71ecee8c350c7aeeb32c902a2a5c97a1541603ab89db74acfa10e7e7e37e5e45

Analysis

max time kernel
148s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13-05-2023 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
Size

3.1MB
MD5

0783ee1a1636154c369af767016efbf1
SHA1

b1dc1648219cf8244b9cd55681717d4c2779df05
SHA256

71ecee8c350c7aeeb32c902a2a5c97a1541603ab89db74acfa10e7e7e37e5e45
SHA512

5bc2c599e4be799ec8beb31bef1ea9aa5f2cc9ad29c1e357bea01362f605cefd529d25c8284080c25d3e820cc6b3587ad99c462bf281aaf40c33e81ab0852514
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCR:eEtl9mRda12sX7hKB8NIyXbacAfa

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
1716	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
272	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
272	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\E:	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File opened (read-only)	\??\N:	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File opened (read-only)	\??\P:	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File opened (read-only)	\??\U:	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File opened (read-only)	\??\Y:	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\G:	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File opened (read-only)	\??\V:	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File opened (read-only)	\??\X:	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\A:	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File opened (read-only)	\??\H:	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File opened (read-only)	\??\J:	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File opened (read-only)	\??\T:	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File opened (read-only)	\??\Z:	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\B:	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File opened (read-only)	\??\K:	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File opened (read-only)	\??\M:	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File opened (read-only)	\??\W:	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\Q:	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File opened (read-only)	\??\R:	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\I:	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File opened (read-only)	\??\O:	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\F:	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File opened (read-only)	\??\L:	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File opened (read-only)	\??\S:	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 272 wrote to memory of 1716	272	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe	28
PID 272 wrote to memory of 1716	272	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe	28
PID 272 wrote to memory of 1716	272	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe	28
PID 272 wrote to memory of 1716	272	2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe	28

C:\Users\Admin\AppData\Local\Temp\2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-12_0783ee1a1636154c369af767016efbf1_ryuk.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:272
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\desktop.ini.exe

Filesize
3.2MB

MD5
ee66db020d679c29ca94dfea49d7e47a

SHA1
e8ee6856f112dd6b9967c4e223a28ca4f4d50ec8

SHA256
2bdf73b1ad01024a47e61839dfab06529d992623e36843d2f17a2e526083c325

SHA512
b7f67260f923e98dd2e88fdd22989f929e35bc7b60fa17dfca714dc7378b1cd9e13a0441f85733eabfe0afc4c30cc5c39737a515bd8c6d38a4c69e988df49b04

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AutoRun.exe

Filesize
3.1MB

MD5
0783ee1a1636154c369af767016efbf1

SHA1
b1dc1648219cf8244b9cd55681717d4c2779df05

SHA256
71ecee8c350c7aeeb32c902a2a5c97a1541603ab89db74acfa10e7e7e37e5e45

SHA512
5bc2c599e4be799ec8beb31bef1ea9aa5f2cc9ad29c1e357bea01362f605cefd529d25c8284080c25d3e820cc6b3587ad99c462bf281aaf40c33e81ab0852514

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b904a175f5917bf3d1c1dcb07d15ce40

SHA1
f1d8d0ce826258488e6c717bb8df543665581eef

SHA256
4d5f06e4098e823f91533ca1ebb5ac170f92f24f7351292aa5378760fbd5c944

SHA512
cec477720faa768e9f3dbf948dd93efbfb2dc5671455f948456d19de19405fa32a859e621f882a17f20ae8d8afb7147c35643274566fdd341e05106f831dddfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b904a175f5917bf3d1c1dcb07d15ce40

SHA1
f1d8d0ce826258488e6c717bb8df543665581eef

SHA256
4d5f06e4098e823f91533ca1ebb5ac170f92f24f7351292aa5378760fbd5c944

SHA512
cec477720faa768e9f3dbf948dd93efbfb2dc5671455f948456d19de19405fa32a859e621f882a17f20ae8d8afb7147c35643274566fdd341e05106f831dddfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3ed9b0279bdf3b8b92d5cb116b331ff0

SHA1
8ac25eba0fa85e3f0c601311290267ecb53e9ac3

SHA256
6949afa12d01af62ab497e37dcea8c92f8855219daa732a21f366a1e0d4dc587

SHA512
939dbeb7eb1b3945fc18cb8653464c596f11a5ceb6d337451d5209865cf31ea691f0f550d09ed6e9ff6c9a1668b5e1a0f7f92f361ff7f563df1c664d4c61b26a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b904a175f5917bf3d1c1dcb07d15ce40

SHA1
f1d8d0ce826258488e6c717bb8df543665581eef

SHA256
4d5f06e4098e823f91533ca1ebb5ac170f92f24f7351292aa5378760fbd5c944

SHA512
cec477720faa768e9f3dbf948dd93efbfb2dc5671455f948456d19de19405fa32a859e621f882a17f20ae8d8afb7147c35643274566fdd341e05106f831dddfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b904a175f5917bf3d1c1dcb07d15ce40

SHA1
f1d8d0ce826258488e6c717bb8df543665581eef

SHA256
4d5f06e4098e823f91533ca1ebb5ac170f92f24f7351292aa5378760fbd5c944

SHA512
cec477720faa768e9f3dbf948dd93efbfb2dc5671455f948456d19de19405fa32a859e621f882a17f20ae8d8afb7147c35643274566fdd341e05106f831dddfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b904a175f5917bf3d1c1dcb07d15ce40

SHA1
f1d8d0ce826258488e6c717bb8df543665581eef

SHA256
4d5f06e4098e823f91533ca1ebb5ac170f92f24f7351292aa5378760fbd5c944

SHA512
cec477720faa768e9f3dbf948dd93efbfb2dc5671455f948456d19de19405fa32a859e621f882a17f20ae8d8afb7147c35643274566fdd341e05106f831dddfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3ed9b0279bdf3b8b92d5cb116b331ff0

SHA1
8ac25eba0fa85e3f0c601311290267ecb53e9ac3

SHA256
6949afa12d01af62ab497e37dcea8c92f8855219daa732a21f366a1e0d4dc587

SHA512
939dbeb7eb1b3945fc18cb8653464c596f11a5ceb6d337451d5209865cf31ea691f0f550d09ed6e9ff6c9a1668b5e1a0f7f92f361ff7f563df1c664d4c61b26a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b904a175f5917bf3d1c1dcb07d15ce40

SHA1
f1d8d0ce826258488e6c717bb8df543665581eef

SHA256
4d5f06e4098e823f91533ca1ebb5ac170f92f24f7351292aa5378760fbd5c944

SHA512
cec477720faa768e9f3dbf948dd93efbfb2dc5671455f948456d19de19405fa32a859e621f882a17f20ae8d8afb7147c35643274566fdd341e05106f831dddfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3ed9b0279bdf3b8b92d5cb116b331ff0

SHA1
8ac25eba0fa85e3f0c601311290267ecb53e9ac3

SHA256
6949afa12d01af62ab497e37dcea8c92f8855219daa732a21f366a1e0d4dc587

SHA512
939dbeb7eb1b3945fc18cb8653464c596f11a5ceb6d337451d5209865cf31ea691f0f550d09ed6e9ff6c9a1668b5e1a0f7f92f361ff7f563df1c664d4c61b26a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3ed9b0279bdf3b8b92d5cb116b331ff0

SHA1
8ac25eba0fa85e3f0c601311290267ecb53e9ac3

SHA256
6949afa12d01af62ab497e37dcea8c92f8855219daa732a21f366a1e0d4dc587

SHA512
939dbeb7eb1b3945fc18cb8653464c596f11a5ceb6d337451d5209865cf31ea691f0f550d09ed6e9ff6c9a1668b5e1a0f7f92f361ff7f563df1c664d4c61b26a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3ed9b0279bdf3b8b92d5cb116b331ff0

SHA1
8ac25eba0fa85e3f0c601311290267ecb53e9ac3

SHA256
6949afa12d01af62ab497e37dcea8c92f8855219daa732a21f366a1e0d4dc587

SHA512
939dbeb7eb1b3945fc18cb8653464c596f11a5ceb6d337451d5209865cf31ea691f0f550d09ed6e9ff6c9a1668b5e1a0f7f92f361ff7f563df1c664d4c61b26a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b904a175f5917bf3d1c1dcb07d15ce40

SHA1
f1d8d0ce826258488e6c717bb8df543665581eef

SHA256
4d5f06e4098e823f91533ca1ebb5ac170f92f24f7351292aa5378760fbd5c944

SHA512
cec477720faa768e9f3dbf948dd93efbfb2dc5671455f948456d19de19405fa32a859e621f882a17f20ae8d8afb7147c35643274566fdd341e05106f831dddfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b904a175f5917bf3d1c1dcb07d15ce40

SHA1
f1d8d0ce826258488e6c717bb8df543665581eef

SHA256
4d5f06e4098e823f91533ca1ebb5ac170f92f24f7351292aa5378760fbd5c944

SHA512
cec477720faa768e9f3dbf948dd93efbfb2dc5671455f948456d19de19405fa32a859e621f882a17f20ae8d8afb7147c35643274566fdd341e05106f831dddfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3ed9b0279bdf3b8b92d5cb116b331ff0

SHA1
8ac25eba0fa85e3f0c601311290267ecb53e9ac3

SHA256
6949afa12d01af62ab497e37dcea8c92f8855219daa732a21f366a1e0d4dc587

SHA512
939dbeb7eb1b3945fc18cb8653464c596f11a5ceb6d337451d5209865cf31ea691f0f550d09ed6e9ff6c9a1668b5e1a0f7f92f361ff7f563df1c664d4c61b26a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b904a175f5917bf3d1c1dcb07d15ce40

SHA1
f1d8d0ce826258488e6c717bb8df543665581eef

SHA256
4d5f06e4098e823f91533ca1ebb5ac170f92f24f7351292aa5378760fbd5c944

SHA512
cec477720faa768e9f3dbf948dd93efbfb2dc5671455f948456d19de19405fa32a859e621f882a17f20ae8d8afb7147c35643274566fdd341e05106f831dddfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b904a175f5917bf3d1c1dcb07d15ce40

SHA1
f1d8d0ce826258488e6c717bb8df543665581eef

SHA256
4d5f06e4098e823f91533ca1ebb5ac170f92f24f7351292aa5378760fbd5c944

SHA512
cec477720faa768e9f3dbf948dd93efbfb2dc5671455f948456d19de19405fa32a859e621f882a17f20ae8d8afb7147c35643274566fdd341e05106f831dddfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b904a175f5917bf3d1c1dcb07d15ce40

SHA1
f1d8d0ce826258488e6c717bb8df543665581eef

SHA256
4d5f06e4098e823f91533ca1ebb5ac170f92f24f7351292aa5378760fbd5c944

SHA512
cec477720faa768e9f3dbf948dd93efbfb2dc5671455f948456d19de19405fa32a859e621f882a17f20ae8d8afb7147c35643274566fdd341e05106f831dddfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b904a175f5917bf3d1c1dcb07d15ce40

SHA1
f1d8d0ce826258488e6c717bb8df543665581eef

SHA256
4d5f06e4098e823f91533ca1ebb5ac170f92f24f7351292aa5378760fbd5c944

SHA512
cec477720faa768e9f3dbf948dd93efbfb2dc5671455f948456d19de19405fa32a859e621f882a17f20ae8d8afb7147c35643274566fdd341e05106f831dddfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b904a175f5917bf3d1c1dcb07d15ce40

SHA1
f1d8d0ce826258488e6c717bb8df543665581eef

SHA256
4d5f06e4098e823f91533ca1ebb5ac170f92f24f7351292aa5378760fbd5c944

SHA512
cec477720faa768e9f3dbf948dd93efbfb2dc5671455f948456d19de19405fa32a859e621f882a17f20ae8d8afb7147c35643274566fdd341e05106f831dddfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b904a175f5917bf3d1c1dcb07d15ce40

SHA1
f1d8d0ce826258488e6c717bb8df543665581eef

SHA256
4d5f06e4098e823f91533ca1ebb5ac170f92f24f7351292aa5378760fbd5c944

SHA512
cec477720faa768e9f3dbf948dd93efbfb2dc5671455f948456d19de19405fa32a859e621f882a17f20ae8d8afb7147c35643274566fdd341e05106f831dddfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b904a175f5917bf3d1c1dcb07d15ce40

SHA1
f1d8d0ce826258488e6c717bb8df543665581eef

SHA256
4d5f06e4098e823f91533ca1ebb5ac170f92f24f7351292aa5378760fbd5c944

SHA512
cec477720faa768e9f3dbf948dd93efbfb2dc5671455f948456d19de19405fa32a859e621f882a17f20ae8d8afb7147c35643274566fdd341e05106f831dddfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3ed9b0279bdf3b8b92d5cb116b331ff0

SHA1
8ac25eba0fa85e3f0c601311290267ecb53e9ac3

SHA256
6949afa12d01af62ab497e37dcea8c92f8855219daa732a21f366a1e0d4dc587

SHA512
939dbeb7eb1b3945fc18cb8653464c596f11a5ceb6d337451d5209865cf31ea691f0f550d09ed6e9ff6c9a1668b5e1a0f7f92f361ff7f563df1c664d4c61b26a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3ed9b0279bdf3b8b92d5cb116b331ff0

SHA1
8ac25eba0fa85e3f0c601311290267ecb53e9ac3

SHA256
6949afa12d01af62ab497e37dcea8c92f8855219daa732a21f366a1e0d4dc587

SHA512
939dbeb7eb1b3945fc18cb8653464c596f11a5ceb6d337451d5209865cf31ea691f0f550d09ed6e9ff6c9a1668b5e1a0f7f92f361ff7f563df1c664d4c61b26a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b904a175f5917bf3d1c1dcb07d15ce40

SHA1
f1d8d0ce826258488e6c717bb8df543665581eef

SHA256
4d5f06e4098e823f91533ca1ebb5ac170f92f24f7351292aa5378760fbd5c944

SHA512
cec477720faa768e9f3dbf948dd93efbfb2dc5671455f948456d19de19405fa32a859e621f882a17f20ae8d8afb7147c35643274566fdd341e05106f831dddfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3ed9b0279bdf3b8b92d5cb116b331ff0

SHA1
8ac25eba0fa85e3f0c601311290267ecb53e9ac3

SHA256
6949afa12d01af62ab497e37dcea8c92f8855219daa732a21f366a1e0d4dc587

SHA512
939dbeb7eb1b3945fc18cb8653464c596f11a5ceb6d337451d5209865cf31ea691f0f550d09ed6e9ff6c9a1668b5e1a0f7f92f361ff7f563df1c664d4c61b26a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b904a175f5917bf3d1c1dcb07d15ce40

SHA1
f1d8d0ce826258488e6c717bb8df543665581eef

SHA256
4d5f06e4098e823f91533ca1ebb5ac170f92f24f7351292aa5378760fbd5c944

SHA512
cec477720faa768e9f3dbf948dd93efbfb2dc5671455f948456d19de19405fa32a859e621f882a17f20ae8d8afb7147c35643274566fdd341e05106f831dddfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3ed9b0279bdf3b8b92d5cb116b331ff0

SHA1
8ac25eba0fa85e3f0c601311290267ecb53e9ac3

SHA256
6949afa12d01af62ab497e37dcea8c92f8855219daa732a21f366a1e0d4dc587

SHA512
939dbeb7eb1b3945fc18cb8653464c596f11a5ceb6d337451d5209865cf31ea691f0f550d09ed6e9ff6c9a1668b5e1a0f7f92f361ff7f563df1c664d4c61b26a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3ed9b0279bdf3b8b92d5cb116b331ff0

SHA1
8ac25eba0fa85e3f0c601311290267ecb53e9ac3

SHA256
6949afa12d01af62ab497e37dcea8c92f8855219daa732a21f366a1e0d4dc587

SHA512
939dbeb7eb1b3945fc18cb8653464c596f11a5ceb6d337451d5209865cf31ea691f0f550d09ed6e9ff6c9a1668b5e1a0f7f92f361ff7f563df1c664d4c61b26a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b904a175f5917bf3d1c1dcb07d15ce40

SHA1
f1d8d0ce826258488e6c717bb8df543665581eef

SHA256
4d5f06e4098e823f91533ca1ebb5ac170f92f24f7351292aa5378760fbd5c944

SHA512
cec477720faa768e9f3dbf948dd93efbfb2dc5671455f948456d19de19405fa32a859e621f882a17f20ae8d8afb7147c35643274566fdd341e05106f831dddfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3ed9b0279bdf3b8b92d5cb116b331ff0

SHA1
8ac25eba0fa85e3f0c601311290267ecb53e9ac3

SHA256
6949afa12d01af62ab497e37dcea8c92f8855219daa732a21f366a1e0d4dc587

SHA512
939dbeb7eb1b3945fc18cb8653464c596f11a5ceb6d337451d5209865cf31ea691f0f550d09ed6e9ff6c9a1668b5e1a0f7f92f361ff7f563df1c664d4c61b26a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3ed9b0279bdf3b8b92d5cb116b331ff0

SHA1
8ac25eba0fa85e3f0c601311290267ecb53e9ac3

SHA256
6949afa12d01af62ab497e37dcea8c92f8855219daa732a21f366a1e0d4dc587

SHA512
939dbeb7eb1b3945fc18cb8653464c596f11a5ceb6d337451d5209865cf31ea691f0f550d09ed6e9ff6c9a1668b5e1a0f7f92f361ff7f563df1c664d4c61b26a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b904a175f5917bf3d1c1dcb07d15ce40

SHA1
f1d8d0ce826258488e6c717bb8df543665581eef

SHA256
4d5f06e4098e823f91533ca1ebb5ac170f92f24f7351292aa5378760fbd5c944

SHA512
cec477720faa768e9f3dbf948dd93efbfb2dc5671455f948456d19de19405fa32a859e621f882a17f20ae8d8afb7147c35643274566fdd341e05106f831dddfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3ed9b0279bdf3b8b92d5cb116b331ff0

SHA1
8ac25eba0fa85e3f0c601311290267ecb53e9ac3

SHA256
6949afa12d01af62ab497e37dcea8c92f8855219daa732a21f366a1e0d4dc587

SHA512
939dbeb7eb1b3945fc18cb8653464c596f11a5ceb6d337451d5209865cf31ea691f0f550d09ed6e9ff6c9a1668b5e1a0f7f92f361ff7f563df1c664d4c61b26a

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
3.1MB

MD5
32c573208432ecefb37ec23c24d8ee04

SHA1
c7e61113a29122de1118accdead9ee60aad4f09d

SHA256
e8fd3faa231f7878bde3e048689a5f34c84d3e798cb4373608406871655c7d64

SHA512
b17cd19e3f31781eb965b0920c6b90312a2817251c53c1750056154ef3364316a17a8e32d9e86dd7096f99adb431464504947ecfda0103641b32fae50504afa9

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
3.1MB

MD5
32c573208432ecefb37ec23c24d8ee04

SHA1
c7e61113a29122de1118accdead9ee60aad4f09d

SHA256
e8fd3faa231f7878bde3e048689a5f34c84d3e798cb4373608406871655c7d64

SHA512
b17cd19e3f31781eb965b0920c6b90312a2817251c53c1750056154ef3364316a17a8e32d9e86dd7096f99adb431464504947ecfda0103641b32fae50504afa9

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
3.1MB

MD5
32c573208432ecefb37ec23c24d8ee04

SHA1
c7e61113a29122de1118accdead9ee60aad4f09d

SHA256
e8fd3faa231f7878bde3e048689a5f34c84d3e798cb4373608406871655c7d64

SHA512
b17cd19e3f31781eb965b0920c6b90312a2817251c53c1750056154ef3364316a17a8e32d9e86dd7096f99adb431464504947ecfda0103641b32fae50504afa9

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
3.1MB

MD5
32c573208432ecefb37ec23c24d8ee04

SHA1
c7e61113a29122de1118accdead9ee60aad4f09d

SHA256
e8fd3faa231f7878bde3e048689a5f34c84d3e798cb4373608406871655c7d64

SHA512
b17cd19e3f31781eb965b0920c6b90312a2817251c53c1750056154ef3364316a17a8e32d9e86dd7096f99adb431464504947ecfda0103641b32fae50504afa9

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
3.1MB

MD5
32c573208432ecefb37ec23c24d8ee04

SHA1
c7e61113a29122de1118accdead9ee60aad4f09d

SHA256
e8fd3faa231f7878bde3e048689a5f34c84d3e798cb4373608406871655c7d64

SHA512
b17cd19e3f31781eb965b0920c6b90312a2817251c53c1750056154ef3364316a17a8e32d9e86dd7096f99adb431464504947ecfda0103641b32fae50504afa9

Download Submit
memory/272-65-0x0000000000370000-0x00000000003EB000-memory.dmp

Filesize
492KB

Download
memory/272-261-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/272-64-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/272-63-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1716-262-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1716-66-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1716-67-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads