5c10a51f86

SHA256
90e84385112e19d433a3750b14d58ca72a22cf338801354c12e1852048189371

SHA512
e4d4c8dcd24332409a7cdc174196ddca365a0ec9dff431da6b30e389b165fcbf7343e2a3eb95fb0f0660754696ab0b467f727689bfd9b5ce438909bb3df37e7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b3f636db4845ab01f17ea3c783e482cc

SHA1
22d15665ae70d6f55437f6a893dfa3d70c6b12da

SHA256
94e2e67da0a0e186710f84e231a3c1f2f48d61fe5ef23e002c61008b768e2ec2

SHA512
0f8ce396e6444b41f542e89cc1db04c60a4ea2520f962a2e0137dd9d49ebec7046ee9d0294b0982252f8cac7d1d4532491a1219743fc1813aca3d63d6526069a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b3f636db4845ab01f17ea3c783e482cc

SHA1
22d15665ae70d6f55437f6a893dfa3d70c6b12da

SHA256
94e2e67da0a0e186710f84e231a3c1f2f48d61fe5ef23e002c61008b768e2ec2

SHA512
0f8ce396e6444b41f542e89cc1db04c60a4ea2520f962a2e0137dd9d49ebec7046ee9d0294b0982252f8cac7d1d4532491a1219743fc1813aca3d63d6526069a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
7fe9b13569fcae85d172526fe443b852

SHA1
cac07d3507cf830f01450179219a5b5c10a51f86

SHA256
90e84385112e19d433a3750b14d58ca72a22cf338801354c12e1852048189371

SHA512
e4d4c8dcd24332409a7cdc174196ddca365a0ec9dff431da6b30e389b165fcbf7343e2a3eb95fb0f0660754696ab0b467f727689bfd9b5ce438909bb3df37e7c

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
4.1MB

MD5
a66e991d3dfc6aa873c9b5cde808a748

SHA1
b6266d79f58768b89d28557b03ed521c6732ad32

SHA256
70c5932fab0d1a7de6e65441923656fd13b3965b248ab8a8fa653811d8ab237a

SHA512
55f35e10b0a05894b62f08c24860a8f63b2ee522c64d75b1b6bc55e76158f3f942f9bd090c78e476f6f81adca73c53e03e8f278e117ad3d97e57c78fc1dffb63

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
4.1MB

MD5
a66e991d3dfc6aa873c9b5cde808a748

SHA1
b6266d79f58768b89d28557b03ed521c6732ad32

SHA256
70c5932fab0d1a7de6e65441923656fd13b3965b248ab8a8fa653811d8ab237a

SHA512
55f35e10b0a05894b62f08c24860a8f63b2ee522c64d75b1b6bc55e76158f3f942f9bd090c78e476f6f81adca73c53e03e8f278e117ad3d97e57c78fc1dffb63

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
4.1MB

MD5
a66e991d3dfc6aa873c9b5cde808a748

SHA1
b6266d79f58768b89d28557b03ed521c6732ad32

SHA256
70c5932fab0d1a7de6e65441923656fd13b3965b248ab8a8fa653811d8ab237a

SHA512
55f35e10b0a05894b62f08c24860a8f63b2ee522c64d75b1b6bc55e76158f3f942f9bd090c78e476f6f81adca73c53e03e8f278e117ad3d97e57c78fc1dffb63

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
4.1MB

MD5
7b3d5b14bd5c827acb0503652f7cab8c

SHA1
1c60fb9b61773b4d26954ca45f1923d46fca10b6

SHA256
b47fa4656049d986832350932164af4b6596835ee5129077d92fc79f8cc81a3b

SHA512
fd009fa1ffa3d64c738ece8247cd50a02e5b2950e9333d08595fc156944725527f208679a09250e79bcfe34ea2935bed2289172de31c8a2c392b2487d140b25a

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
4.1MB

MD5
a66e991d3dfc6aa873c9b5cde808a748

SHA1
b6266d79f58768b89d28557b03ed521c6732ad32

SHA256
70c5932fab0d1a7de6e65441923656fd13b3965b248ab8a8fa653811d8ab237a

SHA512
55f35e10b0a05894b62f08c24860a8f63b2ee522c64d75b1b6bc55e76158f3f942f9bd090c78e476f6f81adca73c53e03e8f278e117ad3d97e57c78fc1dffb63

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
4.1MB

MD5
a66e991d3dfc6aa873c9b5cde808a748

SHA1
b6266d79f58768b89d28557b03ed521c6732ad32

SHA256
70c5932fab0d1a7de6e65441923656fd13b3965b248ab8a8fa653811d8ab237a

SHA512
55f35e10b0a05894b62f08c24860a8f63b2ee522c64d75b1b6bc55e76158f3f942f9bd090c78e476f6f81adca73c53e03e8f278e117ad3d97e57c78fc1dffb63

Download Submit
memory/2708-53-0x0000000001E80000-0x0000000001EFB000-memory.dmp

Filesize
492KB

Download
memory/2708-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2708-1-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2708-3-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2708-5-0x0000000001E80000-0x0000000001EFB000-memory.dmp

Filesize
492KB

Download
memory/2708-6-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2756-54-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2756-14-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads