e3afa0286aef3f7e440a1244f7132898f403698188f9675a9c70cf4a41118317

Analysis

max time kernel
154s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13-05-2023 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
Size

3.1MB
MD5

b493f8dcb3ed1447de0ba63980f6375e
SHA1

8b31506be25e43f8349a5182f61369904340b596
SHA256

e3afa0286aef3f7e440a1244f7132898f403698188f9675a9c70cf4a41118317
SHA512

7bd276b66fce2e95adbaa3165a30b7ff6c126303540c61421b946ccf24caf2a3f1b9e26a4375f0f54a383facc5a80aa6a385fedc8990477eb78ce193811c8dc2
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCY:eEtl9mRda12sX7hKB8NIyXbacAfD

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
1704	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
1660	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
1660	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\O:	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
File opened (read-only)	\??\Q:	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
File opened (read-only)	\??\X:	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
File opened (read-only)	\??\Z:	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\J:	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
File opened (read-only)	\??\P:	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\R:	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
File opened (read-only)	\??\W:	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
File opened (read-only)	\??\G:	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
File opened (read-only)	\??\H:	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
File opened (read-only)	\??\N:	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
File opened (read-only)	\??\S:	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
File opened (read-only)	\??\T:	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
File opened (read-only)	\??\U:	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\B:	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
File opened (read-only)	\??\F:	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
File opened (read-only)	\??\I:	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
File opened (read-only)	\??\M:	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\A:	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
File opened (read-only)	\??\K:	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
File opened (read-only)	\??\L:	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
File opened (read-only)	\??\Y:	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\E:	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
File opened (read-only)	\??\V:	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1704	1660	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe	28
PID 1660 wrote to memory of 1704	1660	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe	28
PID 1660 wrote to memory of 1704	1660	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe	28
PID 1660 wrote to memory of 1704	1660	2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe	28

C:\Users\Admin\AppData\Local\Temp\2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-12_b493f8dcb3ed1447de0ba63980f6375e_ryuk.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\desktop.ini.exe

Filesize
3.1MB

MD5
84c3256401513efa471de3fece16c212

SHA1
7807e0e0e87d878cbc5b7d26235fe43cf4abbc04

SHA256
4a6ab397fc394ac97643076e3a7a0a2dd0bd06c09f2ad63ce623044b9c9af9cc

SHA512
92627d2dbcde53c32304538a909ff01770493f3937869d62f76dfc3ccaffbe2da8532e61373ee3ca86849b840b231994d86eac4a0a1aee1f60bc2cf2ca2c0dfd

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AutoRun.exe

Filesize
3.1MB

MD5
32c573208432ecefb37ec23c24d8ee04

SHA1
c7e61113a29122de1118accdead9ee60aad4f09d

SHA256
e8fd3faa231f7878bde3e048689a5f34c84d3e798cb4373608406871655c7d64

SHA512
b17cd19e3f31781eb965b0920c6b90312a2817251c53c1750056154ef3364316a17a8e32d9e86dd7096f99adb431464504947ecfda0103641b32fae50504afa9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8906698bd388b0991013da7cf86f145c

SHA1
b1b9dd718f1ab8e9807327c696d7fecbd2e3416f

SHA256
3fedcd21ad2c7fb56478490a2edb0b2faae60f6f89d5972e1842c2f1c96492ce

SHA512
c84147d3d092ef5b670abdaa209bff3c2970ce59a32214b50f394b162996ca31b1b319b7557248f9e582c1bde2ddc2c0fefb9875a4040ba5f85fa44c5b259c01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
7cddb0e1338e0db472dfe21d5c04d991

SHA1
c42fce2ca91da5c8b55fdaad54f2ef9d866b12e4

SHA256
447547c4f4b6392dac8e50344338ed0217c2c09b3fc00c63989b7785376c0d11

SHA512
8827744daed22efb92edc809dda33aa4a41703db642b8562215eea69fe82042072ddb6cc6a89ee7b05b1ca8fafc72e0338ccd0f7a9f740fddb866aa793e007da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
7cddb0e1338e0db472dfe21d5c04d991

SHA1
c42fce2ca91da5c8b55fdaad54f2ef9d866b12e4

SHA256
447547c4f4b6392dac8e50344338ed0217c2c09b3fc00c63989b7785376c0d11

SHA512
8827744daed22efb92edc809dda33aa4a41703db642b8562215eea69fe82042072ddb6cc6a89ee7b05b1ca8fafc72e0338ccd0f7a9f740fddb866aa793e007da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8906698bd388b0991013da7cf86f145c

SHA1
b1b9dd718f1ab8e9807327c696d7fecbd2e3416f

SHA256
3fedcd21ad2c7fb56478490a2edb0b2faae60f6f89d5972e1842c2f1c96492ce

SHA512
c84147d3d092ef5b670abdaa209bff3c2970ce59a32214b50f394b162996ca31b1b319b7557248f9e582c1bde2ddc2c0fefb9875a4040ba5f85fa44c5b259c01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
7cddb0e1338e0db472dfe21d5c04d991

SHA1
c42fce2ca91da5c8b55fdaad54f2ef9d866b12e4

SHA256
447547c4f4b6392dac8e50344338ed0217c2c09b3fc00c63989b7785376c0d11

SHA512
8827744daed22efb92edc809dda33aa4a41703db642b8562215eea69fe82042072ddb6cc6a89ee7b05b1ca8fafc72e0338ccd0f7a9f740fddb866aa793e007da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8906698bd388b0991013da7cf86f145c

SHA1
b1b9dd718f1ab8e9807327c696d7fecbd2e3416f

SHA256
3fedcd21ad2c7fb56478490a2edb0b2faae60f6f89d5972e1842c2f1c96492ce

SHA512
c84147d3d092ef5b670abdaa209bff3c2970ce59a32214b50f394b162996ca31b1b319b7557248f9e582c1bde2ddc2c0fefb9875a4040ba5f85fa44c5b259c01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8906698bd388b0991013da7cf86f145c

SHA1
b1b9dd718f1ab8e9807327c696d7fecbd2e3416f

SHA256
3fedcd21ad2c7fb56478490a2edb0b2faae60f6f89d5972e1842c2f1c96492ce

SHA512
c84147d3d092ef5b670abdaa209bff3c2970ce59a32214b50f394b162996ca31b1b319b7557248f9e582c1bde2ddc2c0fefb9875a4040ba5f85fa44c5b259c01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8906698bd388b0991013da7cf86f145c

SHA1
b1b9dd718f1ab8e9807327c696d7fecbd2e3416f

SHA256
3fedcd21ad2c7fb56478490a2edb0b2faae60f6f89d5972e1842c2f1c96492ce

SHA512
c84147d3d092ef5b670abdaa209bff3c2970ce59a32214b50f394b162996ca31b1b319b7557248f9e582c1bde2ddc2c0fefb9875a4040ba5f85fa44c5b259c01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
7cddb0e1338e0db472dfe21d5c04d991

SHA1
c42fce2ca91da5c8b55fdaad54f2ef9d866b12e4

SHA256
447547c4f4b6392dac8e50344338ed0217c2c09b3fc00c63989b7785376c0d11

SHA512
8827744daed22efb92edc809dda33aa4a41703db642b8562215eea69fe82042072ddb6cc6a89ee7b05b1ca8fafc72e0338ccd0f7a9f740fddb866aa793e007da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8906698bd388b0991013da7cf86f145c

SHA1
b1b9dd718f1ab8e9807327c696d7fecbd2e3416f

SHA256
3fedcd21ad2c7fb56478490a2edb0b2faae60f6f89d5972e1842c2f1c96492ce

SHA512
c84147d3d092ef5b670abdaa209bff3c2970ce59a32214b50f394b162996ca31b1b319b7557248f9e582c1bde2ddc2c0fefb9875a4040ba5f85fa44c5b259c01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
7cddb0e1338e0db472dfe21d5c04d991

SHA1
c42fce2ca91da5c8b55fdaad54f2ef9d866b12e4

SHA256
447547c4f4b6392dac8e50344338ed0217c2c09b3fc00c63989b7785376c0d11

SHA512
8827744daed22efb92edc809dda33aa4a41703db642b8562215eea69fe82042072ddb6cc6a89ee7b05b1ca8fafc72e0338ccd0f7a9f740fddb866aa793e007da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8906698bd388b0991013da7cf86f145c

SHA1
b1b9dd718f1ab8e9807327c696d7fecbd2e3416f

SHA256
3fedcd21ad2c7fb56478490a2edb0b2faae60f6f89d5972e1842c2f1c96492ce

SHA512
c84147d3d092ef5b670abdaa209bff3c2970ce59a32214b50f394b162996ca31b1b319b7557248f9e582c1bde2ddc2c0fefb9875a4040ba5f85fa44c5b259c01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
7cddb0e1338e0db472dfe21d5c04d991

SHA1
c42fce2ca91da5c8b55fdaad54f2ef9d866b12e4

SHA256
447547c4f4b6392dac8e50344338ed0217c2c09b3fc00c63989b7785376c0d11

SHA512
8827744daed22efb92edc809dda33aa4a41703db642b8562215eea69fe82042072ddb6cc6a89ee7b05b1ca8fafc72e0338ccd0f7a9f740fddb866aa793e007da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8906698bd388b0991013da7cf86f145c

SHA1
b1b9dd718f1ab8e9807327c696d7fecbd2e3416f

SHA256
3fedcd21ad2c7fb56478490a2edb0b2faae60f6f89d5972e1842c2f1c96492ce

SHA512
c84147d3d092ef5b670abdaa209bff3c2970ce59a32214b50f394b162996ca31b1b319b7557248f9e582c1bde2ddc2c0fefb9875a4040ba5f85fa44c5b259c01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
7cddb0e1338e0db472dfe21d5c04d991

SHA1
c42fce2ca91da5c8b55fdaad54f2ef9d866b12e4

SHA256
447547c4f4b6392dac8e50344338ed0217c2c09b3fc00c63989b7785376c0d11

SHA512
8827744daed22efb92edc809dda33aa4a41703db642b8562215eea69fe82042072ddb6cc6a89ee7b05b1ca8fafc72e0338ccd0f7a9f740fddb866aa793e007da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8906698bd388b0991013da7cf86f145c

SHA1
b1b9dd718f1ab8e9807327c696d7fecbd2e3416f

SHA256
3fedcd21ad2c7fb56478490a2edb0b2faae60f6f89d5972e1842c2f1c96492ce

SHA512
c84147d3d092ef5b670abdaa209bff3c2970ce59a32214b50f394b162996ca31b1b319b7557248f9e582c1bde2ddc2c0fefb9875a4040ba5f85fa44c5b259c01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8906698bd388b0991013da7cf86f145c

SHA1
b1b9dd718f1ab8e9807327c696d7fecbd2e3416f

SHA256
3fedcd21ad2c7fb56478490a2edb0b2faae60f6f89d5972e1842c2f1c96492ce

SHA512
c84147d3d092ef5b670abdaa209bff3c2970ce59a32214b50f394b162996ca31b1b319b7557248f9e582c1bde2ddc2c0fefb9875a4040ba5f85fa44c5b259c01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
7cddb0e1338e0db472dfe21d5c04d991

SHA1
c42fce2ca91da5c8b55fdaad54f2ef9d866b12e4

SHA256
447547c4f4b6392dac8e50344338ed0217c2c09b3fc00c63989b7785376c0d11

SHA512
8827744daed22efb92edc809dda33aa4a41703db642b8562215eea69fe82042072ddb6cc6a89ee7b05b1ca8fafc72e0338ccd0f7a9f740fddb866aa793e007da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8906698bd388b0991013da7cf86f145c

SHA1
b1b9dd718f1ab8e9807327c696d7fecbd2e3416f

SHA256
3fedcd21ad2c7fb56478490a2edb0b2faae60f6f89d5972e1842c2f1c96492ce

SHA512
c84147d3d092ef5b670abdaa209bff3c2970ce59a32214b50f394b162996ca31b1b319b7557248f9e582c1bde2ddc2c0fefb9875a4040ba5f85fa44c5b259c01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8906698bd388b0991013da7cf86f145c

SHA1
b1b9dd718f1ab8e9807327c696d7fecbd2e3416f

SHA256
3fedcd21ad2c7fb56478490a2edb0b2faae60f6f89d5972e1842c2f1c96492ce

SHA512
c84147d3d092ef5b670abdaa209bff3c2970ce59a32214b50f394b162996ca31b1b319b7557248f9e582c1bde2ddc2c0fefb9875a4040ba5f85fa44c5b259c01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
7cddb0e1338e0db472dfe21d5c04d991

SHA1
c42fce2ca91da5c8b55fdaad54f2ef9d866b12e4

SHA256
447547c4f4b6392dac8e50344338ed0217c2c09b3fc00c63989b7785376c0d11

SHA512
8827744daed22efb92edc809dda33aa4a41703db642b8562215eea69fe82042072ddb6cc6a89ee7b05b1ca8fafc72e0338ccd0f7a9f740fddb866aa793e007da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
7cddb0e1338e0db472dfe21d5c04d991

SHA1
c42fce2ca91da5c8b55fdaad54f2ef9d866b12e4

SHA256
447547c4f4b6392dac8e50344338ed0217c2c09b3fc00c63989b7785376c0d11

SHA512
8827744daed22efb92edc809dda33aa4a41703db642b8562215eea69fe82042072ddb6cc6a89ee7b05b1ca8fafc72e0338ccd0f7a9f740fddb866aa793e007da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8906698bd388b0991013da7cf86f145c

SHA1
b1b9dd718f1ab8e9807327c696d7fecbd2e3416f

SHA256
3fedcd21ad2c7fb56478490a2edb0b2faae60f6f89d5972e1842c2f1c96492ce

SHA512
c84147d3d092ef5b670abdaa209bff3c2970ce59a32214b50f394b162996ca31b1b319b7557248f9e582c1bde2ddc2c0fefb9875a4040ba5f85fa44c5b259c01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
7cddb0e1338e0db472dfe21d5c04d991

SHA1
c42fce2ca91da5c8b55fdaad54f2ef9d866b12e4

SHA256
447547c4f4b6392dac8e50344338ed0217c2c09b3fc00c63989b7785376c0d11

SHA512
8827744daed22efb92edc809dda33aa4a41703db642b8562215eea69fe82042072ddb6cc6a89ee7b05b1ca8fafc72e0338ccd0f7a9f740fddb866aa793e007da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8906698bd388b0991013da7cf86f145c

SHA1
b1b9dd718f1ab8e9807327c696d7fecbd2e3416f

SHA256
3fedcd21ad2c7fb56478490a2edb0b2faae60f6f89d5972e1842c2f1c96492ce

SHA512
c84147d3d092ef5b670abdaa209bff3c2970ce59a32214b50f394b162996ca31b1b319b7557248f9e582c1bde2ddc2c0fefb9875a4040ba5f85fa44c5b259c01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
7cddb0e1338e0db472dfe21d5c04d991

SHA1
c42fce2ca91da5c8b55fdaad54f2ef9d866b12e4

SHA256
447547c4f4b6392dac8e50344338ed0217c2c09b3fc00c63989b7785376c0d11

SHA512
8827744daed22efb92edc809dda33aa4a41703db642b8562215eea69fe82042072ddb6cc6a89ee7b05b1ca8fafc72e0338ccd0f7a9f740fddb866aa793e007da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8906698bd388b0991013da7cf86f145c

SHA1
b1b9dd718f1ab8e9807327c696d7fecbd2e3416f

SHA256
3fedcd21ad2c7fb56478490a2edb0b2faae60f6f89d5972e1842c2f1c96492ce

SHA512
c84147d3d092ef5b670abdaa209bff3c2970ce59a32214b50f394b162996ca31b1b319b7557248f9e582c1bde2ddc2c0fefb9875a4040ba5f85fa44c5b259c01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
7cddb0e1338e0db472dfe21d5c04d991

SHA1
c42fce2ca91da5c8b55fdaad54f2ef9d866b12e4

SHA256
447547c4f4b6392dac8e50344338ed0217c2c09b3fc00c63989b7785376c0d11

SHA512
8827744daed22efb92edc809dda33aa4a41703db642b8562215eea69fe82042072ddb6cc6a89ee7b05b1ca8fafc72e0338ccd0f7a9f740fddb866aa793e007da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8906698bd388b0991013da7cf86f145c

SHA1
b1b9dd718f1ab8e9807327c696d7fecbd2e3416f

SHA256
3fedcd21ad2c7fb56478490a2edb0b2faae60f6f89d5972e1842c2f1c96492ce

SHA512
c84147d3d092ef5b670abdaa209bff3c2970ce59a32214b50f394b162996ca31b1b319b7557248f9e582c1bde2ddc2c0fefb9875a4040ba5f85fa44c5b259c01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8906698bd388b0991013da7cf86f145c

SHA1
b1b9dd718f1ab8e9807327c696d7fecbd2e3416f

SHA256
3fedcd21ad2c7fb56478490a2edb0b2faae60f6f89d5972e1842c2f1c96492ce

SHA512
c84147d3d092ef5b670abdaa209bff3c2970ce59a32214b50f394b162996ca31b1b319b7557248f9e582c1bde2ddc2c0fefb9875a4040ba5f85fa44c5b259c01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
7cddb0e1338e0db472dfe21d5c04d991

SHA1
c42fce2ca91da5c8b55fdaad54f2ef9d866b12e4

SHA256
447547c4f4b6392dac8e50344338ed0217c2c09b3fc00c63989b7785376c0d11

SHA512
8827744daed22efb92edc809dda33aa4a41703db642b8562215eea69fe82042072ddb6cc6a89ee7b05b1ca8fafc72e0338ccd0f7a9f740fddb866aa793e007da

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
3.1MB

MD5
32c573208432ecefb37ec23c24d8ee04

SHA1
c7e61113a29122de1118accdead9ee60aad4f09d

SHA256
e8fd3faa231f7878bde3e048689a5f34c84d3e798cb4373608406871655c7d64

SHA512
b17cd19e3f31781eb965b0920c6b90312a2817251c53c1750056154ef3364316a17a8e32d9e86dd7096f99adb431464504947ecfda0103641b32fae50504afa9

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
3.1MB

MD5
32c573208432ecefb37ec23c24d8ee04

SHA1
c7e61113a29122de1118accdead9ee60aad4f09d

SHA256
e8fd3faa231f7878bde3e048689a5f34c84d3e798cb4373608406871655c7d64

SHA512
b17cd19e3f31781eb965b0920c6b90312a2817251c53c1750056154ef3364316a17a8e32d9e86dd7096f99adb431464504947ecfda0103641b32fae50504afa9

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
3.1MB

MD5
32c573208432ecefb37ec23c24d8ee04

SHA1
c7e61113a29122de1118accdead9ee60aad4f09d

SHA256
e8fd3faa231f7878bde3e048689a5f34c84d3e798cb4373608406871655c7d64

SHA512
b17cd19e3f31781eb965b0920c6b90312a2817251c53c1750056154ef3364316a17a8e32d9e86dd7096f99adb431464504947ecfda0103641b32fae50504afa9

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
3.1MB

MD5
32c573208432ecefb37ec23c24d8ee04

SHA1
c7e61113a29122de1118accdead9ee60aad4f09d

SHA256
e8fd3faa231f7878bde3e048689a5f34c84d3e798cb4373608406871655c7d64

SHA512
b17cd19e3f31781eb965b0920c6b90312a2817251c53c1750056154ef3364316a17a8e32d9e86dd7096f99adb431464504947ecfda0103641b32fae50504afa9

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
3.1MB

MD5
32c573208432ecefb37ec23c24d8ee04

SHA1
c7e61113a29122de1118accdead9ee60aad4f09d

SHA256
e8fd3faa231f7878bde3e048689a5f34c84d3e798cb4373608406871655c7d64

SHA512
b17cd19e3f31781eb965b0920c6b90312a2817251c53c1750056154ef3364316a17a8e32d9e86dd7096f99adb431464504947ecfda0103641b32fae50504afa9

Download Submit
memory/1660-65-0x0000000000720000-0x000000000079B000-memory.dmp

Filesize
492KB

Download
memory/1660-64-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1660-63-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1704-67-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1704-68-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1704-66-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads