2f903758f36b65ac656a83ac96b862868e83de61d819b2e679ce9065064dbded

Analysis

max time kernel
149s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16/03/2023, 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
Size

2.4MB
MD5

242e96edf53765c6d6bfe95604735075
SHA1

d92b78af00a4697aefce7af43455c635fc302506
SHA256

2f903758f36b65ac656a83ac96b862868e83de61d819b2e679ce9065064dbded
SHA512

a4a1063b463c4f6b257243190bdac3a17c49c042159047697c6fbf8c7fa62143d31c4848e3f500548efc8e8eea5604cdab732088d17dcc92b884d391d3f5df46
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCH:eEtl9mRda12sX7hKB8NIyXbacAfu1

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe

Executes dropped EXE 1 IoCs

pid	Process
1224	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
1396	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
1396	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\A:	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File opened (read-only)	\??\J:	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File opened (read-only)	\??\R:	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File opened (read-only)	\??\W:	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File opened (read-only)	\??\Y:	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\F:	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\G:	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File opened (read-only)	\??\K:	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File opened (read-only)	\??\P:	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File opened (read-only)	\??\V:	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\U:	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\I:	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File opened (read-only)	\??\Z:	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\E:	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File opened (read-only)	\??\L:	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File opened (read-only)	\??\O:	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File opened (read-only)	\??\Q:	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\M:	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File opened (read-only)	\??\N:	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File opened (read-only)	\??\S:	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\B:	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File opened (read-only)	\??\H:	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File opened (read-only)	\??\T:	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File opened (read-only)	\??\X:	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File opened (read-only)	\??\Z:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 1224	1396	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe	28
PID 1396 wrote to memory of 1224	1396	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe	28
PID 1396 wrote to memory of 1224	1396	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe	28
PID 1396 wrote to memory of 1224	1396	2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe	28

C:\Users\Admin\AppData\Local\Temp\2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2023-03-15_242e96edf53765c6d6bfe95604735075_ryuk.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2647223082-2067913677-935928954-1000\desktop.ini.exe

Filesize
2.4MB

MD5
b9369850c9b21e61928c59d61a8bb81d

SHA1
96e8c58cad3fe17776fc0ae04ddc5e36e3b49f1b

SHA256
d0fdf666f15fddd943bde6e99b2435578da8a6ccee0882b346329ba8a420bc9c

SHA512
704beab63060933f48e64a849dabcbaf82f00ceb7940b67f59f318dfb8a41ae41accf933bbf71450081114bf850657445a347d7142102be13be5a58d0791e806

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AutoRun.exe

Filesize
2.4MB

MD5
242e96edf53765c6d6bfe95604735075

SHA1
d92b78af00a4697aefce7af43455c635fc302506

SHA256
2f903758f36b65ac656a83ac96b862868e83de61d819b2e679ce9065064dbded

SHA512
a4a1063b463c4f6b257243190bdac3a17c49c042159047697c6fbf8c7fa62143d31c4848e3f500548efc8e8eea5604cdab732088d17dcc92b884d391d3f5df46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
89544013bae6299b73deb95b5568306f

SHA1
fe9fbc2bf427fa03efd9f0b68385373d4f4ccffa

SHA256
5f933be848880f1828c25310b2f002487616170a2ff9b746286a4b882fe82202

SHA512
2b7d49dbabc811b6fe938e3bcbdad64a79dd4cc61991ef69f4e27b68542c708b5e1908b02445244e4a4e7230543dccb5d382a01ac30499ae4acc27f82e13c60e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
08072edabf046b6cb61719082a9cbc05

SHA1
b2da71896a76c164ee2d6a2f976d760712125366

SHA256
834eb3c362333b9e3c2275fe33c27fcdd84ad5f9b07f96a0a8f81c9728c55784

SHA512
b6e5548428c6c303070239ebd7846c226252b8c322f89072a267e4b0d401fc504527920ead18f8e372e2bc6e9f1b11afafa0aa6c95c2e2b79d876f2acc96a63b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
89544013bae6299b73deb95b5568306f

SHA1
fe9fbc2bf427fa03efd9f0b68385373d4f4ccffa

SHA256
5f933be848880f1828c25310b2f002487616170a2ff9b746286a4b882fe82202

SHA512
2b7d49dbabc811b6fe938e3bcbdad64a79dd4cc61991ef69f4e27b68542c708b5e1908b02445244e4a4e7230543dccb5d382a01ac30499ae4acc27f82e13c60e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
08072edabf046b6cb61719082a9cbc05

SHA1
b2da71896a76c164ee2d6a2f976d760712125366

SHA256
834eb3c362333b9e3c2275fe33c27fcdd84ad5f9b07f96a0a8f81c9728c55784

SHA512
b6e5548428c6c303070239ebd7846c226252b8c322f89072a267e4b0d401fc504527920ead18f8e372e2bc6e9f1b11afafa0aa6c95c2e2b79d876f2acc96a63b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
08072edabf046b6cb61719082a9cbc05

SHA1
b2da71896a76c164ee2d6a2f976d760712125366

SHA256
834eb3c362333b9e3c2275fe33c27fcdd84ad5f9b07f96a0a8f81c9728c55784

SHA512
b6e5548428c6c303070239ebd7846c226252b8c322f89072a267e4b0d401fc504527920ead18f8e372e2bc6e9f1b11afafa0aa6c95c2e2b79d876f2acc96a63b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
89544013bae6299b73deb95b5568306f

SHA1
fe9fbc2bf427fa03efd9f0b68385373d4f4ccffa

SHA256
5f933be848880f1828c25310b2f002487616170a2ff9b746286a4b882fe82202

SHA512
2b7d49dbabc811b6fe938e3bcbdad64a79dd4cc61991ef69f4e27b68542c708b5e1908b02445244e4a4e7230543dccb5d382a01ac30499ae4acc27f82e13c60e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
89544013bae6299b73deb95b5568306f

SHA1
fe9fbc2bf427fa03efd9f0b68385373d4f4ccffa

SHA256
5f933be848880f1828c25310b2f002487616170a2ff9b746286a4b882fe82202

SHA512
2b7d49dbabc811b6fe938e3bcbdad64a79dd4cc61991ef69f4e27b68542c708b5e1908b02445244e4a4e7230543dccb5d382a01ac30499ae4acc27f82e13c60e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
08072edabf046b6cb61719082a9cbc05

SHA1
b2da71896a76c164ee2d6a2f976d760712125366

SHA256
834eb3c362333b9e3c2275fe33c27fcdd84ad5f9b07f96a0a8f81c9728c55784

SHA512
b6e5548428c6c303070239ebd7846c226252b8c322f89072a267e4b0d401fc504527920ead18f8e372e2bc6e9f1b11afafa0aa6c95c2e2b79d876f2acc96a63b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
08072edabf046b6cb61719082a9cbc05

SHA1
b2da71896a76c164ee2d6a2f976d760712125366

SHA256
834eb3c362333b9e3c2275fe33c27fcdd84ad5f9b07f96a0a8f81c9728c55784

SHA512
b6e5548428c6c303070239ebd7846c226252b8c322f89072a267e4b0d401fc504527920ead18f8e372e2bc6e9f1b11afafa0aa6c95c2e2b79d876f2acc96a63b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
08072edabf046b6cb61719082a9cbc05

SHA1
b2da71896a76c164ee2d6a2f976d760712125366

SHA256
834eb3c362333b9e3c2275fe33c27fcdd84ad5f9b07f96a0a8f81c9728c55784

SHA512
b6e5548428c6c303070239ebd7846c226252b8c322f89072a267e4b0d401fc504527920ead18f8e372e2bc6e9f1b11afafa0aa6c95c2e2b79d876f2acc96a63b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
08072edabf046b6cb61719082a9cbc05

SHA1
b2da71896a76c164ee2d6a2f976d760712125366

SHA256
834eb3c362333b9e3c2275fe33c27fcdd84ad5f9b07f96a0a8f81c9728c55784

SHA512
b6e5548428c6c303070239ebd7846c226252b8c322f89072a267e4b0d401fc504527920ead18f8e372e2bc6e9f1b11afafa0aa6c95c2e2b79d876f2acc96a63b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
89544013bae6299b73deb95b5568306f

SHA1
fe9fbc2bf427fa03efd9f0b68385373d4f4ccffa

SHA256
5f933be848880f1828c25310b2f002487616170a2ff9b746286a4b882fe82202

SHA512
2b7d49dbabc811b6fe938e3bcbdad64a79dd4cc61991ef69f4e27b68542c708b5e1908b02445244e4a4e7230543dccb5d382a01ac30499ae4acc27f82e13c60e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
08072edabf046b6cb61719082a9cbc05

SHA1
b2da71896a76c164ee2d6a2f976d760712125366

SHA256
834eb3c362333b9e3c2275fe33c27fcdd84ad5f9b07f96a0a8f81c9728c55784

SHA512
b6e5548428c6c303070239ebd7846c226252b8c322f89072a267e4b0d401fc504527920ead18f8e372e2bc6e9f1b11afafa0aa6c95c2e2b79d876f2acc96a63b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
08072edabf046b6cb61719082a9cbc05

SHA1
b2da71896a76c164ee2d6a2f976d760712125366

SHA256
834eb3c362333b9e3c2275fe33c27fcdd84ad5f9b07f96a0a8f81c9728c55784

SHA512
b6e5548428c6c303070239ebd7846c226252b8c322f89072a267e4b0d401fc504527920ead18f8e372e2bc6e9f1b11afafa0aa6c95c2e2b79d876f2acc96a63b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
08072edabf046b6cb61719082a9cbc05

SHA1
b2da71896a76c164ee2d6a2f976d760712125366

SHA256
834eb3c362333b9e3c2275fe33c27fcdd84ad5f9b07f96a0a8f81c9728c55784

SHA512
b6e5548428c6c303070239ebd7846c226252b8c322f89072a267e4b0d401fc504527920ead18f8e372e2bc6e9f1b11afafa0aa6c95c2e2b79d876f2acc96a63b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
89544013bae6299b73deb95b5568306f

SHA1
fe9fbc2bf427fa03efd9f0b68385373d4f4ccffa

SHA256
5f933be848880f1828c25310b2f002487616170a2ff9b746286a4b882fe82202

SHA512
2b7d49dbabc811b6fe938e3bcbdad64a79dd4cc61991ef69f4e27b68542c708b5e1908b02445244e4a4e7230543dccb5d382a01ac30499ae4acc27f82e13c60e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
08072edabf046b6cb61719082a9cbc05

SHA1
b2da71896a76c164ee2d6a2f976d760712125366

SHA256
834eb3c362333b9e3c2275fe33c27fcdd84ad5f9b07f96a0a8f81c9728c55784

SHA512
b6e5548428c6c303070239ebd7846c226252b8c322f89072a267e4b0d401fc504527920ead18f8e372e2bc6e9f1b11afafa0aa6c95c2e2b79d876f2acc96a63b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
08072edabf046b6cb61719082a9cbc05

SHA1
b2da71896a76c164ee2d6a2f976d760712125366

SHA256
834eb3c362333b9e3c2275fe33c27fcdd84ad5f9b07f96a0a8f81c9728c55784

SHA512
b6e5548428c6c303070239ebd7846c226252b8c322f89072a267e4b0d401fc504527920ead18f8e372e2bc6e9f1b11afafa0aa6c95c2e2b79d876f2acc96a63b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
08072edabf046b6cb61719082a9cbc05

SHA1
b2da71896a76c164ee2d6a2f976d760712125366

SHA256
834eb3c362333b9e3c2275fe33c27fcdd84ad5f9b07f96a0a8f81c9728c55784

SHA512
b6e5548428c6c303070239ebd7846c226252b8c322f89072a267e4b0d401fc504527920ead18f8e372e2bc6e9f1b11afafa0aa6c95c2e2b79d876f2acc96a63b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
08072edabf046b6cb61719082a9cbc05

SHA1
b2da71896a76c164ee2d6a2f976d760712125366

SHA256
834eb3c362333b9e3c2275fe33c27fcdd84ad5f9b07f96a0a8f81c9728c55784

SHA512
b6e5548428c6c303070239ebd7846c226252b8c322f89072a267e4b0d401fc504527920ead18f8e372e2bc6e9f1b11afafa0aa6c95c2e2b79d876f2acc96a63b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
08072edabf046b6cb61719082a9cbc05

SHA1
b2da71896a76c164ee2d6a2f976d760712125366

SHA256
834eb3c362333b9e3c2275fe33c27fcdd84ad5f9b07f96a0a8f81c9728c55784

SHA512
b6e5548428c6c303070239ebd7846c226252b8c322f89072a267e4b0d401fc504527920ead18f8e372e2bc6e9f1b11afafa0aa6c95c2e2b79d876f2acc96a63b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
08072edabf046b6cb61719082a9cbc05

SHA1
b2da71896a76c164ee2d6a2f976d760712125366

SHA256
834eb3c362333b9e3c2275fe33c27fcdd84ad5f9b07f96a0a8f81c9728c55784

SHA512
b6e5548428c6c303070239ebd7846c226252b8c322f89072a267e4b0d401fc504527920ead18f8e372e2bc6e9f1b11afafa0aa6c95c2e2b79d876f2acc96a63b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
89544013bae6299b73deb95b5568306f

SHA1
fe9fbc2bf427fa03efd9f0b68385373d4f4ccffa

SHA256
5f933be848880f1828c25310b2f002487616170a2ff9b746286a4b882fe82202

SHA512
2b7d49dbabc811b6fe938e3bcbdad64a79dd4cc61991ef69f4e27b68542c708b5e1908b02445244e4a4e7230543dccb5d382a01ac30499ae4acc27f82e13c60e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
89544013bae6299b73deb95b5568306f

SHA1
fe9fbc2bf427fa03efd9f0b68385373d4f4ccffa

SHA256
5f933be848880f1828c25310b2f002487616170a2ff9b746286a4b882fe82202

SHA512
2b7d49dbabc811b6fe938e3bcbdad64a79dd4cc61991ef69f4e27b68542c708b5e1908b02445244e4a4e7230543dccb5d382a01ac30499ae4acc27f82e13c60e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
08072edabf046b6cb61719082a9cbc05

SHA1
b2da71896a76c164ee2d6a2f976d760712125366

SHA256
834eb3c362333b9e3c2275fe33c27fcdd84ad5f9b07f96a0a8f81c9728c55784

SHA512
b6e5548428c6c303070239ebd7846c226252b8c322f89072a267e4b0d401fc504527920ead18f8e372e2bc6e9f1b11afafa0aa6c95c2e2b79d876f2acc96a63b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
08072edabf046b6cb61719082a9cbc05

SHA1
b2da71896a76c164ee2d6a2f976d760712125366

SHA256
834eb3c362333b9e3c2275fe33c27fcdd84ad5f9b07f96a0a8f81c9728c55784

SHA512
b6e5548428c6c303070239ebd7846c226252b8c322f89072a267e4b0d401fc504527920ead18f8e372e2bc6e9f1b11afafa0aa6c95c2e2b79d876f2acc96a63b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
08072edabf046b6cb61719082a9cbc05

SHA1
b2da71896a76c164ee2d6a2f976d760712125366

SHA256
834eb3c362333b9e3c2275fe33c27fcdd84ad5f9b07f96a0a8f81c9728c55784

SHA512
b6e5548428c6c303070239ebd7846c226252b8c322f89072a267e4b0d401fc504527920ead18f8e372e2bc6e9f1b11afafa0aa6c95c2e2b79d876f2acc96a63b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
08072edabf046b6cb61719082a9cbc05

SHA1
b2da71896a76c164ee2d6a2f976d760712125366

SHA256
834eb3c362333b9e3c2275fe33c27fcdd84ad5f9b07f96a0a8f81c9728c55784

SHA512
b6e5548428c6c303070239ebd7846c226252b8c322f89072a267e4b0d401fc504527920ead18f8e372e2bc6e9f1b11afafa0aa6c95c2e2b79d876f2acc96a63b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
08072edabf046b6cb61719082a9cbc05

SHA1
b2da71896a76c164ee2d6a2f976d760712125366

SHA256
834eb3c362333b9e3c2275fe33c27fcdd84ad5f9b07f96a0a8f81c9728c55784

SHA512
b6e5548428c6c303070239ebd7846c226252b8c322f89072a267e4b0d401fc504527920ead18f8e372e2bc6e9f1b11afafa0aa6c95c2e2b79d876f2acc96a63b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
08072edabf046b6cb61719082a9cbc05

SHA1
b2da71896a76c164ee2d6a2f976d760712125366

SHA256
834eb3c362333b9e3c2275fe33c27fcdd84ad5f9b07f96a0a8f81c9728c55784

SHA512
b6e5548428c6c303070239ebd7846c226252b8c322f89072a267e4b0d401fc504527920ead18f8e372e2bc6e9f1b11afafa0aa6c95c2e2b79d876f2acc96a63b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
08072edabf046b6cb61719082a9cbc05

SHA1
b2da71896a76c164ee2d6a2f976d760712125366

SHA256
834eb3c362333b9e3c2275fe33c27fcdd84ad5f9b07f96a0a8f81c9728c55784

SHA512
b6e5548428c6c303070239ebd7846c226252b8c322f89072a267e4b0d401fc504527920ead18f8e372e2bc6e9f1b11afafa0aa6c95c2e2b79d876f2acc96a63b

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
b8d68bddc357ca0b481224c454cecffa

SHA1
30b811c56badb98739cea27628d9801708dde673

SHA256
b8bd4da89b316085332aa6f343a9eea16295708091330214dcbbfb17a16e47c4

SHA512
b4f07be20a639d14f06b18963fd1ccb9026c32b993647236bcb682578f658870f61b507b80975adf37824a81f6704eb36342a7aea47d0336c6b6f80615fd5d72

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
b8d68bddc357ca0b481224c454cecffa

SHA1
30b811c56badb98739cea27628d9801708dde673

SHA256
b8bd4da89b316085332aa6f343a9eea16295708091330214dcbbfb17a16e47c4

SHA512
b4f07be20a639d14f06b18963fd1ccb9026c32b993647236bcb682578f658870f61b507b80975adf37824a81f6704eb36342a7aea47d0336c6b6f80615fd5d72

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
b8d68bddc357ca0b481224c454cecffa

SHA1
30b811c56badb98739cea27628d9801708dde673

SHA256
b8bd4da89b316085332aa6f343a9eea16295708091330214dcbbfb17a16e47c4

SHA512
b4f07be20a639d14f06b18963fd1ccb9026c32b993647236bcb682578f658870f61b507b80975adf37824a81f6704eb36342a7aea47d0336c6b6f80615fd5d72

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
b8d68bddc357ca0b481224c454cecffa

SHA1
30b811c56badb98739cea27628d9801708dde673

SHA256
b8bd4da89b316085332aa6f343a9eea16295708091330214dcbbfb17a16e47c4

SHA512
b4f07be20a639d14f06b18963fd1ccb9026c32b993647236bcb682578f658870f61b507b80975adf37824a81f6704eb36342a7aea47d0336c6b6f80615fd5d72

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
b8d68bddc357ca0b481224c454cecffa

SHA1
30b811c56badb98739cea27628d9801708dde673

SHA256
b8bd4da89b316085332aa6f343a9eea16295708091330214dcbbfb17a16e47c4

SHA512
b4f07be20a639d14f06b18963fd1ccb9026c32b993647236bcb682578f658870f61b507b80975adf37824a81f6704eb36342a7aea47d0336c6b6f80615fd5d72

Download Submit
memory/1224-67-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1224-271-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1224-66-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1396-63-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1396-270-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1396-65-0x0000000001E20000-0x0000000001E9B000-memory.dmp

Filesize
492KB

Download
memory/1396-64-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads