7a2bec09187177b5870b37504aa305649404b034b27a67034fea487c55005282

Analysis

max time kernel
153s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/04/2023, 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
Size

2.5MB
MD5

fb7ac156ea2350ddf9f7428f061ce643
SHA1

e1c57d5e0465f73b47fe5e9bc92a981b1fc1e85b
SHA256

7a2bec09187177b5870b37504aa305649404b034b27a67034fea487c55005282
SHA512

dc5e52e49893fb9bcb32486e03c488c29eb7272eaea3156ef6d0b405bb3bb17d6c2f9b012b18b5559cb7899b1a9fe80147c07ca37086934aa6424bf94748feb6
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MC/:eEtl9mRda12sX7hKB8NIyXbacAfg

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
1064	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
1144	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
1144	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\A:	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File opened (read-only)	\??\K:	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File opened (read-only)	\??\P:	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File opened (read-only)	\??\U:	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File opened (read-only)	\??\X:	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\G:	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File opened (read-only)	\??\H:	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File opened (read-only)	\??\O:	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File opened (read-only)	\??\S:	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\F:	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File opened (read-only)	\??\Q:	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File opened (read-only)	\??\V:	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File opened (read-only)	\??\W:	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File opened (read-only)	\??\Y:	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File opened (read-only)	\??\T:	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\I:	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File opened (read-only)	\??\R:	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\J:	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File opened (read-only)	\??\L:	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File opened (read-only)	\??\M:	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File opened (read-only)	\??\N:	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File opened (read-only)	\??\Z:	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\B:	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 1064	1144	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe	26
PID 1144 wrote to memory of 1064	1144	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe	26
PID 1144 wrote to memory of 1064	1144	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe	26
PID 1144 wrote to memory of 1064	1144	2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe	26

C:\Users\Admin\AppData\Local\Temp\2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2023-04-10_fb7ac156ea2350ddf9f7428f061ce643_ryuk.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\desktop.ini.exe

Filesize
2.5MB

MD5
2014074d0b199ed53d2d8337fe0d5a91

SHA1
ce3cdf3ed56ad33ce68770fd9124f3f79a71823f

SHA256
27f5a558438f08b33985de56a19fa4e2dc33682dd547b221717ab6c13f2d1466

SHA512
992eca4e0d05a605b71268c81e8f16eae4127d66d402effc27e5fe3ef2a3d07e8748535b3b6c4595c5c5a75cf9a623a011830099e4b68b9975bfb684cd35d3be

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AutoRun.exe

Filesize
2.5MB

MD5
fb7ac156ea2350ddf9f7428f061ce643

SHA1
e1c57d5e0465f73b47fe5e9bc92a981b1fc1e85b

SHA256
7a2bec09187177b5870b37504aa305649404b034b27a67034fea487c55005282

SHA512
dc5e52e49893fb9bcb32486e03c488c29eb7272eaea3156ef6d0b405bb3bb17d6c2f9b012b18b5559cb7899b1a9fe80147c07ca37086934aa6424bf94748feb6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69cd96f94a0491cc060c855b4406103b

SHA1
db3247067c532691f0088effecd13e192324e01d

SHA256
7c2c8839f9e52696de6c4be586e1edb6ccd6e94a9a188760ca0847b61429a9b8

SHA512
70423afc338825d4ae9f34427dc4a0ab12dc7738c0859a19e815c84af6e2353de58f94c99f00aff0a6efb0eeeb5d1a5b110924eb910cce597c61760edbfcdae6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e9841f5583f28b3c0f514c1151ef2941

SHA1
2e85be0ab7a021e125e4ba1be6e015e7dd3d80cb

SHA256
9f0e0bf0de40a30f61624b85aa4f745fed154c8f637d48d3350c40f1efe30770

SHA512
fe770a4a2d8493e6c4d28f8c1316436cb8389f0c4e344b4bf7fe02395491e489914048d2423386defc21379256ae7d337c081c733074f7db9b6796c24e6e3dbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e9841f5583f28b3c0f514c1151ef2941

SHA1
2e85be0ab7a021e125e4ba1be6e015e7dd3d80cb

SHA256
9f0e0bf0de40a30f61624b85aa4f745fed154c8f637d48d3350c40f1efe30770

SHA512
fe770a4a2d8493e6c4d28f8c1316436cb8389f0c4e344b4bf7fe02395491e489914048d2423386defc21379256ae7d337c081c733074f7db9b6796c24e6e3dbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69cd96f94a0491cc060c855b4406103b

SHA1
db3247067c532691f0088effecd13e192324e01d

SHA256
7c2c8839f9e52696de6c4be586e1edb6ccd6e94a9a188760ca0847b61429a9b8

SHA512
70423afc338825d4ae9f34427dc4a0ab12dc7738c0859a19e815c84af6e2353de58f94c99f00aff0a6efb0eeeb5d1a5b110924eb910cce597c61760edbfcdae6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e9841f5583f28b3c0f514c1151ef2941

SHA1
2e85be0ab7a021e125e4ba1be6e015e7dd3d80cb

SHA256
9f0e0bf0de40a30f61624b85aa4f745fed154c8f637d48d3350c40f1efe30770

SHA512
fe770a4a2d8493e6c4d28f8c1316436cb8389f0c4e344b4bf7fe02395491e489914048d2423386defc21379256ae7d337c081c733074f7db9b6796c24e6e3dbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69cd96f94a0491cc060c855b4406103b

SHA1
db3247067c532691f0088effecd13e192324e01d

SHA256
7c2c8839f9e52696de6c4be586e1edb6ccd6e94a9a188760ca0847b61429a9b8

SHA512
70423afc338825d4ae9f34427dc4a0ab12dc7738c0859a19e815c84af6e2353de58f94c99f00aff0a6efb0eeeb5d1a5b110924eb910cce597c61760edbfcdae6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69cd96f94a0491cc060c855b4406103b

SHA1
db3247067c532691f0088effecd13e192324e01d

SHA256
7c2c8839f9e52696de6c4be586e1edb6ccd6e94a9a188760ca0847b61429a9b8

SHA512
70423afc338825d4ae9f34427dc4a0ab12dc7738c0859a19e815c84af6e2353de58f94c99f00aff0a6efb0eeeb5d1a5b110924eb910cce597c61760edbfcdae6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e9841f5583f28b3c0f514c1151ef2941

SHA1
2e85be0ab7a021e125e4ba1be6e015e7dd3d80cb

SHA256
9f0e0bf0de40a30f61624b85aa4f745fed154c8f637d48d3350c40f1efe30770

SHA512
fe770a4a2d8493e6c4d28f8c1316436cb8389f0c4e344b4bf7fe02395491e489914048d2423386defc21379256ae7d337c081c733074f7db9b6796c24e6e3dbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e9841f5583f28b3c0f514c1151ef2941

SHA1
2e85be0ab7a021e125e4ba1be6e015e7dd3d80cb

SHA256
9f0e0bf0de40a30f61624b85aa4f745fed154c8f637d48d3350c40f1efe30770

SHA512
fe770a4a2d8493e6c4d28f8c1316436cb8389f0c4e344b4bf7fe02395491e489914048d2423386defc21379256ae7d337c081c733074f7db9b6796c24e6e3dbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e9841f5583f28b3c0f514c1151ef2941

SHA1
2e85be0ab7a021e125e4ba1be6e015e7dd3d80cb

SHA256
9f0e0bf0de40a30f61624b85aa4f745fed154c8f637d48d3350c40f1efe30770

SHA512
fe770a4a2d8493e6c4d28f8c1316436cb8389f0c4e344b4bf7fe02395491e489914048d2423386defc21379256ae7d337c081c733074f7db9b6796c24e6e3dbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69cd96f94a0491cc060c855b4406103b

SHA1
db3247067c532691f0088effecd13e192324e01d

SHA256
7c2c8839f9e52696de6c4be586e1edb6ccd6e94a9a188760ca0847b61429a9b8

SHA512
70423afc338825d4ae9f34427dc4a0ab12dc7738c0859a19e815c84af6e2353de58f94c99f00aff0a6efb0eeeb5d1a5b110924eb910cce597c61760edbfcdae6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e9841f5583f28b3c0f514c1151ef2941

SHA1
2e85be0ab7a021e125e4ba1be6e015e7dd3d80cb

SHA256
9f0e0bf0de40a30f61624b85aa4f745fed154c8f637d48d3350c40f1efe30770

SHA512
fe770a4a2d8493e6c4d28f8c1316436cb8389f0c4e344b4bf7fe02395491e489914048d2423386defc21379256ae7d337c081c733074f7db9b6796c24e6e3dbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69cd96f94a0491cc060c855b4406103b

SHA1
db3247067c532691f0088effecd13e192324e01d

SHA256
7c2c8839f9e52696de6c4be586e1edb6ccd6e94a9a188760ca0847b61429a9b8

SHA512
70423afc338825d4ae9f34427dc4a0ab12dc7738c0859a19e815c84af6e2353de58f94c99f00aff0a6efb0eeeb5d1a5b110924eb910cce597c61760edbfcdae6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e9841f5583f28b3c0f514c1151ef2941

SHA1
2e85be0ab7a021e125e4ba1be6e015e7dd3d80cb

SHA256
9f0e0bf0de40a30f61624b85aa4f745fed154c8f637d48d3350c40f1efe30770

SHA512
fe770a4a2d8493e6c4d28f8c1316436cb8389f0c4e344b4bf7fe02395491e489914048d2423386defc21379256ae7d337c081c733074f7db9b6796c24e6e3dbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69cd96f94a0491cc060c855b4406103b

SHA1
db3247067c532691f0088effecd13e192324e01d

SHA256
7c2c8839f9e52696de6c4be586e1edb6ccd6e94a9a188760ca0847b61429a9b8

SHA512
70423afc338825d4ae9f34427dc4a0ab12dc7738c0859a19e815c84af6e2353de58f94c99f00aff0a6efb0eeeb5d1a5b110924eb910cce597c61760edbfcdae6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69cd96f94a0491cc060c855b4406103b

SHA1
db3247067c532691f0088effecd13e192324e01d

SHA256
7c2c8839f9e52696de6c4be586e1edb6ccd6e94a9a188760ca0847b61429a9b8

SHA512
70423afc338825d4ae9f34427dc4a0ab12dc7738c0859a19e815c84af6e2353de58f94c99f00aff0a6efb0eeeb5d1a5b110924eb910cce597c61760edbfcdae6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69cd96f94a0491cc060c855b4406103b

SHA1
db3247067c532691f0088effecd13e192324e01d

SHA256
7c2c8839f9e52696de6c4be586e1edb6ccd6e94a9a188760ca0847b61429a9b8

SHA512
70423afc338825d4ae9f34427dc4a0ab12dc7738c0859a19e815c84af6e2353de58f94c99f00aff0a6efb0eeeb5d1a5b110924eb910cce597c61760edbfcdae6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e9841f5583f28b3c0f514c1151ef2941

SHA1
2e85be0ab7a021e125e4ba1be6e015e7dd3d80cb

SHA256
9f0e0bf0de40a30f61624b85aa4f745fed154c8f637d48d3350c40f1efe30770

SHA512
fe770a4a2d8493e6c4d28f8c1316436cb8389f0c4e344b4bf7fe02395491e489914048d2423386defc21379256ae7d337c081c733074f7db9b6796c24e6e3dbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e9841f5583f28b3c0f514c1151ef2941

SHA1
2e85be0ab7a021e125e4ba1be6e015e7dd3d80cb

SHA256
9f0e0bf0de40a30f61624b85aa4f745fed154c8f637d48d3350c40f1efe30770

SHA512
fe770a4a2d8493e6c4d28f8c1316436cb8389f0c4e344b4bf7fe02395491e489914048d2423386defc21379256ae7d337c081c733074f7db9b6796c24e6e3dbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69cd96f94a0491cc060c855b4406103b

SHA1
db3247067c532691f0088effecd13e192324e01d

SHA256
7c2c8839f9e52696de6c4be586e1edb6ccd6e94a9a188760ca0847b61429a9b8

SHA512
70423afc338825d4ae9f34427dc4a0ab12dc7738c0859a19e815c84af6e2353de58f94c99f00aff0a6efb0eeeb5d1a5b110924eb910cce597c61760edbfcdae6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e9841f5583f28b3c0f514c1151ef2941

SHA1
2e85be0ab7a021e125e4ba1be6e015e7dd3d80cb

SHA256
9f0e0bf0de40a30f61624b85aa4f745fed154c8f637d48d3350c40f1efe30770

SHA512
fe770a4a2d8493e6c4d28f8c1316436cb8389f0c4e344b4bf7fe02395491e489914048d2423386defc21379256ae7d337c081c733074f7db9b6796c24e6e3dbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69cd96f94a0491cc060c855b4406103b

SHA1
db3247067c532691f0088effecd13e192324e01d

SHA256
7c2c8839f9e52696de6c4be586e1edb6ccd6e94a9a188760ca0847b61429a9b8

SHA512
70423afc338825d4ae9f34427dc4a0ab12dc7738c0859a19e815c84af6e2353de58f94c99f00aff0a6efb0eeeb5d1a5b110924eb910cce597c61760edbfcdae6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e9841f5583f28b3c0f514c1151ef2941

SHA1
2e85be0ab7a021e125e4ba1be6e015e7dd3d80cb

SHA256
9f0e0bf0de40a30f61624b85aa4f745fed154c8f637d48d3350c40f1efe30770

SHA512
fe770a4a2d8493e6c4d28f8c1316436cb8389f0c4e344b4bf7fe02395491e489914048d2423386defc21379256ae7d337c081c733074f7db9b6796c24e6e3dbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69cd96f94a0491cc060c855b4406103b

SHA1
db3247067c532691f0088effecd13e192324e01d

SHA256
7c2c8839f9e52696de6c4be586e1edb6ccd6e94a9a188760ca0847b61429a9b8

SHA512
70423afc338825d4ae9f34427dc4a0ab12dc7738c0859a19e815c84af6e2353de58f94c99f00aff0a6efb0eeeb5d1a5b110924eb910cce597c61760edbfcdae6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e9841f5583f28b3c0f514c1151ef2941

SHA1
2e85be0ab7a021e125e4ba1be6e015e7dd3d80cb

SHA256
9f0e0bf0de40a30f61624b85aa4f745fed154c8f637d48d3350c40f1efe30770

SHA512
fe770a4a2d8493e6c4d28f8c1316436cb8389f0c4e344b4bf7fe02395491e489914048d2423386defc21379256ae7d337c081c733074f7db9b6796c24e6e3dbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e9841f5583f28b3c0f514c1151ef2941

SHA1
2e85be0ab7a021e125e4ba1be6e015e7dd3d80cb

SHA256
9f0e0bf0de40a30f61624b85aa4f745fed154c8f637d48d3350c40f1efe30770

SHA512
fe770a4a2d8493e6c4d28f8c1316436cb8389f0c4e344b4bf7fe02395491e489914048d2423386defc21379256ae7d337c081c733074f7db9b6796c24e6e3dbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e9841f5583f28b3c0f514c1151ef2941

SHA1
2e85be0ab7a021e125e4ba1be6e015e7dd3d80cb

SHA256
9f0e0bf0de40a30f61624b85aa4f745fed154c8f637d48d3350c40f1efe30770

SHA512
fe770a4a2d8493e6c4d28f8c1316436cb8389f0c4e344b4bf7fe02395491e489914048d2423386defc21379256ae7d337c081c733074f7db9b6796c24e6e3dbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69cd96f94a0491cc060c855b4406103b

SHA1
db3247067c532691f0088effecd13e192324e01d

SHA256
7c2c8839f9e52696de6c4be586e1edb6ccd6e94a9a188760ca0847b61429a9b8

SHA512
70423afc338825d4ae9f34427dc4a0ab12dc7738c0859a19e815c84af6e2353de58f94c99f00aff0a6efb0eeeb5d1a5b110924eb910cce597c61760edbfcdae6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e9841f5583f28b3c0f514c1151ef2941

SHA1
2e85be0ab7a021e125e4ba1be6e015e7dd3d80cb

SHA256
9f0e0bf0de40a30f61624b85aa4f745fed154c8f637d48d3350c40f1efe30770

SHA512
fe770a4a2d8493e6c4d28f8c1316436cb8389f0c4e344b4bf7fe02395491e489914048d2423386defc21379256ae7d337c081c733074f7db9b6796c24e6e3dbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69cd96f94a0491cc060c855b4406103b

SHA1
db3247067c532691f0088effecd13e192324e01d

SHA256
7c2c8839f9e52696de6c4be586e1edb6ccd6e94a9a188760ca0847b61429a9b8

SHA512
70423afc338825d4ae9f34427dc4a0ab12dc7738c0859a19e815c84af6e2353de58f94c99f00aff0a6efb0eeeb5d1a5b110924eb910cce597c61760edbfcdae6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e9841f5583f28b3c0f514c1151ef2941

SHA1
2e85be0ab7a021e125e4ba1be6e015e7dd3d80cb

SHA256
9f0e0bf0de40a30f61624b85aa4f745fed154c8f637d48d3350c40f1efe30770

SHA512
fe770a4a2d8493e6c4d28f8c1316436cb8389f0c4e344b4bf7fe02395491e489914048d2423386defc21379256ae7d337c081c733074f7db9b6796c24e6e3dbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69cd96f94a0491cc060c855b4406103b

SHA1
db3247067c532691f0088effecd13e192324e01d

SHA256
7c2c8839f9e52696de6c4be586e1edb6ccd6e94a9a188760ca0847b61429a9b8

SHA512
70423afc338825d4ae9f34427dc4a0ab12dc7738c0859a19e815c84af6e2353de58f94c99f00aff0a6efb0eeeb5d1a5b110924eb910cce597c61760edbfcdae6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e9841f5583f28b3c0f514c1151ef2941

SHA1
2e85be0ab7a021e125e4ba1be6e015e7dd3d80cb

SHA256
9f0e0bf0de40a30f61624b85aa4f745fed154c8f637d48d3350c40f1efe30770

SHA512
fe770a4a2d8493e6c4d28f8c1316436cb8389f0c4e344b4bf7fe02395491e489914048d2423386defc21379256ae7d337c081c733074f7db9b6796c24e6e3dbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69cd96f94a0491cc060c855b4406103b

SHA1
db3247067c532691f0088effecd13e192324e01d

SHA256
7c2c8839f9e52696de6c4be586e1edb6ccd6e94a9a188760ca0847b61429a9b8

SHA512
70423afc338825d4ae9f34427dc4a0ab12dc7738c0859a19e815c84af6e2353de58f94c99f00aff0a6efb0eeeb5d1a5b110924eb910cce597c61760edbfcdae6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e9841f5583f28b3c0f514c1151ef2941

SHA1
2e85be0ab7a021e125e4ba1be6e015e7dd3d80cb

SHA256
9f0e0bf0de40a30f61624b85aa4f745fed154c8f637d48d3350c40f1efe30770

SHA512
fe770a4a2d8493e6c4d28f8c1316436cb8389f0c4e344b4bf7fe02395491e489914048d2423386defc21379256ae7d337c081c733074f7db9b6796c24e6e3dbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69cd96f94a0491cc060c855b4406103b

SHA1
db3247067c532691f0088effecd13e192324e01d

SHA256
7c2c8839f9e52696de6c4be586e1edb6ccd6e94a9a188760ca0847b61429a9b8

SHA512
70423afc338825d4ae9f34427dc4a0ab12dc7738c0859a19e815c84af6e2353de58f94c99f00aff0a6efb0eeeb5d1a5b110924eb910cce597c61760edbfcdae6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e9841f5583f28b3c0f514c1151ef2941

SHA1
2e85be0ab7a021e125e4ba1be6e015e7dd3d80cb

SHA256
9f0e0bf0de40a30f61624b85aa4f745fed154c8f637d48d3350c40f1efe30770

SHA512
fe770a4a2d8493e6c4d28f8c1316436cb8389f0c4e344b4bf7fe02395491e489914048d2423386defc21379256ae7d337c081c733074f7db9b6796c24e6e3dbb

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.5MB

MD5
e94e0b4318067b41625a8d2c56eafa90

SHA1
40d382cd7347368865e5a93d6c5437ce8e014d00

SHA256
fcb6d679d7bed0089266301a0be8b0a410a0aa4f52e22c801c7db4e25fc5256c

SHA512
d6faa5e9d7ce9d0cf8d95509daa8e5a96e97700f4867afe7d2a023149f3c79b7d9c9b67b22c8ba4246163f7d0d20a6ea9badb40847933e88283613b265feb48d

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.5MB

MD5
e94e0b4318067b41625a8d2c56eafa90

SHA1
40d382cd7347368865e5a93d6c5437ce8e014d00

SHA256
fcb6d679d7bed0089266301a0be8b0a410a0aa4f52e22c801c7db4e25fc5256c

SHA512
d6faa5e9d7ce9d0cf8d95509daa8e5a96e97700f4867afe7d2a023149f3c79b7d9c9b67b22c8ba4246163f7d0d20a6ea9badb40847933e88283613b265feb48d

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.5MB

MD5
e94e0b4318067b41625a8d2c56eafa90

SHA1
40d382cd7347368865e5a93d6c5437ce8e014d00

SHA256
fcb6d679d7bed0089266301a0be8b0a410a0aa4f52e22c801c7db4e25fc5256c

SHA512
d6faa5e9d7ce9d0cf8d95509daa8e5a96e97700f4867afe7d2a023149f3c79b7d9c9b67b22c8ba4246163f7d0d20a6ea9badb40847933e88283613b265feb48d

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.5MB

MD5
e94e0b4318067b41625a8d2c56eafa90

SHA1
40d382cd7347368865e5a93d6c5437ce8e014d00

SHA256
fcb6d679d7bed0089266301a0be8b0a410a0aa4f52e22c801c7db4e25fc5256c

SHA512
d6faa5e9d7ce9d0cf8d95509daa8e5a96e97700f4867afe7d2a023149f3c79b7d9c9b67b22c8ba4246163f7d0d20a6ea9badb40847933e88283613b265feb48d

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.5MB

MD5
e94e0b4318067b41625a8d2c56eafa90

SHA1
40d382cd7347368865e5a93d6c5437ce8e014d00

SHA256
fcb6d679d7bed0089266301a0be8b0a410a0aa4f52e22c801c7db4e25fc5256c

SHA512
d6faa5e9d7ce9d0cf8d95509daa8e5a96e97700f4867afe7d2a023149f3c79b7d9c9b67b22c8ba4246163f7d0d20a6ea9badb40847933e88283613b265feb48d

Download Submit
memory/1064-106-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1064-68-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1064-67-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1144-57-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1144-101-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1144-66-0x0000000001EC0000-0x0000000001F3B000-memory.dmp

Filesize
492KB

Download
memory/1144-59-0x0000000001EC0000-0x0000000001F3B000-memory.dmp

Filesize
492KB

Download
memory/1144-54-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads