dbcab77d9c7966de98413d2aedfe6ee6f464189c2eaf35215f59534fc3926a7c

Analysis

max time kernel
149s
max time network
29s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/05/2023, 03:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
Size

2.4MB
MD5

90dae46e52f2b5108de3b856e2a54d04
SHA1

18d2e1c30d47642e272dc6ad6e2104d5c468e354
SHA256

dbcab77d9c7966de98413d2aedfe6ee6f464189c2eaf35215f59534fc3926a7c
SHA512

4173ebb1d4d5b8f7811262f838e18facc3ca0a8e710cdff10fa821f994a181a82ef050dbd58e592fa507a17902f4303568b8c07e0b880dfde25a33d4eee53c5f
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCS:eEtl9mRda12sX7hKB8NIyXbacAf/

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe

Executes dropped EXE 1 IoCs

pid	Process
1652	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
1960	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
1960	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\B:	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
File opened (read-only)	\??\E:	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\F:	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
File opened (read-only)	\??\X:	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
File opened (read-only)	\??\S:	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
File opened (read-only)	\??\T:	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\I:	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
File opened (read-only)	\??\O:	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
File opened (read-only)	\??\U:	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
File opened (read-only)	\??\Z:	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\G:	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
File opened (read-only)	\??\R:	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\L:	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
File opened (read-only)	\??\Q:	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
File opened (read-only)	\??\P:	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\A:	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
File opened (read-only)	\??\N:	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
File opened (read-only)	\??\M:	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\J:	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
File opened (read-only)	\??\K:	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
File opened (read-only)	\??\Y:	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\V:	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
File opened (read-only)	\??\W:	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1652	1960	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe	27
PID 1960 wrote to memory of 1652	1960	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe	27
PID 1960 wrote to memory of 1652	1960	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe	27
PID 1960 wrote to memory of 1652	1960	2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe	27

C:\Users\Admin\AppData\Local\Temp\2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-12_90dae46e52f2b5108de3b856e2a54d04_ryuk.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\desktop.ini.exe

Filesize
2.4MB

MD5
7b971a48ece01b6b15b28143ee573807

SHA1
ea893f56be6e956429f2a2f28cfcff4239732682

SHA256
0b19196e5fa412e2adcc6015d07501bc8069b06354b3b81a881fc807aeefd231

SHA512
2d84ba44b3e32b1de1d4afc06ec66d1de730fe07a159e2a06f10d1bb198814d47ee48a9f2bc96cb9160105bbbdd5948456f60782d2c076451f6bd2765cc705d8

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AutoRun.exe

Filesize
2.4MB

MD5
90dae46e52f2b5108de3b856e2a54d04

SHA1
18d2e1c30d47642e272dc6ad6e2104d5c468e354

SHA256
dbcab77d9c7966de98413d2aedfe6ee6f464189c2eaf35215f59534fc3926a7c

SHA512
4173ebb1d4d5b8f7811262f838e18facc3ca0a8e710cdff10fa821f994a181a82ef050dbd58e592fa507a17902f4303568b8c07e0b880dfde25a33d4eee53c5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fd7d530ea3674d03a7d993903c5e4b67

SHA1
3e0594c8dc15b58904d224ac711a0b998a9c5b88

SHA256
db47f5b7cad0e17cec06c0060e67f43867ac01aaa040f8143b7834707fb15839

SHA512
cc1ab27c668a861deab2ccfebcb91aa7337e9a7380873471c93d2315d276960213891d2cbc8a80aa69c094a0d5afbebe0bf1dc085209c58e572a3dc094cfb96f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fd7d530ea3674d03a7d993903c5e4b67

SHA1
3e0594c8dc15b58904d224ac711a0b998a9c5b88

SHA256
db47f5b7cad0e17cec06c0060e67f43867ac01aaa040f8143b7834707fb15839

SHA512
cc1ab27c668a861deab2ccfebcb91aa7337e9a7380873471c93d2315d276960213891d2cbc8a80aa69c094a0d5afbebe0bf1dc085209c58e572a3dc094cfb96f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fd7d530ea3674d03a7d993903c5e4b67

SHA1
3e0594c8dc15b58904d224ac711a0b998a9c5b88

SHA256
db47f5b7cad0e17cec06c0060e67f43867ac01aaa040f8143b7834707fb15839

SHA512
cc1ab27c668a861deab2ccfebcb91aa7337e9a7380873471c93d2315d276960213891d2cbc8a80aa69c094a0d5afbebe0bf1dc085209c58e572a3dc094cfb96f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fd7d530ea3674d03a7d993903c5e4b67

SHA1
3e0594c8dc15b58904d224ac711a0b998a9c5b88

SHA256
db47f5b7cad0e17cec06c0060e67f43867ac01aaa040f8143b7834707fb15839

SHA512
cc1ab27c668a861deab2ccfebcb91aa7337e9a7380873471c93d2315d276960213891d2cbc8a80aa69c094a0d5afbebe0bf1dc085209c58e572a3dc094cfb96f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fd7d530ea3674d03a7d993903c5e4b67

SHA1
3e0594c8dc15b58904d224ac711a0b998a9c5b88

SHA256
db47f5b7cad0e17cec06c0060e67f43867ac01aaa040f8143b7834707fb15839

SHA512
cc1ab27c668a861deab2ccfebcb91aa7337e9a7380873471c93d2315d276960213891d2cbc8a80aa69c094a0d5afbebe0bf1dc085209c58e572a3dc094cfb96f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fd7d530ea3674d03a7d993903c5e4b67

SHA1
3e0594c8dc15b58904d224ac711a0b998a9c5b88

SHA256
db47f5b7cad0e17cec06c0060e67f43867ac01aaa040f8143b7834707fb15839

SHA512
cc1ab27c668a861deab2ccfebcb91aa7337e9a7380873471c93d2315d276960213891d2cbc8a80aa69c094a0d5afbebe0bf1dc085209c58e572a3dc094cfb96f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fd7d530ea3674d03a7d993903c5e4b67

SHA1
3e0594c8dc15b58904d224ac711a0b998a9c5b88

SHA256
db47f5b7cad0e17cec06c0060e67f43867ac01aaa040f8143b7834707fb15839

SHA512
cc1ab27c668a861deab2ccfebcb91aa7337e9a7380873471c93d2315d276960213891d2cbc8a80aa69c094a0d5afbebe0bf1dc085209c58e572a3dc094cfb96f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fd7d530ea3674d03a7d993903c5e4b67

SHA1
3e0594c8dc15b58904d224ac711a0b998a9c5b88

SHA256
db47f5b7cad0e17cec06c0060e67f43867ac01aaa040f8143b7834707fb15839

SHA512
cc1ab27c668a861deab2ccfebcb91aa7337e9a7380873471c93d2315d276960213891d2cbc8a80aa69c094a0d5afbebe0bf1dc085209c58e572a3dc094cfb96f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fd7d530ea3674d03a7d993903c5e4b67

SHA1
3e0594c8dc15b58904d224ac711a0b998a9c5b88

SHA256
db47f5b7cad0e17cec06c0060e67f43867ac01aaa040f8143b7834707fb15839

SHA512
cc1ab27c668a861deab2ccfebcb91aa7337e9a7380873471c93d2315d276960213891d2cbc8a80aa69c094a0d5afbebe0bf1dc085209c58e572a3dc094cfb96f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fd7d530ea3674d03a7d993903c5e4b67

SHA1
3e0594c8dc15b58904d224ac711a0b998a9c5b88

SHA256
db47f5b7cad0e17cec06c0060e67f43867ac01aaa040f8143b7834707fb15839

SHA512
cc1ab27c668a861deab2ccfebcb91aa7337e9a7380873471c93d2315d276960213891d2cbc8a80aa69c094a0d5afbebe0bf1dc085209c58e572a3dc094cfb96f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fd7d530ea3674d03a7d993903c5e4b67

SHA1
3e0594c8dc15b58904d224ac711a0b998a9c5b88

SHA256
db47f5b7cad0e17cec06c0060e67f43867ac01aaa040f8143b7834707fb15839

SHA512
cc1ab27c668a861deab2ccfebcb91aa7337e9a7380873471c93d2315d276960213891d2cbc8a80aa69c094a0d5afbebe0bf1dc085209c58e572a3dc094cfb96f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fd7d530ea3674d03a7d993903c5e4b67

SHA1
3e0594c8dc15b58904d224ac711a0b998a9c5b88

SHA256
db47f5b7cad0e17cec06c0060e67f43867ac01aaa040f8143b7834707fb15839

SHA512
cc1ab27c668a861deab2ccfebcb91aa7337e9a7380873471c93d2315d276960213891d2cbc8a80aa69c094a0d5afbebe0bf1dc085209c58e572a3dc094cfb96f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fd7d530ea3674d03a7d993903c5e4b67

SHA1
3e0594c8dc15b58904d224ac711a0b998a9c5b88

SHA256
db47f5b7cad0e17cec06c0060e67f43867ac01aaa040f8143b7834707fb15839

SHA512
cc1ab27c668a861deab2ccfebcb91aa7337e9a7380873471c93d2315d276960213891d2cbc8a80aa69c094a0d5afbebe0bf1dc085209c58e572a3dc094cfb96f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fd7d530ea3674d03a7d993903c5e4b67

SHA1
3e0594c8dc15b58904d224ac711a0b998a9c5b88

SHA256
db47f5b7cad0e17cec06c0060e67f43867ac01aaa040f8143b7834707fb15839

SHA512
cc1ab27c668a861deab2ccfebcb91aa7337e9a7380873471c93d2315d276960213891d2cbc8a80aa69c094a0d5afbebe0bf1dc085209c58e572a3dc094cfb96f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fd7d530ea3674d03a7d993903c5e4b67

SHA1
3e0594c8dc15b58904d224ac711a0b998a9c5b88

SHA256
db47f5b7cad0e17cec06c0060e67f43867ac01aaa040f8143b7834707fb15839

SHA512
cc1ab27c668a861deab2ccfebcb91aa7337e9a7380873471c93d2315d276960213891d2cbc8a80aa69c094a0d5afbebe0bf1dc085209c58e572a3dc094cfb96f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fd7d530ea3674d03a7d993903c5e4b67

SHA1
3e0594c8dc15b58904d224ac711a0b998a9c5b88

SHA256
db47f5b7cad0e17cec06c0060e67f43867ac01aaa040f8143b7834707fb15839

SHA512
cc1ab27c668a861deab2ccfebcb91aa7337e9a7380873471c93d2315d276960213891d2cbc8a80aa69c094a0d5afbebe0bf1dc085209c58e572a3dc094cfb96f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fd7d530ea3674d03a7d993903c5e4b67

SHA1
3e0594c8dc15b58904d224ac711a0b998a9c5b88

SHA256
db47f5b7cad0e17cec06c0060e67f43867ac01aaa040f8143b7834707fb15839

SHA512
cc1ab27c668a861deab2ccfebcb91aa7337e9a7380873471c93d2315d276960213891d2cbc8a80aa69c094a0d5afbebe0bf1dc085209c58e572a3dc094cfb96f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fd7d530ea3674d03a7d993903c5e4b67

SHA1
3e0594c8dc15b58904d224ac711a0b998a9c5b88

SHA256
db47f5b7cad0e17cec06c0060e67f43867ac01aaa040f8143b7834707fb15839

SHA512
cc1ab27c668a861deab2ccfebcb91aa7337e9a7380873471c93d2315d276960213891d2cbc8a80aa69c094a0d5afbebe0bf1dc085209c58e572a3dc094cfb96f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b386e69636c64e702632b97aa78aedb9

SHA1
81dfb65481f9db8ef6cba04bfa19a82dbfcdbeb0

SHA256
3a4b57fcaa63bf2e5acf23068a5975a0daaee397a75cc091e5318377fb917e17

SHA512
d447765e1071cb81dc44a4ac9b5dfa8f567d1332c91ca46e582ed18993806c6e838482fe9671cadbdcbd7681bf8376425ef07627369080e3e11689caa158962c

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
9e24095aca768128d1fbaf64adc5c140

SHA1
2b33417c84ae118df22858ead61d613b1b6e79bd

SHA256
f74ceb260f9eb6da73b9d33a0f23bdf0ec8c6927c358bd98842b3e3325397b3c

SHA512
df828c10ac11e8be5b1d5a8965ce03775434d69a1b91acdf357265a9c6e25aae94e9a2ab9c4ef98ae9a8cfd9636878926fb728b4a3973d5d1bfccbfbaac5cebd

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
9e24095aca768128d1fbaf64adc5c140

SHA1
2b33417c84ae118df22858ead61d613b1b6e79bd

SHA256
f74ceb260f9eb6da73b9d33a0f23bdf0ec8c6927c358bd98842b3e3325397b3c

SHA512
df828c10ac11e8be5b1d5a8965ce03775434d69a1b91acdf357265a9c6e25aae94e9a2ab9c4ef98ae9a8cfd9636878926fb728b4a3973d5d1bfccbfbaac5cebd

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
9e24095aca768128d1fbaf64adc5c140

SHA1
2b33417c84ae118df22858ead61d613b1b6e79bd

SHA256
f74ceb260f9eb6da73b9d33a0f23bdf0ec8c6927c358bd98842b3e3325397b3c

SHA512
df828c10ac11e8be5b1d5a8965ce03775434d69a1b91acdf357265a9c6e25aae94e9a2ab9c4ef98ae9a8cfd9636878926fb728b4a3973d5d1bfccbfbaac5cebd

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
9e24095aca768128d1fbaf64adc5c140

SHA1
2b33417c84ae118df22858ead61d613b1b6e79bd

SHA256
f74ceb260f9eb6da73b9d33a0f23bdf0ec8c6927c358bd98842b3e3325397b3c

SHA512
df828c10ac11e8be5b1d5a8965ce03775434d69a1b91acdf357265a9c6e25aae94e9a2ab9c4ef98ae9a8cfd9636878926fb728b4a3973d5d1bfccbfbaac5cebd

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
9e24095aca768128d1fbaf64adc5c140

SHA1
2b33417c84ae118df22858ead61d613b1b6e79bd

SHA256
f74ceb260f9eb6da73b9d33a0f23bdf0ec8c6927c358bd98842b3e3325397b3c

SHA512
df828c10ac11e8be5b1d5a8965ce03775434d69a1b91acdf357265a9c6e25aae94e9a2ab9c4ef98ae9a8cfd9636878926fb728b4a3973d5d1bfccbfbaac5cebd

Download Submit
memory/1652-114-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1652-66-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1652-67-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1960-62-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1960-64-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1960-65-0x0000000000370000-0x00000000003EB000-memory.dmp

Filesize
492KB

Download
memory/1960-111-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads