708fbd5e374fa157c72999ad4a4e0e83fa3fc04952ce339d375f9e9a2a9f83c3

Analysis

max time kernel
151s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/05/2023, 03:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
Size

3.1MB
MD5

ee0ea7bf38da5b271bf5ef7b01e87666
SHA1

08e22bb8faab1a9f5d446231c820d8dd09ad3321
SHA256

708fbd5e374fa157c72999ad4a4e0e83fa3fc04952ce339d375f9e9a2a9f83c3
SHA512

3aed7bf48890d41edafce14c9cc26335d8830842a13678243bfccbce7c8ec1a5163405fda5d780816a067729b3832c635d00c10750503c55d234433a076a688d
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCb:eEtl9mRda12sX7hKB8NIyXbacAf8

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe

Executes dropped EXE 1 IoCs

pid	Process
1288	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
1724	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
1724	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\X:	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\P:	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
File opened (read-only)	\??\Y:	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
File opened (read-only)	\??\N:	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
File opened (read-only)	\??\Q:	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
File opened (read-only)	\??\U:	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\G:	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
File opened (read-only)	\??\H:	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\M:	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
File opened (read-only)	\??\R:	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
File opened (read-only)	\??\W:	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\B:	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
File opened (read-only)	\??\I:	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
File opened (read-only)	\??\L:	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
File opened (read-only)	\??\O:	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\F:	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
File opened (read-only)	\??\J:	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
File opened (read-only)	\??\S:	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\A:	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
File opened (read-only)	\??\K:	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\E:	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\Z:	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\T:	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
File opened (read-only)	\??\V:	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1288	1724	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe	28
PID 1724 wrote to memory of 1288	1724	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe	28
PID 1724 wrote to memory of 1288	1724	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe	28
PID 1724 wrote to memory of 1288	1724	2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe	28

C:\Users\Admin\AppData\Local\Temp\2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-12_ee0ea7bf38da5b271bf5ef7b01e87666_ryuk.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2961826002-3968192592-354541192-1000\desktop.ini.exe

Filesize
3.1MB

MD5
676aeab83fc60bccb3337c64cb4476c0

SHA1
f3112eaefc9586af4c6bce8ad9feb0444b7bae44

SHA256
8115640062e0e476b6aac74117218a6dedd8aececd451f664aafa50afdd3d09e

SHA512
bebd43d7317a6f9481f13c513343da1a039ef313e13f8075e594f8d7fbbd73806e04c7466a7b6163c30ea48db4108f2f421b9da76b6299161eab04ac18ce21b0

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AutoRun.exe

Filesize
3.1MB

MD5
ee0ea7bf38da5b271bf5ef7b01e87666

SHA1
08e22bb8faab1a9f5d446231c820d8dd09ad3321

SHA256
708fbd5e374fa157c72999ad4a4e0e83fa3fc04952ce339d375f9e9a2a9f83c3

SHA512
3aed7bf48890d41edafce14c9cc26335d8830842a13678243bfccbce7c8ec1a5163405fda5d780816a067729b3832c635d00c10750503c55d234433a076a688d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7a66ba78dcb86abf97dd9ede6e244c37

SHA1
edc2a9a58b21898bec53dd0929d8d76932238248

SHA256
860a9a0e78429959dce5b90b9ed832b52a2394b39c60fbe71a408a3ea0ff49e2

SHA512
3533c4d74991d3a3f2d9dda008df38fdf948093bbc0a3acf7be70573a0f8e604dfb7bf7867558cf35c10d463aeac857941d5ac898b25287734150525177f5929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7a66ba78dcb86abf97dd9ede6e244c37

SHA1
edc2a9a58b21898bec53dd0929d8d76932238248

SHA256
860a9a0e78429959dce5b90b9ed832b52a2394b39c60fbe71a408a3ea0ff49e2

SHA512
3533c4d74991d3a3f2d9dda008df38fdf948093bbc0a3acf7be70573a0f8e604dfb7bf7867558cf35c10d463aeac857941d5ac898b25287734150525177f5929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7a66ba78dcb86abf97dd9ede6e244c37

SHA1
edc2a9a58b21898bec53dd0929d8d76932238248

SHA256
860a9a0e78429959dce5b90b9ed832b52a2394b39c60fbe71a408a3ea0ff49e2

SHA512
3533c4d74991d3a3f2d9dda008df38fdf948093bbc0a3acf7be70573a0f8e604dfb7bf7867558cf35c10d463aeac857941d5ac898b25287734150525177f5929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7a66ba78dcb86abf97dd9ede6e244c37

SHA1
edc2a9a58b21898bec53dd0929d8d76932238248

SHA256
860a9a0e78429959dce5b90b9ed832b52a2394b39c60fbe71a408a3ea0ff49e2

SHA512
3533c4d74991d3a3f2d9dda008df38fdf948093bbc0a3acf7be70573a0f8e604dfb7bf7867558cf35c10d463aeac857941d5ac898b25287734150525177f5929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7a66ba78dcb86abf97dd9ede6e244c37

SHA1
edc2a9a58b21898bec53dd0929d8d76932238248

SHA256
860a9a0e78429959dce5b90b9ed832b52a2394b39c60fbe71a408a3ea0ff49e2

SHA512
3533c4d74991d3a3f2d9dda008df38fdf948093bbc0a3acf7be70573a0f8e604dfb7bf7867558cf35c10d463aeac857941d5ac898b25287734150525177f5929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7a66ba78dcb86abf97dd9ede6e244c37

SHA1
edc2a9a58b21898bec53dd0929d8d76932238248

SHA256
860a9a0e78429959dce5b90b9ed832b52a2394b39c60fbe71a408a3ea0ff49e2

SHA512
3533c4d74991d3a3f2d9dda008df38fdf948093bbc0a3acf7be70573a0f8e604dfb7bf7867558cf35c10d463aeac857941d5ac898b25287734150525177f5929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7a66ba78dcb86abf97dd9ede6e244c37

SHA1
edc2a9a58b21898bec53dd0929d8d76932238248

SHA256
860a9a0e78429959dce5b90b9ed832b52a2394b39c60fbe71a408a3ea0ff49e2

SHA512
3533c4d74991d3a3f2d9dda008df38fdf948093bbc0a3acf7be70573a0f8e604dfb7bf7867558cf35c10d463aeac857941d5ac898b25287734150525177f5929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7a66ba78dcb86abf97dd9ede6e244c37

SHA1
edc2a9a58b21898bec53dd0929d8d76932238248

SHA256
860a9a0e78429959dce5b90b9ed832b52a2394b39c60fbe71a408a3ea0ff49e2

SHA512
3533c4d74991d3a3f2d9dda008df38fdf948093bbc0a3acf7be70573a0f8e604dfb7bf7867558cf35c10d463aeac857941d5ac898b25287734150525177f5929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7a66ba78dcb86abf97dd9ede6e244c37

SHA1
edc2a9a58b21898bec53dd0929d8d76932238248

SHA256
860a9a0e78429959dce5b90b9ed832b52a2394b39c60fbe71a408a3ea0ff49e2

SHA512
3533c4d74991d3a3f2d9dda008df38fdf948093bbc0a3acf7be70573a0f8e604dfb7bf7867558cf35c10d463aeac857941d5ac898b25287734150525177f5929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7a66ba78dcb86abf97dd9ede6e244c37

SHA1
edc2a9a58b21898bec53dd0929d8d76932238248

SHA256
860a9a0e78429959dce5b90b9ed832b52a2394b39c60fbe71a408a3ea0ff49e2

SHA512
3533c4d74991d3a3f2d9dda008df38fdf948093bbc0a3acf7be70573a0f8e604dfb7bf7867558cf35c10d463aeac857941d5ac898b25287734150525177f5929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7a66ba78dcb86abf97dd9ede6e244c37

SHA1
edc2a9a58b21898bec53dd0929d8d76932238248

SHA256
860a9a0e78429959dce5b90b9ed832b52a2394b39c60fbe71a408a3ea0ff49e2

SHA512
3533c4d74991d3a3f2d9dda008df38fdf948093bbc0a3acf7be70573a0f8e604dfb7bf7867558cf35c10d463aeac857941d5ac898b25287734150525177f5929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7a66ba78dcb86abf97dd9ede6e244c37

SHA1
edc2a9a58b21898bec53dd0929d8d76932238248

SHA256
860a9a0e78429959dce5b90b9ed832b52a2394b39c60fbe71a408a3ea0ff49e2

SHA512
3533c4d74991d3a3f2d9dda008df38fdf948093bbc0a3acf7be70573a0f8e604dfb7bf7867558cf35c10d463aeac857941d5ac898b25287734150525177f5929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7a66ba78dcb86abf97dd9ede6e244c37

SHA1
edc2a9a58b21898bec53dd0929d8d76932238248

SHA256
860a9a0e78429959dce5b90b9ed832b52a2394b39c60fbe71a408a3ea0ff49e2

SHA512
3533c4d74991d3a3f2d9dda008df38fdf948093bbc0a3acf7be70573a0f8e604dfb7bf7867558cf35c10d463aeac857941d5ac898b25287734150525177f5929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7a66ba78dcb86abf97dd9ede6e244c37

SHA1
edc2a9a58b21898bec53dd0929d8d76932238248

SHA256
860a9a0e78429959dce5b90b9ed832b52a2394b39c60fbe71a408a3ea0ff49e2

SHA512
3533c4d74991d3a3f2d9dda008df38fdf948093bbc0a3acf7be70573a0f8e604dfb7bf7867558cf35c10d463aeac857941d5ac898b25287734150525177f5929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7a66ba78dcb86abf97dd9ede6e244c37

SHA1
edc2a9a58b21898bec53dd0929d8d76932238248

SHA256
860a9a0e78429959dce5b90b9ed832b52a2394b39c60fbe71a408a3ea0ff49e2

SHA512
3533c4d74991d3a3f2d9dda008df38fdf948093bbc0a3acf7be70573a0f8e604dfb7bf7867558cf35c10d463aeac857941d5ac898b25287734150525177f5929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7a66ba78dcb86abf97dd9ede6e244c37

SHA1
edc2a9a58b21898bec53dd0929d8d76932238248

SHA256
860a9a0e78429959dce5b90b9ed832b52a2394b39c60fbe71a408a3ea0ff49e2

SHA512
3533c4d74991d3a3f2d9dda008df38fdf948093bbc0a3acf7be70573a0f8e604dfb7bf7867558cf35c10d463aeac857941d5ac898b25287734150525177f5929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7a66ba78dcb86abf97dd9ede6e244c37

SHA1
edc2a9a58b21898bec53dd0929d8d76932238248

SHA256
860a9a0e78429959dce5b90b9ed832b52a2394b39c60fbe71a408a3ea0ff49e2

SHA512
3533c4d74991d3a3f2d9dda008df38fdf948093bbc0a3acf7be70573a0f8e604dfb7bf7867558cf35c10d463aeac857941d5ac898b25287734150525177f5929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7a66ba78dcb86abf97dd9ede6e244c37

SHA1
edc2a9a58b21898bec53dd0929d8d76932238248

SHA256
860a9a0e78429959dce5b90b9ed832b52a2394b39c60fbe71a408a3ea0ff49e2

SHA512
3533c4d74991d3a3f2d9dda008df38fdf948093bbc0a3acf7be70573a0f8e604dfb7bf7867558cf35c10d463aeac857941d5ac898b25287734150525177f5929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7a66ba78dcb86abf97dd9ede6e244c37

SHA1
edc2a9a58b21898bec53dd0929d8d76932238248

SHA256
860a9a0e78429959dce5b90b9ed832b52a2394b39c60fbe71a408a3ea0ff49e2

SHA512
3533c4d74991d3a3f2d9dda008df38fdf948093bbc0a3acf7be70573a0f8e604dfb7bf7867558cf35c10d463aeac857941d5ac898b25287734150525177f5929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7a66ba78dcb86abf97dd9ede6e244c37

SHA1
edc2a9a58b21898bec53dd0929d8d76932238248

SHA256
860a9a0e78429959dce5b90b9ed832b52a2394b39c60fbe71a408a3ea0ff49e2

SHA512
3533c4d74991d3a3f2d9dda008df38fdf948093bbc0a3acf7be70573a0f8e604dfb7bf7867558cf35c10d463aeac857941d5ac898b25287734150525177f5929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
430a3dd90823f9f4ebe06b5b619904a2

SHA1
93459504c7aad74f563bc5d6922cc5e49272988b

SHA256
477a1d01cb6c5cc9be2096659185df5253dc70dc7ad8ed696d0db24531da611b

SHA512
e2f8ff433cda15a53feed699ced05a1380d618f4c1550f81f5d482fdd39c8409d27313222601c5973fbe0f86c07ddaa1a358e54b43bd172227444d443b8c886a

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
3.1MB

MD5
32c573208432ecefb37ec23c24d8ee04

SHA1
c7e61113a29122de1118accdead9ee60aad4f09d

SHA256
e8fd3faa231f7878bde3e048689a5f34c84d3e798cb4373608406871655c7d64

SHA512
b17cd19e3f31781eb965b0920c6b90312a2817251c53c1750056154ef3364316a17a8e32d9e86dd7096f99adb431464504947ecfda0103641b32fae50504afa9

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
3.1MB

MD5
32c573208432ecefb37ec23c24d8ee04

SHA1
c7e61113a29122de1118accdead9ee60aad4f09d

SHA256
e8fd3faa231f7878bde3e048689a5f34c84d3e798cb4373608406871655c7d64

SHA512
b17cd19e3f31781eb965b0920c6b90312a2817251c53c1750056154ef3364316a17a8e32d9e86dd7096f99adb431464504947ecfda0103641b32fae50504afa9

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
3.1MB

MD5
32c573208432ecefb37ec23c24d8ee04

SHA1
c7e61113a29122de1118accdead9ee60aad4f09d

SHA256
e8fd3faa231f7878bde3e048689a5f34c84d3e798cb4373608406871655c7d64

SHA512
b17cd19e3f31781eb965b0920c6b90312a2817251c53c1750056154ef3364316a17a8e32d9e86dd7096f99adb431464504947ecfda0103641b32fae50504afa9

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
3.1MB

MD5
32c573208432ecefb37ec23c24d8ee04

SHA1
c7e61113a29122de1118accdead9ee60aad4f09d

SHA256
e8fd3faa231f7878bde3e048689a5f34c84d3e798cb4373608406871655c7d64

SHA512
b17cd19e3f31781eb965b0920c6b90312a2817251c53c1750056154ef3364316a17a8e32d9e86dd7096f99adb431464504947ecfda0103641b32fae50504afa9

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
3.1MB

MD5
32c573208432ecefb37ec23c24d8ee04

SHA1
c7e61113a29122de1118accdead9ee60aad4f09d

SHA256
e8fd3faa231f7878bde3e048689a5f34c84d3e798cb4373608406871655c7d64

SHA512
b17cd19e3f31781eb965b0920c6b90312a2817251c53c1750056154ef3364316a17a8e32d9e86dd7096f99adb431464504947ecfda0103641b32fae50504afa9

Download Submit
memory/1288-157-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1288-68-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1288-67-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1724-120-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1724-66-0x0000000000480000-0x00000000004FB000-memory.dmp

Filesize
492KB

Download
memory/1724-58-0x0000000000480000-0x00000000004FB000-memory.dmp

Filesize
492KB

Download
memory/1724-57-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1724-56-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads