335d423cbdace888958796c1d23ca98217be3118fb421498195ec57f10d64b1e

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
Size

18.7MB
MD5

46cbdfd8071a9b98291348537f82812a
SHA1

e557e852b7449608764ae50cc3ec25760895bf0d
SHA256

335d423cbdace888958796c1d23ca98217be3118fb421498195ec57f10d64b1e
SHA512

de3f2308df02aeb00d4fa140246de05c80d2504ddca83c91ccd0163b3ca534f0df52b60e012789de4069a6f549dfbcaf90a7e7affa4aabf0e7de453935b4ba32
SSDEEP

98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzM2:9nwngnwnX

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (826) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
5004	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\I:	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File opened (read-only)	\??\L:	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File opened (read-only)	\??\Q:	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\R:	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File opened (read-only)	\??\Y:	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\X:	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File opened (read-only)	\??\Z:	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\A:	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File opened (read-only)	\??\H:	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File opened (read-only)	\??\K:	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File opened (read-only)	\??\W:	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\E:	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File opened (read-only)	\??\T:	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\G:	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File opened (read-only)	\??\N:	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File opened (read-only)	\??\O:	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\B:	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File opened (read-only)	\??\P:	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\M:	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File opened (read-only)	\??\S:	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\J:	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File opened (read-only)	\??\U:	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File opened (read-only)	\??\V:	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File opened (read-only)	\??\Y:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File opened for modification	C:\AUTORUN.INF	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-pl.xrm-ms.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-xstate-l2-1-0.dll.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-pl.xrm-ms.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-phn.xrm-ms.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\WEBSANDBOX.DLL.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\LAYERS.ELM.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Common Files\System\msadc\msadcer.dll.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\JavaAccessBridge-64.dll.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ProviderShared.dll.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\7-Zip\7zG.exe.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Themes.dll.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-math-l1-1-0.dll.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-process-l1-1-0.dll.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_HK.properties.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msowerrelief.dll.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Java\jre-1.8\lib\calendars.properties.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-phn.xrm-ms.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\osfFPA\addins.xml.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jmap.exe.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\TEMPSITC.TTF.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-phn.xrm-ms.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-2-0.dll.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\FileSystemMetadata.xml.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ul-oob.xrm-ms.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\QUAD.INF.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\PREVIEW.GIF.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\STSUCRES.DLL.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.exe.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART14.BDR.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyReport.dotx.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.SPREADSHEETCOMPARE.16.1033.hxn.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-phn.xrm-ms.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMT.TTF.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ppd.xrm-ms.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-oob.xrm-ms.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EntityDataHandler.dll.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia32.msi.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-synch-l1-2-0.dll.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\msvcp140.dll.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ppd.xrm-ms.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-180.png.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.png.exe	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 896 wrote to memory of 5004	896	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe	82
PID 896 wrote to memory of 5004	896	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe	82
PID 896 wrote to memory of 5004	896	NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe	82

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-06_46cbdfd8071a9b98291348537f82812a_ryuk_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:896
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-984744499-3605095035-265325720-1000\desktop.ini.exe

Filesize
18.7MB

MD5
4825b8815394e5341925fe47246095a1

SHA1
95441037ea5d8c8c24a5a9186d16ed5493e7e565

SHA256
732617267f6cb4c9bffca22eaf65a0f8c45220991d05e8b824e9fbe4d6fae38c

SHA512
252f1e21e01c8d424a061d6a1ae6b505b5aa82a8db6d02eb85dc63e92957104ecf8486124f313378f6cfe1faf33f7c2eca7abb5060a0c480cd3ecaa891ed041d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
364884b7094a166a454f5e084594733c

SHA1
972dece2b07dfc2158b54e2a65cae81157ff8ca4

SHA256
69a9ea2c667489e4c29b395df3f67e406a4353c1b63bf19490718024ee97e9af

SHA512
5dd7c500178307d21bbd050aca68a7cdf59daafb767dbc7b8f0b6b939c89ca2b3c0d73773d939cf3da20a6caaff29f4a030ca6962d7155f32a04fff6c04e7584

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c38f35e211ed02e91e2b7b6ff6eb9e4d

SHA1
c9424a45710d665e994daa43cf5e341cd26d6307

SHA256
d497c328da1be377029cc6bd9cbdde006a8555e3f28ec9a59b422b0e359b15c5

SHA512
27b5fe9bf8033da782faac9412b39c8b6203d1fa75c26ae35e0afbf8a2b62607e77dd8008f9edbf8612da4c680dc1ecfa8e08c35bd84dea32f6091a6178cc3c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
7149f0e3c34a0d25001f73414974b65b

SHA1
648a456944ce92433881827b426cf95288e85784

SHA256
2184b446c18ae1bbfb9af6157837c35cae5d07906e8d999e1a96f141e056f9db

SHA512
4c2a0a3ae409bb154b65671c73ee00afcf38db5acce07e509563cb7a1a2acd0ffc15fea1a72409f2fc817e7d755cb640d578a251b1744432ca4c72cacac257e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
1c68953b9330e0af1573c2e1124bc1bf

SHA1
3e857d4fd375787c4dd792ffc198991663b262fa

SHA256
5727ec5f28742539c680700b7060c8df391b14dc4d44b28d1440ee5e7d947a9c

SHA512
a8ece0d7f6050b7f9e15b7fd53e080e4fd53421bd8648dbae97f16accd78cbe5202829b86370934835621ce870f87dc1f6006fa074a815150585de7a1f05c789

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ce567695f3cc73ee1fca04580ed89827

SHA1
024a593bdcad9ea292fe7e16358e3232ec868727

SHA256
919f11c2d9c81194ed018409031a29d8b0b416f3da159d5cb77e2c63695959fa

SHA512
9677166b2d267e949b3008f6a12b516936dbbcefa33e725f6e1e3232f04bda1148c0bc538fc356ae8469eb2f1d919b388ebbd0d35e2080bf904ce097ac9df89c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e0aac50268a7f231c231d0f9b30e2ff7

SHA1
1f98096294ce4921b4b236a4b7b89e81af15cee5

SHA256
a955b25a0984f2d0357f858af1eaef3c12b32b1c03d4f57f6ca0cf199e92f6a9

SHA512
9d9b94d27208720ff2613f723e42b3db1c9405ab582a08796de3322cbbd445dff7f7dce9b39be30faf21b288b275cc901705c3cc194382f621b39da8247e73eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9160d8d165ad12746d510da207aabdfb

SHA1
349778326f344832f5bef14624ed355b4db84687

SHA256
56bd66ff203342bba48c3b18d4527f293511d518ea36fcb504146ef30e8ebafe

SHA512
8725aed717ef887e0954e76e1e6055d9e4ad90fdcf11f8e46bfca9094be6f3ce327bdaf52739462fc49828b8fff9b707e955c9e2c2e573e7e3a75f50c09aa51b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
87a1051110e2257d5399169e28154fa8

SHA1
ab9481279e389dca3d979d06a3869e83b887a16d

SHA256
17ab4c2619b3ad6e18e7403bc4462a745007810609c2d1b74dfce7750d311692

SHA512
3058de084aa37d6aac8731fe67e3d0dd7aaffd82ccaf5b8a04f6cf53f09e33969b55a70de73334b900a55fe5356e3721fc829ec261d80913d2c38003c3255fef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
145b0ca5763f07a8ed7de0575de66562

SHA1
9306f556de9b68db4c680760c2d38025e088b6b0

SHA256
7e4705d89b578e6fae6ab0dcd6485c1c0aeb8f19bcf21b36133be23743159fb8

SHA512
c796a03905f975354166d05f3a8ebb9ba246f9b5a18d803627b8b49def122edce94a49493d8c7587f14fcacba84ccbb3cd22838105b53f52cf80ddfff1f8ed80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
339eaefc4b3f31d96bc738f09c9e31ea

SHA1
455753723e88ea9d35b3246f6db4327078e41f5a

SHA256
c97b01a0a34f644acc43ce1a33a45373eee4e1e3daac2e8970f647f5716ea12d

SHA512
7c95121cf1769906073d616b88ade40e9f6f83c887fdb4f6ed49695c5ae5169025134338252fa70aacdf34bd98b84e84b2952d1e793c0dd89e38b0deb5eaa4b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
996c1a5079a961b8c9be028978b394c9

SHA1
245805845c14c520bfb45b5c65ad88d1bd71d115

SHA256
9cfe4b842df42a557decb814eab3b430a969c1f3921183be35d0bcf240ec20f2

SHA512
16d7f5d969cc4f974e69deb12e812e4807ac3d9fb132016804cf7eea0e6b5e25fa0af44418c39dd0ac9c0a56bd273c8c805ac328605a9725cdc5ad459bdd8b67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
87bf7bad9b94a475d9697346dfc4bebe

SHA1
ba48300f606b90c77b2134ff652d1bc5ea366896

SHA256
95a3f3aa805169e4a75c7b34abc691bbe77fc3639eb83627ab97b17134598acb

SHA512
d52c2d078396eb398709ac8cb98e804503e6b0eebdbc54e1cf4b8cd6e776c807f2fe79298d99d8ad40f33e2e3110f09d05c3e98ebc53be6709e10c2a8e1c5a6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
236d08a6887c9f2ed71642c880c73bdf

SHA1
0e6fecf0a5e25b627692c74911c18f65f537bfc9

SHA256
c7a2e702aa7a817c7d5096faeceb778638e396dca49621a053fb44d10def7d88

SHA512
2b0fefd916f3633330f34c85da5517634aaaab5774f97a200dbd995e7723a1a38d29764e47efe35e5e62f36b04b23df8e3d66e2205f5073215b33cf11be8e763

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
939424bb00154b621061f15afcb9b1de

SHA1
32543c5da405a09ed6f189ec4f51b1c6df05893c

SHA256
0b59d0d957ea4b03d39d6252717305dd3b95962279fb97e5b4998648df49adba

SHA512
5df4a78f878f5e10f88f1e6be47b8b0996d9611dea8c4ecd52374ae758226996558d343e75a10b9f92ba3cd1bf5761dc00b5341562e7c53a71d6d9e6e414eadc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8fb66df57e6712c8ceacd07f04ea298e

SHA1
4d6669a31eabf6d3aedc93bd8c5e68bc25b95f26

SHA256
5fda43d67aa1fc4f3705f33e6e5e6132b3c9b24aea8cc381abb1a6d438f6fe01

SHA512
a21fe781fc7be47b01bb872c4221105aed93803d33d717fe8e03acb7800e242cde699fb21b555a8eb75bd504b0e37af3df9d9a236a967c969541b4333d550d01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
99838ecfe42ffd39f069f8f6a69426a2

SHA1
98cb52711d2956751bb76255e2782afa378625c5

SHA256
53267b0b0ae39514cc21632f6744b2870f704355c83a7c5ad8240c755d7d980e

SHA512
d7c742b53932f09c7d937b105a93a8c6e3e860dd17c1dd765fa6e553894ed863ac4d52a08197431d30c045ae85bfb36ebfc005472658689f705beb2b96c8553c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
225dfa839537c5977bb95159f693375e

SHA1
47786d6590a88643aececf594a661d6b1e86c8d5

SHA256
61221c89d24e38c5d4efd558be3959a98909bd7306bed55ff70b85cb7bc71739

SHA512
85f48da7299b2f20908c2872a56f5dc40d30b053a9689fbc67c00ab3809a1c0c53e8591de55ea36ddd45abb0c032fdd8399166d73dfa182438f58fa7865ddb93

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
aa73500b16089a74fd3e9ab7ef51da82

SHA1
cbd702575846d8e3ab9e01e36b698e55d453bb9e

SHA256
137e26af7670d2174631cec6e95f72cdf06a804ad18ec1704f2382e66c302e5f

SHA512
121e2b2615b11d18e847aa5e31a163938f8c047478d00abd60c436b5f17805c82ab9f7365ab69910e5f90861e920367f0e419f30730abc8d9e281e6a1275153c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4f9557b90aa29e84db2db871c13e3b02

SHA1
fcca3749c6fce6186453d91ef26576594e030b56

SHA256
5d8d7df80fbe16f17ec6cda0fe0b621e326318673e382770f27d7b2d494360b2

SHA512
400c9e4fa08d0205f81dc7e58bee0a11de5f82d95521b6d9cd5f15f67d05ee040b250c13682cdb290514812e960b8be6035460ac47ec7636f987a5bc3a3af599

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
0e396e9692379751941421c7fe30f687

SHA1
34cfef6e6a79ceb77102e26a46a3945e83714385

SHA256
48222bc82ed4caa2ddf824851df29f01763a0e7da2c795077128483a254feb49

SHA512
7c366c20eef6dc6eab86c8eae0ede3d7a39e682b6f8456ec895a4747fb6ddc4079435e02346a2b6fd5561089af060954bcc115d40b674521cede60923782e87a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4274b13cf367c29752a231646176c4d5

SHA1
c2c6df38a7a60e5f5754f748a52fb6d771cf9a56

SHA256
1621bc272f47e90405b795e774d1c5b7cd7b180646541c0c0bdf964314061c57

SHA512
2d1a73b25fcb1e2676d1e6bb4736d2383967e4b508a4c8651327be1b81f0f3f94bfa2515cd860ecce40b5e3a7e219cda9a6321684f758e8be709ac2972db6bdb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
35aae96d83bf4f6544b4b8ca0ce28fbf

SHA1
2cec88bdedab3bed52b45c0f87988a1ee18b0158

SHA256
689e5b6e6291a32d2444dde749fce91e2d8971552e6b688a5a52ed7b231ee922

SHA512
a67a1582a33f2cfa9d32f7e3e805e2b98b0dad1014dacca8331118bc6566395b3af553396c2fd1e00320a88ae44e88a422d079d9a19fbf45702e5c93961032d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e9913a2b32691896b81e8e253d0ccec6

SHA1
5481f49c66d5312faa3b022536c881fa48f1e1af

SHA256
ab10da4c8737bb73a40403127079fe1c499a5ebe92150e275e5c797dbb0998d1

SHA512
bfea24bb89f0073b4eb47b10a86d7cba3bc91ae88f5728b219d921572f4dc86756fd94cb5db9dbca067f89f950229111ff49e6e4f97118881288dbd27efd7d03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
f0710629ff1147c9c93ef00a0da667a6

SHA1
b4e61c01736d3195fe3cf55ac2fd1f8423b025bb

SHA256
cfcc51ac846913e74bbf1ec4d20daa70a823f8560c402b232083218b3d1abaca

SHA512
cf6d6f580047e27b072de0efe0464526ed81f3f07dc51a43314c5349e987c9fe9c96a5119d4ca3b70e1495cf06bbb2dc51b40177766aaeb963bd00deaa19a4bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7bd1344f0f8c9dce6d053d68076b7bbd

SHA1
f4b76df206f567f67e23c8c88f68448992cc7542

SHA256
6e1adf0cd6e18906f36f70fa4a9b94998b158924cd2de302508ce2029260d26a

SHA512
9da7334f165acb9c627208e765af6af8183f0c5423c071d0e7572fbef811c33629ed0227ad59eadf78f0603323c25aca43b315313f4ba5a51f889361d618ae6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
42dea82cbc0d2af7478250434b702a03

SHA1
79459ca7c5b9bb5cb957b542131ad23d5b647903

SHA256
23a1389c9956b3783dd5aac6267262d82af10fc05954a029cc5464dc931325ea

SHA512
c65f53578e596027a6f2063bc1d4a37e81534e3c84c8ff718a3a7424873b78fac190717ba608c45bd32d95c14a332bd7b3c23b3c6512b7bbcce75339f6586526

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9f556d9a7c635dd4ace04a5c8fb879a2

SHA1
e7be04d79ec7984f9efab972916eb0945f779b8c

SHA256
1e928189bc169a13889462ef7c0f7a6e266e418f06ae63ca0ef8ff04ff24630d

SHA512
7b6e9af4391634a82e94a9cec92c6f741bf20a12676350d3a250a79b46b3ea0ffbc80de4c509279982f54b756902498b6ec70c81ba00fc325ed77563533755b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
86a0b478cd757938ea04e4048cc2284a

SHA1
7ed5352ff6ac04275b0509a28f27d8e474669195

SHA256
ff5f484ec40667a9d8a7ef74e3ec74e37b68c0d3903c95fab3f6b9452841b11d

SHA512
dc68441e31324c893a043e32c63d5345252637a4cdfb8e30c84fd0692b0c0e447319afc529e1768566802a0246e7259751996065b07604345247ace2a3f44426

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
dda8fb6ddc5d23831ebd41780d389072

SHA1
983e0fd99f40fe9592b8ab7b71b594fe35d9e1a3

SHA256
70884156d2f161926f3bcfee230efd795a4233e0ea86f6cb8e396f63d6b092ca

SHA512
9ec92c806e374d708f6febee9aee933af5c42c307feefae5b36f4decf1d7db753e3772782b39842ea26a46832b33efe19a01be69df09b1d24bcaf27fc55590fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
6fce2b66b75e310b08f3861746a0c1ea

SHA1
e1b459e4fd519214028438cab4612d7805c36936

SHA256
a39dcfc78ad8b96bfc485fb42464434a781af9dacec0b57718ba84c79309869e

SHA512
2ef31aabf0eeb0fc995f73bda0fbf42dd83c9643099eeda369c54cf070678c32905f916caff67a14eea9927604ec065e6d5d5b25b320a41db01c0c66a5c95b2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
0599407db6d6cb059e09af4c0b1947e2

SHA1
8c1ad74f7b74af6e3afce49cd069ceaf6179c04e

SHA256
2eadb9b5d36c8ae32f36e55eac4c7a505324173da85d34d20eda9cb94b59a940

SHA512
945ccb663c5b2ee7bc84016641727a6244d6fa949bd8964f6d95a12292f5ad09eefe5ae3b2dc4e46c765322c381d408a95348ba9eab5ae8d1fcef843d08a3069

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c996b289d15cc329bb2bb091be706d79

SHA1
184c46d78ee9b33fa3ce4928473184abc9da6a18

SHA256
0c4a4ed562ad627707bb882eb80997a3344b3f497538c2031f2227cf58375e81

SHA512
9848301f72cd35527872d96088565b4e6be9142422c20a9c605d663b15d92189847132ceed334b9db928b0ca5257211593d08ba0a73bfe42df9d71dacb47c158

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
60f1b545a468b222e7358b51a4dfa4d4

SHA1
d183453afe848d5c866285a2d461ea9ad922e065

SHA256
745391775e944c00eaa2c550a8036faea2c2d3f0bce62591f8da5e1e67f22ad3

SHA512
2afdc3fc9365d8d4fc0e3540baaaa5e0979c7d835f3d8c396c7a1f6e9e411aafb8d2f13988b7b0293451c74a94203741a5884e65a5b61d156016c9ff0e1505ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
955b0e0d22844c59f5742c859fbea3ad

SHA1
7d4e20b89627fff155974559d80260c91aed8cb1

SHA256
2cd20a53274dd8392ee090d088648192bca4d07247358c91072f623d1048271e

SHA512
c2cf08c703387cf7230aa6e451803fbd55dc6d2a408e7e3198dbf7be487bec65a0d2d657b3543acd4560e25be9408c2f88bd91834d8622662ff7468508d372a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
84157fe6099eb0aee7c86a9eb18e1e97

SHA1
179ec3abb04f0eedf3d1536d6ab514adb76261ce

SHA256
f53eb58833d0b55959890660e9e59d2ca32bf62af9493893794441aceba77296

SHA512
4ed431b145e95bcb2b4437fdb23f92e05a20706d0d8574bc21399aac1a2ab754554edca48950c9f1529a4c2cce1e4e64bd7ebd8d58e20cb1f66ff24f0a66082c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
dbbf565371a9c19252829eb0147533e9

SHA1
8aefa718345fb598b80e7089983fc192c0ca586d

SHA256
26473a813aff8be69db1021de01fddbbb35bace2b1d81419873e87649930e378

SHA512
702ab1e7028bbe30e6b5adcfa063f2f528d9f676c2ed7975e98ee47c75c7cb8f379430f484e75670129733ec86fee9b33e5a82834a50d5a24885ba318002f65d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3a054610a84881cfa6fd39e6ca2498c2

SHA1
804e7530d2ab486bffa673c9e052fee2af34ef20

SHA256
e36ca7304bead47565e7affec774808c58da01b47b1bd80173eabef034cad9ca

SHA512
0d53344137e7c41d51f61cd8b5d137f737c4b7e29b05c627044c46989440eefd7dca1ab94598ba10b7cd50f41f4d23895044a488ddbae503e10c0fb4a38d40dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
68545b073af599bd482954c0dd833ecb

SHA1
d5b0620a69d4ab971f1d41904da45f4cd6fa621d

SHA256
f3c671e1bc0b0387deea834a9435fbf1b6a98f31cebb5d5eed9acfb7a6ea77d8

SHA512
26f09e657a84fd67b480010bc09f4fa5fa46dcd12eca15378bfc27feafc0ae0d4dcb750fe768111a7a7c83ed2067611563673d34eef1a81b0f08caf081839cd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d8c4978438bd880f3a98c19709ae6820

SHA1
05e02275c1ba4bb159bee53d18d60a47f958e7b7

SHA256
c563cc91d1e2ad0f14bfe7098ba280ab08fe26aab7110caf75a4d4d60372f2e8

SHA512
d4d3db90f3227d864244de59c139f9eff1d28aaa196283bafea428d42a07bee0c01fef12f4849b3a5355a02905276f4a4cb548427374a2d24488b9789555ed62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
6d454d6aa2ebca17d55fb26b984e25e3

SHA1
31141980723b6dbd6fa3aa8b5a9e786bfab14a89

SHA256
aef549136b03176d232226884779eda42cdafd601997c7db7c1f4e3a4d818142

SHA512
191bdd0db99df8c4227b573bf537112d0edd629c7b5770caee767b7509db86dc8f3439793ff030a233bbed3cdfff3a3bcc2fcb7f0a4658dd1cfe100d5957fdf6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
dedc89b3cc8198d9dbc422b351a12753

SHA1
a928c1be36b8674b217a2aa2fc2a452df4630764

SHA256
8d4e6d60e6dd5ff5c9c49205616af78480154841387852bdd4c8b780c05b90df

SHA512
3ff61b1445136a96a7fd0b9a300d616363d4f6afbf7272c0f196981741ae7dd32aa2248c7725b3cedfc29690e60f4049647be6b26667f492f150eadabd76b5cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
aa0d75aa4d772de4c316f1d14b795665

SHA1
039117d943842f023d0f8adb1d05ab31583f249e

SHA256
085f75cb028626410a9b8cf99b2d988bb619a1b439a5a0011d9ea645744b067c

SHA512
a6ef2639398062d4690ca7c2c316b6f0e20446318e85abe3bd046d3126b6f5ff1603b4804317c22c9a98c74c8d54ff59617f9c9caa402302b745fb783169ce95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
0fba51227c4e7d482f3a3b4c42c65aa8

SHA1
a1ab407065f5f02e095bf4cc07899e4d2abb349f

SHA256
f86636bd054e4742b2ce869c8f911d2a02d512e2c641d02098189832655dd3e6

SHA512
c6dc96aaac1ad8ed0ac126c2c1dbaa52b3413d33875d81b02bea472ceab92b7aac84bac9f4e839239a3ff2974a2d8ff6c8675206ae30c081e97734f67144d614

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
df855d4d25e0a268fe32b368c8c55315

SHA1
256617ad5b3e81c4179657c0f4d3a7e082e521ea

SHA256
46466262e5795ef45efe73c920f816abee056c4de5ce52d32bac5ffe65fb8a3a

SHA512
03150d91d5b9eca7f95f87adc4879fc717dd3bf50efc902e2fbbea8dd42c181f4528d828f813d9ec935fb85bebd41e94287690ec09c3b784f09230f358f93393

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
428a44d17d5dfb854c96e565dbf83c21

SHA1
d4e7cc0c5a8cbc8e3f8a40cf4de198fa76163f81

SHA256
d99b649b859e7eb49a960779d1539e4201855fedbde2ad7e06f8fdb29b81a6e1

SHA512
2187c029203635cdb0f4bb6dedddc51714060395f940d8f368de829ee841b7d16d089529e18771d91a4388245b7e235b4fde96ffa844940189d502217dd1064f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
64576db6b9d7f106f0035b33bb865f34

SHA1
9f649a166b357a3c5e57d2292be3ca8d57bed7c5

SHA256
0ceb4c558c7f572a2899f53c26d877116d89bada584b1de66edcf58fdeb6369f

SHA512
41868e279d465c3c91be04c77d953ed4da8739cc9943571ce0f7ebe319a5eaec55d86531a2e7afd800a7ff8c48d0702d671c05d96bad7ac6783bad9e334734ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
1fc538ba7bbdcb4a503148fa5e05a200

SHA1
bab5a2801966c0b4f670fa2ad0edeb7852c13e1a

SHA256
1dd97b5a8367170b81caad9bef7d52bf1b68dfa2e5c6a3dc7089671c6a9c40db

SHA512
e8c8a622f11ab04cbd85e3d8110a679747290ccc3c17492f4912130ae1cd777f4855b1f206a8aa946bb3740045bbc9946ef5a9732e3cb13bd804707f33eb1a62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
1fc538ba7bbdcb4a503148fa5e05a200

SHA1
bab5a2801966c0b4f670fa2ad0edeb7852c13e1a

SHA256
1dd97b5a8367170b81caad9bef7d52bf1b68dfa2e5c6a3dc7089671c6a9c40db

SHA512
e8c8a622f11ab04cbd85e3d8110a679747290ccc3c17492f4912130ae1cd777f4855b1f206a8aa946bb3740045bbc9946ef5a9732e3cb13bd804707f33eb1a62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9265932fd001f5e8d46a7369490a51c2

SHA1
885bdabaab1a4ca5fba60b301da038e40aeb6580

SHA256
97a86bc331456253d784863cccb68a5d4622b040e89160127924b66f4a7a4b89

SHA512
72eb643a7a0e3eb67c7c0c86df764c8bcc5ad58bdba35bd2988438757171aebefabdef84906c14dd6657c8bea292a8e89e1bf891b5fc14a81cc20504a20867e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d74f6a6c42d0c0475dfd51442b818e76

SHA1
0a583a1e5c3edce57503e86be67c062357394638

SHA256
f96f9ed438e9199d3fab625e2faf9364d91bf516d8b3c4c838267cdb2d9df3f9

SHA512
df425eedd7757f59b9d1c0e717bdad4a8e5bbc64b6ab765897640bdec7ec8052067edc4402b15b16374f36b37f7b4565e16c869e561dcff33fae905d27f541e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3401372f907b3a58a7bcfd6fc7842f37

SHA1
828a825ef779230554fd120b5a3735e3bb343d9d

SHA256
78965c40c891cd96338b1e9ce855bb6eacdb77235ccfeeb1de5c47761c926020

SHA512
d3ab9499317ec16677951ca00887c1767c7b0646ad5eaf1f5f24b8bab975714971fa529457ea903263a20f1cae2f6f7079599257f9496f56ce218865f8255d86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
06d6aff9f978add595c23d6003be268a

SHA1
58e677a63114ce5b35264f0ad00d740e7eb5baca

SHA256
577d1dd54ee66951248f2f400c080f310ba253c8043ee1775df109472673e2c8

SHA512
3f9ea0c8eacf98255f9cf08d1bf093a672a653aa2c9f58c1e5c6af614e709b43a988d7160503adbbfe5ddd1085df90fb83b5fa221dd3af9704e5c3dc2c082a71

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
18.7MB

MD5
f930b9a5be278eaec8ac6671d7df88c8

SHA1
23d52d0fa05dc95f9ccff59d96436a6e29c39ef2

SHA256
a23473e7d506ceb7e12013ac1c75d443e02b5edd7398e8f5da083415b7bf1177

SHA512
eff2e8132ab32cd68e6ab8f78d9ee16ae8a65ea596b80ab8582383b4ca458adf6b5b9fb52d40af0231fc86bfbb496d4c10590a3338ed08ccc73bc56aa3fcc823

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
18.7MB

MD5
f930b9a5be278eaec8ac6671d7df88c8

SHA1
23d52d0fa05dc95f9ccff59d96436a6e29c39ef2

SHA256
a23473e7d506ceb7e12013ac1c75d443e02b5edd7398e8f5da083415b7bf1177

SHA512
eff2e8132ab32cd68e6ab8f78d9ee16ae8a65ea596b80ab8582383b4ca458adf6b5b9fb52d40af0231fc86bfbb496d4c10590a3338ed08ccc73bc56aa3fcc823

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-984744499-3605095035-265325720-1000\desktop.ini.exe

Filesize
18.7MB

MD5
aff86b0a9f824f92e1f8da872840e4cf

SHA1
f26eb6cd963c61332541aee92882f431c65984b0

SHA256
3b102178d8259a466bc5241d87d416fb7f15528a051d37b133162406a03d033e

SHA512
27d79f2824621e518b1e44be7238b56249bb8a9a1e900cbe4635ec68108b8ee834f37467ae3b781746b1af69b77da0911fc80eec16dfbdddb01f66b634790f36

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
18.7MB

MD5
46cbdfd8071a9b98291348537f82812a

SHA1
e557e852b7449608764ae50cc3ec25760895bf0d

SHA256
335d423cbdace888958796c1d23ca98217be3118fb421498195ec57f10d64b1e

SHA512
de3f2308df02aeb00d4fa140246de05c80d2504ddca83c91ccd0163b3ca534f0df52b60e012789de4069a6f549dfbcaf90a7e7affa4aabf0e7de453935b4ba32

Download Submit
memory/896-1-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/896-65-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/896-86-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/896-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5004-7-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/5004-109-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5004-6-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads