bb392f7abdc6e7c60edf5dfc06bd583dceda6f732f230afcf589983fd7a5fca0

Analysis

max time kernel
151s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
26-04-2023 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
Size

2.5MB
MD5

d053f9699bc84157223dd058b997ca5a
SHA1

f1b9de35ae9a85f0feda561100f9d880820b513e
SHA256

bb392f7abdc6e7c60edf5dfc06bd583dceda6f732f230afcf589983fd7a5fca0
SHA512

5b491eb3e769ddc039c6fd787e3887c46b9abaeb48baaf776b169cdf41d87c30ced78d519afece7b5197d4e1eb101657bddb6d14fca79934a1128e3f98525079
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCL:eEtl9mRda12sX7hKB8NIyXbacAf8

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe

Executes dropped EXE 1 IoCs

pid	Process
2024	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
1736	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
1736	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\H:	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
File opened (read-only)	\??\L:	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
File opened (read-only)	\??\R:	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\A:	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
File opened (read-only)	\??\B:	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
File opened (read-only)	\??\M:	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\F:	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
File opened (read-only)	\??\O:	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
File opened (read-only)	\??\X:	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\P:	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
File opened (read-only)	\??\U:	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
File opened (read-only)	\??\W:	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\E:	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
File opened (read-only)	\??\Q:	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
File opened (read-only)	\??\T:	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\G:	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
File opened (read-only)	\??\I:	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
File opened (read-only)	\??\V:	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\J:	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
File opened (read-only)	\??\N:	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\K:	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
File opened (read-only)	\??\S:	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
File opened (read-only)	\??\Y:	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
File opened (read-only)	\??\Z:	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2024	1736	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe	27
PID 1736 wrote to memory of 2024	1736	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe	27
PID 1736 wrote to memory of 2024	1736	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe	27
PID 1736 wrote to memory of 2024	1736	2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe	27

C:\Users\Admin\AppData\Local\Temp\2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2023-04-25_d053f9699bc84157223dd058b997ca5a_ryuk.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\desktop.ini.exe

Filesize
2.5MB

MD5
103352b93e4b30a5153286ef48fa1507

SHA1
59f58855290297a99e60812f38647e99ce591049

SHA256
669d858f58e36c21027ae0ec719dce426f410284fd6d8cdd61b83096f7a69926

SHA512
728c43d2dcbb2749dd1579c10f70fa6fef51f5e42a1ec4cc42c39abbda088f2d2b85c5a31349563636704f77756d8885e0d70f9c507cf0152ab05f9fd044c17c

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AutoRun.exe

Filesize
2.5MB

MD5
d053f9699bc84157223dd058b997ca5a

SHA1
f1b9de35ae9a85f0feda561100f9d880820b513e

SHA256
bb392f7abdc6e7c60edf5dfc06bd583dceda6f732f230afcf589983fd7a5fca0

SHA512
5b491eb3e769ddc039c6fd787e3887c46b9abaeb48baaf776b169cdf41d87c30ced78d519afece7b5197d4e1eb101657bddb6d14fca79934a1128e3f98525079

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69155d1506a34db51fe6239b40601530

SHA1
788eaf56bea9ad1323ee6327765002d59287f591

SHA256
c160389f63f28f327e7dadfcb22dd8a0999756cceeab8fa8b7d8affcd0a09786

SHA512
bce15606427449b8a6694ea0a95ee0f0e8c163901a1f905f7fb2141a0ae42066aca5c65f58741e15de63161057c79bc86f227c4230eb80f63f22ca6229cf659b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69155d1506a34db51fe6239b40601530

SHA1
788eaf56bea9ad1323ee6327765002d59287f591

SHA256
c160389f63f28f327e7dadfcb22dd8a0999756cceeab8fa8b7d8affcd0a09786

SHA512
bce15606427449b8a6694ea0a95ee0f0e8c163901a1f905f7fb2141a0ae42066aca5c65f58741e15de63161057c79bc86f227c4230eb80f63f22ca6229cf659b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69155d1506a34db51fe6239b40601530

SHA1
788eaf56bea9ad1323ee6327765002d59287f591

SHA256
c160389f63f28f327e7dadfcb22dd8a0999756cceeab8fa8b7d8affcd0a09786

SHA512
bce15606427449b8a6694ea0a95ee0f0e8c163901a1f905f7fb2141a0ae42066aca5c65f58741e15de63161057c79bc86f227c4230eb80f63f22ca6229cf659b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69155d1506a34db51fe6239b40601530

SHA1
788eaf56bea9ad1323ee6327765002d59287f591

SHA256
c160389f63f28f327e7dadfcb22dd8a0999756cceeab8fa8b7d8affcd0a09786

SHA512
bce15606427449b8a6694ea0a95ee0f0e8c163901a1f905f7fb2141a0ae42066aca5c65f58741e15de63161057c79bc86f227c4230eb80f63f22ca6229cf659b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69155d1506a34db51fe6239b40601530

SHA1
788eaf56bea9ad1323ee6327765002d59287f591

SHA256
c160389f63f28f327e7dadfcb22dd8a0999756cceeab8fa8b7d8affcd0a09786

SHA512
bce15606427449b8a6694ea0a95ee0f0e8c163901a1f905f7fb2141a0ae42066aca5c65f58741e15de63161057c79bc86f227c4230eb80f63f22ca6229cf659b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69155d1506a34db51fe6239b40601530

SHA1
788eaf56bea9ad1323ee6327765002d59287f591

SHA256
c160389f63f28f327e7dadfcb22dd8a0999756cceeab8fa8b7d8affcd0a09786

SHA512
bce15606427449b8a6694ea0a95ee0f0e8c163901a1f905f7fb2141a0ae42066aca5c65f58741e15de63161057c79bc86f227c4230eb80f63f22ca6229cf659b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69155d1506a34db51fe6239b40601530

SHA1
788eaf56bea9ad1323ee6327765002d59287f591

SHA256
c160389f63f28f327e7dadfcb22dd8a0999756cceeab8fa8b7d8affcd0a09786

SHA512
bce15606427449b8a6694ea0a95ee0f0e8c163901a1f905f7fb2141a0ae42066aca5c65f58741e15de63161057c79bc86f227c4230eb80f63f22ca6229cf659b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69155d1506a34db51fe6239b40601530

SHA1
788eaf56bea9ad1323ee6327765002d59287f591

SHA256
c160389f63f28f327e7dadfcb22dd8a0999756cceeab8fa8b7d8affcd0a09786

SHA512
bce15606427449b8a6694ea0a95ee0f0e8c163901a1f905f7fb2141a0ae42066aca5c65f58741e15de63161057c79bc86f227c4230eb80f63f22ca6229cf659b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69155d1506a34db51fe6239b40601530

SHA1
788eaf56bea9ad1323ee6327765002d59287f591

SHA256
c160389f63f28f327e7dadfcb22dd8a0999756cceeab8fa8b7d8affcd0a09786

SHA512
bce15606427449b8a6694ea0a95ee0f0e8c163901a1f905f7fb2141a0ae42066aca5c65f58741e15de63161057c79bc86f227c4230eb80f63f22ca6229cf659b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69155d1506a34db51fe6239b40601530

SHA1
788eaf56bea9ad1323ee6327765002d59287f591

SHA256
c160389f63f28f327e7dadfcb22dd8a0999756cceeab8fa8b7d8affcd0a09786

SHA512
bce15606427449b8a6694ea0a95ee0f0e8c163901a1f905f7fb2141a0ae42066aca5c65f58741e15de63161057c79bc86f227c4230eb80f63f22ca6229cf659b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69155d1506a34db51fe6239b40601530

SHA1
788eaf56bea9ad1323ee6327765002d59287f591

SHA256
c160389f63f28f327e7dadfcb22dd8a0999756cceeab8fa8b7d8affcd0a09786

SHA512
bce15606427449b8a6694ea0a95ee0f0e8c163901a1f905f7fb2141a0ae42066aca5c65f58741e15de63161057c79bc86f227c4230eb80f63f22ca6229cf659b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69155d1506a34db51fe6239b40601530

SHA1
788eaf56bea9ad1323ee6327765002d59287f591

SHA256
c160389f63f28f327e7dadfcb22dd8a0999756cceeab8fa8b7d8affcd0a09786

SHA512
bce15606427449b8a6694ea0a95ee0f0e8c163901a1f905f7fb2141a0ae42066aca5c65f58741e15de63161057c79bc86f227c4230eb80f63f22ca6229cf659b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69155d1506a34db51fe6239b40601530

SHA1
788eaf56bea9ad1323ee6327765002d59287f591

SHA256
c160389f63f28f327e7dadfcb22dd8a0999756cceeab8fa8b7d8affcd0a09786

SHA512
bce15606427449b8a6694ea0a95ee0f0e8c163901a1f905f7fb2141a0ae42066aca5c65f58741e15de63161057c79bc86f227c4230eb80f63f22ca6229cf659b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69155d1506a34db51fe6239b40601530

SHA1
788eaf56bea9ad1323ee6327765002d59287f591

SHA256
c160389f63f28f327e7dadfcb22dd8a0999756cceeab8fa8b7d8affcd0a09786

SHA512
bce15606427449b8a6694ea0a95ee0f0e8c163901a1f905f7fb2141a0ae42066aca5c65f58741e15de63161057c79bc86f227c4230eb80f63f22ca6229cf659b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69155d1506a34db51fe6239b40601530

SHA1
788eaf56bea9ad1323ee6327765002d59287f591

SHA256
c160389f63f28f327e7dadfcb22dd8a0999756cceeab8fa8b7d8affcd0a09786

SHA512
bce15606427449b8a6694ea0a95ee0f0e8c163901a1f905f7fb2141a0ae42066aca5c65f58741e15de63161057c79bc86f227c4230eb80f63f22ca6229cf659b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69155d1506a34db51fe6239b40601530

SHA1
788eaf56bea9ad1323ee6327765002d59287f591

SHA256
c160389f63f28f327e7dadfcb22dd8a0999756cceeab8fa8b7d8affcd0a09786

SHA512
bce15606427449b8a6694ea0a95ee0f0e8c163901a1f905f7fb2141a0ae42066aca5c65f58741e15de63161057c79bc86f227c4230eb80f63f22ca6229cf659b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69155d1506a34db51fe6239b40601530

SHA1
788eaf56bea9ad1323ee6327765002d59287f591

SHA256
c160389f63f28f327e7dadfcb22dd8a0999756cceeab8fa8b7d8affcd0a09786

SHA512
bce15606427449b8a6694ea0a95ee0f0e8c163901a1f905f7fb2141a0ae42066aca5c65f58741e15de63161057c79bc86f227c4230eb80f63f22ca6229cf659b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69155d1506a34db51fe6239b40601530

SHA1
788eaf56bea9ad1323ee6327765002d59287f591

SHA256
c160389f63f28f327e7dadfcb22dd8a0999756cceeab8fa8b7d8affcd0a09786

SHA512
bce15606427449b8a6694ea0a95ee0f0e8c163901a1f905f7fb2141a0ae42066aca5c65f58741e15de63161057c79bc86f227c4230eb80f63f22ca6229cf659b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69155d1506a34db51fe6239b40601530

SHA1
788eaf56bea9ad1323ee6327765002d59287f591

SHA256
c160389f63f28f327e7dadfcb22dd8a0999756cceeab8fa8b7d8affcd0a09786

SHA512
bce15606427449b8a6694ea0a95ee0f0e8c163901a1f905f7fb2141a0ae42066aca5c65f58741e15de63161057c79bc86f227c4230eb80f63f22ca6229cf659b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2888b6b419b1c392f58606742acd09f3

SHA1
3095039bd465477a29b8b236e164ca8e6593d482

SHA256
819ad439d3c6c4bea1a83467ff7ad7cffe97b8f6618258ab6864a8620affb0b3

SHA512
6e0de9b5e2874e0a1f9cc3721c6e231e9d9ce54fb01a4aa9eb7ba6e86fce275db6dfab1f20827d78d4b21ce684ebe7bf0ab708e6770f6a4e340b174a7537e360

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.5MB

MD5
96fe9afe15150cd44126d984b9087035

SHA1
7ab7b18461f1e6ccad122116555e6a2fab3423ef

SHA256
9ea786661f9422c4c22025e3e1ee49cdc21424a24213ccb8761268a0fa88c5b1

SHA512
e87f1b2f8661d7321295bb229ab7a3f3d12dc9a7bf4792306442941305e5c618f28cb012b0b2dee41954b0dbbc78f4fca652b9c1d9acdbd7e4bf9c70bf3f3077

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.5MB

MD5
96fe9afe15150cd44126d984b9087035

SHA1
7ab7b18461f1e6ccad122116555e6a2fab3423ef

SHA256
9ea786661f9422c4c22025e3e1ee49cdc21424a24213ccb8761268a0fa88c5b1

SHA512
e87f1b2f8661d7321295bb229ab7a3f3d12dc9a7bf4792306442941305e5c618f28cb012b0b2dee41954b0dbbc78f4fca652b9c1d9acdbd7e4bf9c70bf3f3077

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.5MB

MD5
96fe9afe15150cd44126d984b9087035

SHA1
7ab7b18461f1e6ccad122116555e6a2fab3423ef

SHA256
9ea786661f9422c4c22025e3e1ee49cdc21424a24213ccb8761268a0fa88c5b1

SHA512
e87f1b2f8661d7321295bb229ab7a3f3d12dc9a7bf4792306442941305e5c618f28cb012b0b2dee41954b0dbbc78f4fca652b9c1d9acdbd7e4bf9c70bf3f3077

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.5MB

MD5
96fe9afe15150cd44126d984b9087035

SHA1
7ab7b18461f1e6ccad122116555e6a2fab3423ef

SHA256
9ea786661f9422c4c22025e3e1ee49cdc21424a24213ccb8761268a0fa88c5b1

SHA512
e87f1b2f8661d7321295bb229ab7a3f3d12dc9a7bf4792306442941305e5c618f28cb012b0b2dee41954b0dbbc78f4fca652b9c1d9acdbd7e4bf9c70bf3f3077

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.5MB

MD5
96fe9afe15150cd44126d984b9087035

SHA1
7ab7b18461f1e6ccad122116555e6a2fab3423ef

SHA256
9ea786661f9422c4c22025e3e1ee49cdc21424a24213ccb8761268a0fa88c5b1

SHA512
e87f1b2f8661d7321295bb229ab7a3f3d12dc9a7bf4792306442941305e5c618f28cb012b0b2dee41954b0dbbc78f4fca652b9c1d9acdbd7e4bf9c70bf3f3077

Download Submit
memory/1736-136-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1736-65-0x0000000000480000-0x00000000004FB000-memory.dmp

Filesize
492KB

Download
memory/1736-64-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1736-63-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2024-67-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2024-137-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2024-66-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads