927310d4a07260477232678066ff53cbd2ac76c82863ba19ea7af8ca1cf63576

Analysis

max time kernel
151s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
Size

20.8MB
MD5

1f0702f557828bfb7d885081eab158d6
SHA1

373ac2f11f2dabf51fdb6e5d351c2770b4d8d72e
SHA256

927310d4a07260477232678066ff53cbd2ac76c82863ba19ea7af8ca1cf63576
SHA512

919bc4695dc98387c5c306227081114ed9133165f9c6d4df9bcfc0eac0378e19a92c8f0defccd87f3426d7deeb2ad163d23e2a444ee6ddf996e406619a1e4803
SSDEEP

98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMR:9nwngnwnBRk

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
3852	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File opened (read-only)	\??\L:	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File opened (read-only)	\??\T:	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\K:	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\I:	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\E:	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File opened (read-only)	\??\V:	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File opened (read-only)	\??\Z:	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\O:	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File opened (read-only)	\??\A:	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File opened (read-only)	\??\N:	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File opened (read-only)	\??\W:	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File opened (read-only)	\??\X:	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\J:	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File opened (read-only)	\??\M:	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File opened (read-only)	\??\P:	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File opened (read-only)	\??\Q:	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File opened (read-only)	\??\R:	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File opened (read-only)	\??\Y:	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\G:	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File opened (read-only)	\??\H:	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File opened (read-only)	\??\S:	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File opened (read-only)	\??\U:	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 48 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\be.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\hi.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\7zG.exe.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\br.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\7zFM.exe.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\7z.exe.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\History.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\7-zip.dll.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\7z.sfx.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\descript.ion.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\7z.dll.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\en.ttt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\7-zip.chm.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.exe	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 3852	224	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe	83
PID 224 wrote to memory of 3852	224	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe	83
PID 224 wrote to memory of 3852	224	2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe	83

C:\Users\Admin\AppData\Local\Temp\2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_1f0702f557828bfb7d885081eab158d6_ryuk_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2344688013-2965468717-2034126-1000\desktop.ini.exe

Filesize
20.8MB

MD5
2435756cf0b74e5ab4c5929c4d816582

SHA1
df433fa629b07cff13966346af8c64f9d2178bff

SHA256
2162c687b6bc8ad14f95fe1f54723a8daf5d16bd61442a1af45d98663528246f

SHA512
22540d804fa928bfe1f33e600cf1bb2427c79fd2155bb1b8d34fbca1d89cc1ed302791ed17f34d9bb2113aae98287b3d729eb5763175953bd0dad50cc7cf3579

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1015B

MD5
f3686378f944f6a4d737523bcccdd037

SHA1
cb0cf22731dcafb612d8e04957bb9be773c100b7

SHA256
5e0526b1438c5a51d5d215a864922f9bb693b2a456de74fe70c0bf856a284da0

SHA512
0b71bc964523939f6c4487bc4912007d6dffe536d8fc96a7e98379ff0388cf8b8f63e678f4614ace81b9fcb1deba5339114b2b463df64f9c761248022132224e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
13eefa7e5bbf405c27c1f867c5af13b3

SHA1
a6df0bfaeb72f2553dc60e0793e03c50cfcee3de

SHA256
b01917493ca97677b40c80b074ca3b75f2740b4138b0227fe696b2fa72204b78

SHA512
6c620185be304e1de87b5ec5e6dfe8d433f1a9940c986cba9fe87a28aa7d893f4fb187d9f9ef3f53b2db1c6fa4b0e5fcbadec5253306c123c8d7e45fa55f5f98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1015B

MD5
ec42e27a0cfa2e5c49b79352b42715d5

SHA1
a3d6f1a409a09f5748dff16b4c663ae98d1b2c23

SHA256
28f8f18cf1b49d6ab136eaa16a59931e673d9e5cd474332d8064f7136830411d

SHA512
40f143c427b0ad38e88ae6f14a1fb46e3b7b844961d6ac88bd2c445824077d0b028d04650f33c9b3b824225f2edef82f830c20c60a4f80af60eac7fe4085b5e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c124fd5bc87dff59d376d4013c16ce3d

SHA1
33273bac8abeccb423cb4dea87e0608582a3fe9d

SHA256
221c31e5addc474b9a3c1a76fc8f9cd10310fcbd6ff2680de1b07c3a03c1f65f

SHA512
3736598a1a78770a8111ee9c6584b4ab669e6f39308055fcc7cc11f4bd07db6b5484fde51639a823d4913fa299e81a5d4b9f7aa04805292b79e533b650cba4bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1015B

MD5
5c22a0c751019065647c2176666c31ee

SHA1
906672da21c5f13a98d9913a56867fa574ca977a

SHA256
d9415127b5145cd5244066d4e99b2e4ca8b47b4c7bf89c78704be02af8599cdf

SHA512
91fc3371d4f936345974964d43f9badf86c6cdb75fccda2785104017d9823354253db24f82d6347f220f24d6490e6dd1fb7b58a99dd7f8fcaa4850958c127c2b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
58f91c92a2e47d0766cfb874244e591c

SHA1
604c251c2d5c4c84e661e454680891a943dd8478

SHA256
c39bc96d12eb62d213ba5f690e0350e9e31ceb0915f362d09d1879f943494405

SHA512
2c23f1e07a955a08b5b76a71ff0d5f5a5d650cbb2826216ccd8a4a072333dd90273cf76d4f6ff394553026ccbb67ba67be585b79cf9cafcf591ca454cd3615ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1015B

MD5
9d6920ac1c18baadac91d2e05f00defc

SHA1
de3c3a093802f7ba82c535938eaa4d28d64b2c98

SHA256
a1fae0f6a338593ade92ee510888c93fe02eff31734d1d2e830b19a297a7b94d

SHA512
6a7e27f8c1775fd20836a23462413af488f948f749c0128c425f662afdafc6515c5817502d1dc13ea1d8e7ac47392f3faf2beafb5db232ef1539a1413c282e45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c84f07eb89c4862bcc7c57ea63e7ef6e

SHA1
1f45920306feaeeb312d579e6299cb7703ff0c0d

SHA256
ecfda06b6efca639e37e560b402e82e1861b125b92b3dd4fde3f20110ea5bea7

SHA512
92c167f66f4727fdcb92fe7965a00b689666e5c096a182c475f53c9ab0a2b1a67887189f5c398f9d800ca84e03b007065c55cc1833fa0ea373414657c4dc87f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1015B

MD5
1f481d375d19842616c6ec95e04cdd63

SHA1
74c00804f846c35d49f2f6231bc87d387defc623

SHA256
59ae5d4ee0bdef07225f9a402617cfc4a4dcda86adebb90d11b99eb7a6fd3a53

SHA512
293a4355572e7f6f0ed0cc9a6a7a7ab78bc481958060593b578b6d22b37f2401d07968d341414d1a742c2844909f3a1604f00f1a3a591c354337039213503bfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1015B

MD5
78012b369e004b7e602e52bed840f42e

SHA1
f7ab6ad99baa88daa7e4fe826292c4175a426b64

SHA256
538ac2f53d1886dc75b33dfb12955a908adbcbef6f2d8df17bc5a02a3abfc502

SHA512
124f8fca0244cf3b4a846899244e3ef88ada80ed789a1aca0d66174020a020cb6ef20a0906f32dcaa5d25f2f8d26718ca0d22eeb84979b5c96e59fc190ed0e2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1015B

MD5
8dabf93359d5f102acdc6ff47c83d5aa

SHA1
66285a3137f233c2f12d98d011fdc98f0ac4ef95

SHA256
c7fa031752fd76e826d6be5f27f8a03ac3f24ed13e12e319fef7e56b85de8d1f

SHA512
d5d1ab3d2f3dfa6895283572d257957c7dc3823f513c7d542c2992be8f636b694b1eb69e72388d69ce9e40123fa8ca0ea2bbecba1d9bec6f6292eaabde8282bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
504db1aa6a47717bf2f353cd977e6daa

SHA1
76eccfc2ac47e5c9ce2e46dfebb2547be3ac6a58

SHA256
a9d40721be5bc2e823da2639202b851bae16b7dce3aff933032cbce8d0350cb2

SHA512
363db3884d3771b9663baa16edf50fd37bd0803fe1483042a8b77e963a058910499c6082f09b69642ec7d03d62eedb7ce37765a702cb7040f10ab6c10474fb49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1015B

MD5
c16213ada306e75e0b9455cf2ce81aeb

SHA1
63470777be0e99eff9a156a6ce9af5c458782155

SHA256
fcb2c8a318d62d0046b17ec92e731e26982ec1c9d7e768b1842ab905b78c9a5e

SHA512
9465e4951fcc76ea8a4cac7f04784f5710c67cd62ca4b77c33a0d606998a9c2f740bf42d4607807b5b1a811fbc1b5002176d2f60753e89bb4214bac89c8447cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
506820169a3ea58cefd97c2c27b96c93

SHA1
182facda0a54c6a06d0bdc57af0ee0e7adc75ced

SHA256
513af56420fadc005d0553aa72b0a1af6a65f07253a6b4009ec360997e498455

SHA512
bad805c9645402b93ca2d7cc89f0104fd2b53cfe1e23392d2ab3bdcb5f6eab85e7d4be311f21c82a4b63bcceef6e93a0e390c1ae1cf46ffc7a6534802caf59ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1015B

MD5
f84b40b5852799c8c78ce4187fe163c7

SHA1
315ad544261db388624fae235b87c8ea1ff17f8c

SHA256
16459881241398ac80c42c23bbfb556fe2360ab306243bbd5d3af54cfc346d6c

SHA512
7e7cfbaaf3ee943659c1b9a496bfc76948ed3201a7d50c5f896ef5dc3d340f30b4da3a54568e7115b50af52a5e9a5691b64132a2809fef1286383d5681b5299d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
71a4fed837dbd702c52e6004ee9e5210

SHA1
ab5da77980cb3212aa3bd6368d54184a4c6c2e27

SHA256
ef346734afe55422d508f745899f93ca2cfb5f7a0aff35e792bb4ea6e3d38971

SHA512
58fa5f27482a34be9e895d7b3738f78b53519e6768e0038a78f7af209fea7ffd18e6b7eb588f1dca3cadc92a7839d1a2c5c50635478bd304b7769b14ed5f7491

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1015B

MD5
617ced154ecf1683df40955e381e7044

SHA1
b74f313789ac62a62868bfa94fee3b70aa7165cf

SHA256
3240f10bcea0557bf10de1a791a07cee37b5c694aa4301fb64866bdcb361b186

SHA512
3496703bbadb9a0f740c76d9e694fc3909108f7a7175c2d8793d77b2dacf21c7bf5ae65277493f7f512a591c3c4cf92a1035e1f14cd32eba4895e9f1c8b1ba77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
14f328d13dab32a9331530f05d0d6771

SHA1
89a25e77233e990462511bf292e2c174bcd1b05c

SHA256
81deb34b75ca0327cd774c31040967075f1d275bb14027f6cf416f402c35abc4

SHA512
0acef1918dd8f6335310a189563e963254c1b424a8c71d955edd2da7446a8ebd9513ff65e7746f98a87c94bbcc05d73e18ac2da2bc8edbbfc258c3a5795886de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1015B

MD5
20f7b64cf541744c1edc3ebf4cec82c8

SHA1
5ddc99a47984ab7868ea80f5523076230e0031a1

SHA256
1ee0e9d171b23a49b782eb3ce43ef2c6e62011d9ab285c528423c1fe4be105d9

SHA512
8517fbf3eda701de3b198945d80d8bbb0340f47ea42959367454470eecc8269d1465095a9d69d922844cbc6c3367f016c773fdc2ea6f960959ab6602a5fa5a00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a63bd96d9e2415477a3c442ed9d08c63

SHA1
184fc54467bb3a75432b6fdf6aedbd4c360d2776

SHA256
aa8dfb9ae14fd70affcc5d246bdfeaeebadbb39b3d2197531ea4fbce8d8bbb7b

SHA512
31fcbb624bea2d0a74a554e4dd4a5752d56c59d8e8a779bfc55ba557ace5e3f596eb835931f0c9bbe29d337a5ee919b7144fc4431e3a437a11d4191b371a1901

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
30e10c7962a56eeb93cec9d8504e4e15

SHA1
7b843f53f4dcbcf7cef579385dc7f075239ed467

SHA256
6f76c656d8ce1d6c66c922c6666db946e19bd7a8ce6d641a8730794c199dc1db

SHA512
aafba63b3fd41c32bf77bf5a0df59e2fed27d0a4ee7e57a13af2a8ec2da91f6a42a2a2d94b4ec08a510fbf078ec49929cf180a165511930b85f83b3ec03d5ad7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1015B

MD5
2c88bef6fa4e49c47c32ba7c7f6772af

SHA1
8bb95f995c45576139be050c2fcbec15c71a9a9f

SHA256
28c95fc6cc72309cc34902d5d15db09bc623cf6469afae4ebddedd19e9885d8b

SHA512
9bb7ee184dd4e0fef06a6323974ca5e673d7dffea1b3f0c2db10942922f9c466d1e8a394deeb14da9acb5d5cc1e7cd0031489dcc3d2b1e34c2ab3e8e9fba843e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
03bad43ef6a4b790b164132c4e8b4ee9

SHA1
21300e4e7cba6e0f0c614e8ba3a5897a4f75a077

SHA256
de908b011aa0e93eb5c23e6e3c05d6ae44353c85f183476fe7385b452041d3cc

SHA512
b9bf1807727c7f7e6ef9b2fae707329af2bb4dad087cea9bbf9cb91cb72e2d2d60b4430073de4d9383b18f961a91e77f35a5374225be010884a9b585d3df9bd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1015B

MD5
5605b6e401ac6e07d59e22317a1e7c05

SHA1
56fb5a940ff2a6a1d42b307bccdeb61443cdfeb9

SHA256
abfca22ab71218b72be3b1dbdd1e58a35bd999f991ca5a79d252eb471e32a0fd

SHA512
f480cb87e23c4934fa8a946da3335b2ecf7ef8729e1d9454164664a020c1ef56ebf879bc4d3e61e3335277e87318d884f3a70259367c54d32f4ea8af0f31b8d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
39639a5ebce2020e00b81261ec443adc

SHA1
f16ba93c8b1952eba5536ace577528379f46eb11

SHA256
052f2cdf0ef2265a38e849298273ca3d791ad0db9bffad9c0368b9ae87a77980

SHA512
c4623f165dd638ccbc6ead5b25c7645c63f2d9fef829b7b455faebe3d4b0f66358909875000ad6013dc251b65c4f8e1b9fa738283fa5ad3d8ccf12b5f2d467ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1015B

MD5
01c18aaae879aa77d864c1a858b9d038

SHA1
87b397a705eff3159c14bc51491c88f7a8994000

SHA256
78346d36395ec9eac0aaae0d8c8fa62b2c442c8f408555810714a3c14ff730a6

SHA512
ff2fbbcafacb82fd6228b056b354fbca736614f5bc6f859acfd21d252baf384105c05c1a71a5db67705352170fa7466a7a7a821c90dc106bb605a7a7409468d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
bfc875d4bcfadd27c841520bf55f1477

SHA1
f0812fc02c9ab0072bc375961db25f4b3dca3f26

SHA256
fc7b103071546912a0b0aefc82db640a8e18ff6a8e9085407216f6dd5a3edc39

SHA512
a5466c521c8a2fc5454472fec480f8f3055702bfd2ff622cd69f99d835436b7e788dd2e4ed86de81db0d3fa8a6e3979cf2e83d49bd1b011300abb9bdc281d461

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1015B

MD5
d4af245cc0840143730e0baee56a6191

SHA1
22c44d564d327180d638136486c5a5bdf660f5f8

SHA256
16cbbed42c44f5910c859a37eab9018b91baaa531a7f652f42185a0ea291faf4

SHA512
b18c5bb36cf942a83ad4c0d0da7e0e431ec1816c1ee30e1a261a695f6c2d0116650e6de90224d08a5fe5923493500c8297720baefa8bf5defa744a6765a86ff7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
093b90f12de9be22179c0cecbbd1abe4

SHA1
2d967f93acb6f28800a13532a4921512f76af6be

SHA256
7bf54409802108c0ff908d00c543284d86633d555f7467643c620f040bfce2ee

SHA512
61f0f18a530b77d9a5b541422dac5ea3df3ba4b6cf5cc402f75c32f9df707150fa35e75c3109510cc7097fb54c638b4bc73ff0b25deb1d25e4cf98b2225d3292

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1015B

MD5
254ad08d8ae707ada2478d4b37f783bc

SHA1
02cb7c38abef3d7df403010e04ba1e83ff118685

SHA256
cdf7aa903816483d8caf7a6a560119cd78f8369460ee631fccda70d542645207

SHA512
5b306f26b3c80f6abeb56a1621892754e832c45b7d06f2233818260cc0dd8b344c0d5369e625656cf16b55eab1efa15cf09207740d95753454ec0e5855605dfc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4c55be14c3be4f2165377ee71b88d521

SHA1
db1e726f0af643659b63e18e428b81d0e117cc0c

SHA256
6b1074dd0491fc2ec55b51ec364f1b68c3833d5a51e43b43b96332a666169396

SHA512
1116b03777ea2497c23d2a9bc2a55da9150fdacd5bf795cd227ff1023f8044632c1212447ed3f5307de1d5aa0fd3682a6c137b3191b55b7162aca82e1f3231fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1015B

MD5
26fcdf822c5fff17f939182ba7a35fce

SHA1
77aba185dee6cb36f100fd08d94f0673d6c20d9a

SHA256
44b34db05e36d5ccdc8637f81a72c45882148b1de31f649fb0c25a2d2330ec9a

SHA512
1bdc1e8b6f18a6023ea977317ef65be803956de3b5474f3dd339acf57b08dfaab35288ad6e39d8412b21ec92f199bb233d05d9907da83483f0b73df85fb1cf13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f4e3834a4dd4e22e2304adc58d76d104

SHA1
a0229a59a61be9f8149f4582db50adfad60e8be9

SHA256
e62dd61cb11def69d21e930ee6685d78f42ff87654bd7b573aea580ddcc2b6be

SHA512
676bb5c1aff0ddba38baf59f5eaf818d50298e889393031ca83f3624e057543b1899cd3c6f5b7702853d60189b2e65ea2da7aaeb089f0eb6f36e1cb2c9cdf3a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1015B

MD5
49f2df1eb1f9142e2f12ec5a8d63fdaf

SHA1
57f1a47682039dc4b345a60e62a79f3737199246

SHA256
2dff22880ee0fb313b7627b698af4fec6eb682c29e4985dcab73f36895c20bcb

SHA512
63b71b68fe79106de6ab061e320c960adbeaba64d6d45bf37df8b03849950a50bbf55dc69aa8beb9e5bb128c57df44d9b1b4aa83c920e492ed4e36733391d9ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
06aed083a75ab26bd544392b7e6b751c

SHA1
797ea6473aceb2727e5b02268175e799a9063867

SHA256
283b5e3eb62060f96d1ee68cd7fd409439e92570cf783d8421735de87a2b16a1

SHA512
e1df131125cdd3c06c1a04ed764a870548cef9c67a5cf907ea0429c137d88bfe382f988b56c9889c679a43d09f8388c59296aafa94d113614fea1cf30f59c74f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1e85ce7a0ef229f34efa88f89ef4eb77

SHA1
389b278d7fc6d63e0b9cd3436e64800fd0d5bdbb

SHA256
d7895c800dd1ef6edd543e9342390357a397c153bf438871de4f5ec72143c37e

SHA512
4fe8cb649215573c8cde24b4f55a5ca7dfdd9aa87bfc3b468f1dca02f4a527072720881f7c15130835ee776a3e1070d7085dd6d5c35befe46fdede0fa20c5dd9

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
20.8MB

MD5
48eb9d1993fcadbcfecc43bd0df4e72b

SHA1
6b2cfc5e036587d0ec584e9ba10a0af4e4a372e1

SHA256
d67fdda64d1f88699d86408fd8a150b7f34b4cb12918d62600ddb76d8fd13b0b

SHA512
f13efc43262436434df0764656743116b7d2a11fe93225d7567b2995faa81bbbdde6bea8b4e221677c26fa67239dac7eb076c3ecb2dfbde3ddeffa9fb9e54193

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
20.8MB

MD5
48eb9d1993fcadbcfecc43bd0df4e72b

SHA1
6b2cfc5e036587d0ec584e9ba10a0af4e4a372e1

SHA256
d67fdda64d1f88699d86408fd8a150b7f34b4cb12918d62600ddb76d8fd13b0b

SHA512
f13efc43262436434df0764656743116b7d2a11fe93225d7567b2995faa81bbbdde6bea8b4e221677c26fa67239dac7eb076c3ecb2dfbde3ddeffa9fb9e54193

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2344688013-2965468717-2034126-1000\desktop.ini.exe

Filesize
20.8MB

MD5
8e53b8c6032575f4a6945e51776899fd

SHA1
c26460bc4d0bcf23f544fa4dcc48713a9c891614

SHA256
477181794ab34151d88c4c3a6759c3c258bbfb76d76b6f01fc839474f6d63833

SHA512
3312a0d21b0761956bb75e1aa11de4a3ecc5a8de14d176b1acca5bc77ba07c9d2d4db68c200950c182a18171c180da947ed86b95396bae91656fc9f3d17e38f4

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
20.8MB

MD5
1f0702f557828bfb7d885081eab158d6

SHA1
373ac2f11f2dabf51fdb6e5d351c2770b4d8d72e

SHA256
927310d4a07260477232678066ff53cbd2ac76c82863ba19ea7af8ca1cf63576

SHA512
919bc4695dc98387c5c306227081114ed9133165f9c6d4df9bcfc0eac0378e19a92c8f0defccd87f3426d7deeb2ad163d23e2a444ee6ddf996e406619a1e4803

Download Submit
memory/224-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/224-1-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/224-50-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/224-49-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3852-54-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3852-6-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3852-7-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/3852-57-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads