f95ab72f3dbc0f053bbf300a20d8e6c26bbab1b6812d04a6fb4770ea3bde30b8

Analysis

max time kernel
151s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15-05-2023 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
Size

2.4MB
MD5

d815dbbd883fb0ca60366fec3446e3f5
SHA1

392fccb013d50ad1fbf7bdcd783be9bb85a48a87
SHA256

f95ab72f3dbc0f053bbf300a20d8e6c26bbab1b6812d04a6fb4770ea3bde30b8
SHA512

42ef36a40ad3993b5abc7b322c5934613d888fb9741554654564d24bd2cd27f1a1146ba1c5b62242959742cbb4fdc58be26efda931b79f74a7f9547dc1944b38
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MC5:eEtl9mRda12sX7hKB8NIyXbacAfC

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
1396	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
1760	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
1760	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\J:	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
File opened (read-only)	\??\P:	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
File opened (read-only)	\??\Y:	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\B:	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
File opened (read-only)	\??\S:	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
File opened (read-only)	\??\X:	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
File opened (read-only)	\??\Z:	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
File opened (read-only)	\??\Q:	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
File opened (read-only)	\??\E:	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
File opened (read-only)	\??\I:	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
File opened (read-only)	\??\M:	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
File opened (read-only)	\??\T:	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
File opened (read-only)	\??\U:	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\A:	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\K:	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
File opened (read-only)	\??\L:	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
File opened (read-only)	\??\R:	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
File opened (read-only)	\??\V:	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
File opened (read-only)	\??\W:	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\H:	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\N:	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\G:	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\F:	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1396	1760	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe	28
PID 1760 wrote to memory of 1396	1760	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe	28
PID 1760 wrote to memory of 1396	1760	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe	28
PID 1760 wrote to memory of 1396	1760	2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe	28

C:\Users\Admin\AppData\Local\Temp\2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-14_d815dbbd883fb0ca60366fec3446e3f5_ryuk.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\desktop.ini.exe

Filesize
2.4MB

MD5
8d23332e3c2a55951d2bb53f7b3598bf

SHA1
1aefd1881a8d06a6fc5a505c723c75216115d37c

SHA256
2044e5cca52a3aa2bb55d52b7c45d6c481887254310772ccc1d36d4f02a3b741

SHA512
49daae9788bad328079431def6d8835f103c0584447f54654ad3b56bf7238c2f5c7731dd0de9488a6e6f1b7fff3b0ce97f9c0f475267cffe9c01afcb28a2ded0

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AutoRun.exe

Filesize
2.4MB

MD5
d815dbbd883fb0ca60366fec3446e3f5

SHA1
392fccb013d50ad1fbf7bdcd783be9bb85a48a87

SHA256
f95ab72f3dbc0f053bbf300a20d8e6c26bbab1b6812d04a6fb4770ea3bde30b8

SHA512
42ef36a40ad3993b5abc7b322c5934613d888fb9741554654564d24bd2cd27f1a1146ba1c5b62242959742cbb4fdc58be26efda931b79f74a7f9547dc1944b38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5d3cdc25403aa4a5024cf01e39ca8a5c

SHA1
25d14c146a13202cc474626df31a845f632dcbf7

SHA256
89f36218fd657a43d83ac71b06c2d60e3744d24f767c41b8f7867d1b7cae9087

SHA512
6ea787d36e64b0fd45fd4669707f72e36033cb936fdcc848af26cdcc9cfeec594f478ee997a01c7c3c9d75d78969536c3cb46af4ff8818182a53b0ac83b62c1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b114d72298d647124d85bc4c2407579b

SHA1
d9f3b56bf1a32d30afb3aeb0fccb356f0c5370c7

SHA256
b692de8798ecaf83b56fa73f9d5967d00a27c267e293ca1f5b38d3c9ad8696ed

SHA512
7cabd839c72d753bf29e9f3010a7b2f88b9c3495a5d9014208f975d04f9ca15903f5d4a7e36a1b5d60ced5293ca4ebe6e41b1755133261b92e14a27f913a99e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5d3cdc25403aa4a5024cf01e39ca8a5c

SHA1
25d14c146a13202cc474626df31a845f632dcbf7

SHA256
89f36218fd657a43d83ac71b06c2d60e3744d24f767c41b8f7867d1b7cae9087

SHA512
6ea787d36e64b0fd45fd4669707f72e36033cb936fdcc848af26cdcc9cfeec594f478ee997a01c7c3c9d75d78969536c3cb46af4ff8818182a53b0ac83b62c1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b114d72298d647124d85bc4c2407579b

SHA1
d9f3b56bf1a32d30afb3aeb0fccb356f0c5370c7

SHA256
b692de8798ecaf83b56fa73f9d5967d00a27c267e293ca1f5b38d3c9ad8696ed

SHA512
7cabd839c72d753bf29e9f3010a7b2f88b9c3495a5d9014208f975d04f9ca15903f5d4a7e36a1b5d60ced5293ca4ebe6e41b1755133261b92e14a27f913a99e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5d3cdc25403aa4a5024cf01e39ca8a5c

SHA1
25d14c146a13202cc474626df31a845f632dcbf7

SHA256
89f36218fd657a43d83ac71b06c2d60e3744d24f767c41b8f7867d1b7cae9087

SHA512
6ea787d36e64b0fd45fd4669707f72e36033cb936fdcc848af26cdcc9cfeec594f478ee997a01c7c3c9d75d78969536c3cb46af4ff8818182a53b0ac83b62c1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5d3cdc25403aa4a5024cf01e39ca8a5c

SHA1
25d14c146a13202cc474626df31a845f632dcbf7

SHA256
89f36218fd657a43d83ac71b06c2d60e3744d24f767c41b8f7867d1b7cae9087

SHA512
6ea787d36e64b0fd45fd4669707f72e36033cb936fdcc848af26cdcc9cfeec594f478ee997a01c7c3c9d75d78969536c3cb46af4ff8818182a53b0ac83b62c1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5d3cdc25403aa4a5024cf01e39ca8a5c

SHA1
25d14c146a13202cc474626df31a845f632dcbf7

SHA256
89f36218fd657a43d83ac71b06c2d60e3744d24f767c41b8f7867d1b7cae9087

SHA512
6ea787d36e64b0fd45fd4669707f72e36033cb936fdcc848af26cdcc9cfeec594f478ee997a01c7c3c9d75d78969536c3cb46af4ff8818182a53b0ac83b62c1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5d3cdc25403aa4a5024cf01e39ca8a5c

SHA1
25d14c146a13202cc474626df31a845f632dcbf7

SHA256
89f36218fd657a43d83ac71b06c2d60e3744d24f767c41b8f7867d1b7cae9087

SHA512
6ea787d36e64b0fd45fd4669707f72e36033cb936fdcc848af26cdcc9cfeec594f478ee997a01c7c3c9d75d78969536c3cb46af4ff8818182a53b0ac83b62c1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b114d72298d647124d85bc4c2407579b

SHA1
d9f3b56bf1a32d30afb3aeb0fccb356f0c5370c7

SHA256
b692de8798ecaf83b56fa73f9d5967d00a27c267e293ca1f5b38d3c9ad8696ed

SHA512
7cabd839c72d753bf29e9f3010a7b2f88b9c3495a5d9014208f975d04f9ca15903f5d4a7e36a1b5d60ced5293ca4ebe6e41b1755133261b92e14a27f913a99e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b114d72298d647124d85bc4c2407579b

SHA1
d9f3b56bf1a32d30afb3aeb0fccb356f0c5370c7

SHA256
b692de8798ecaf83b56fa73f9d5967d00a27c267e293ca1f5b38d3c9ad8696ed

SHA512
7cabd839c72d753bf29e9f3010a7b2f88b9c3495a5d9014208f975d04f9ca15903f5d4a7e36a1b5d60ced5293ca4ebe6e41b1755133261b92e14a27f913a99e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b114d72298d647124d85bc4c2407579b

SHA1
d9f3b56bf1a32d30afb3aeb0fccb356f0c5370c7

SHA256
b692de8798ecaf83b56fa73f9d5967d00a27c267e293ca1f5b38d3c9ad8696ed

SHA512
7cabd839c72d753bf29e9f3010a7b2f88b9c3495a5d9014208f975d04f9ca15903f5d4a7e36a1b5d60ced5293ca4ebe6e41b1755133261b92e14a27f913a99e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b114d72298d647124d85bc4c2407579b

SHA1
d9f3b56bf1a32d30afb3aeb0fccb356f0c5370c7

SHA256
b692de8798ecaf83b56fa73f9d5967d00a27c267e293ca1f5b38d3c9ad8696ed

SHA512
7cabd839c72d753bf29e9f3010a7b2f88b9c3495a5d9014208f975d04f9ca15903f5d4a7e36a1b5d60ced5293ca4ebe6e41b1755133261b92e14a27f913a99e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b114d72298d647124d85bc4c2407579b

SHA1
d9f3b56bf1a32d30afb3aeb0fccb356f0c5370c7

SHA256
b692de8798ecaf83b56fa73f9d5967d00a27c267e293ca1f5b38d3c9ad8696ed

SHA512
7cabd839c72d753bf29e9f3010a7b2f88b9c3495a5d9014208f975d04f9ca15903f5d4a7e36a1b5d60ced5293ca4ebe6e41b1755133261b92e14a27f913a99e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5d3cdc25403aa4a5024cf01e39ca8a5c

SHA1
25d14c146a13202cc474626df31a845f632dcbf7

SHA256
89f36218fd657a43d83ac71b06c2d60e3744d24f767c41b8f7867d1b7cae9087

SHA512
6ea787d36e64b0fd45fd4669707f72e36033cb936fdcc848af26cdcc9cfeec594f478ee997a01c7c3c9d75d78969536c3cb46af4ff8818182a53b0ac83b62c1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b114d72298d647124d85bc4c2407579b

SHA1
d9f3b56bf1a32d30afb3aeb0fccb356f0c5370c7

SHA256
b692de8798ecaf83b56fa73f9d5967d00a27c267e293ca1f5b38d3c9ad8696ed

SHA512
7cabd839c72d753bf29e9f3010a7b2f88b9c3495a5d9014208f975d04f9ca15903f5d4a7e36a1b5d60ced5293ca4ebe6e41b1755133261b92e14a27f913a99e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b114d72298d647124d85bc4c2407579b

SHA1
d9f3b56bf1a32d30afb3aeb0fccb356f0c5370c7

SHA256
b692de8798ecaf83b56fa73f9d5967d00a27c267e293ca1f5b38d3c9ad8696ed

SHA512
7cabd839c72d753bf29e9f3010a7b2f88b9c3495a5d9014208f975d04f9ca15903f5d4a7e36a1b5d60ced5293ca4ebe6e41b1755133261b92e14a27f913a99e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5d3cdc25403aa4a5024cf01e39ca8a5c

SHA1
25d14c146a13202cc474626df31a845f632dcbf7

SHA256
89f36218fd657a43d83ac71b06c2d60e3744d24f767c41b8f7867d1b7cae9087

SHA512
6ea787d36e64b0fd45fd4669707f72e36033cb936fdcc848af26cdcc9cfeec594f478ee997a01c7c3c9d75d78969536c3cb46af4ff8818182a53b0ac83b62c1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5d3cdc25403aa4a5024cf01e39ca8a5c

SHA1
25d14c146a13202cc474626df31a845f632dcbf7

SHA256
89f36218fd657a43d83ac71b06c2d60e3744d24f767c41b8f7867d1b7cae9087

SHA512
6ea787d36e64b0fd45fd4669707f72e36033cb936fdcc848af26cdcc9cfeec594f478ee997a01c7c3c9d75d78969536c3cb46af4ff8818182a53b0ac83b62c1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b114d72298d647124d85bc4c2407579b

SHA1
d9f3b56bf1a32d30afb3aeb0fccb356f0c5370c7

SHA256
b692de8798ecaf83b56fa73f9d5967d00a27c267e293ca1f5b38d3c9ad8696ed

SHA512
7cabd839c72d753bf29e9f3010a7b2f88b9c3495a5d9014208f975d04f9ca15903f5d4a7e36a1b5d60ced5293ca4ebe6e41b1755133261b92e14a27f913a99e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b114d72298d647124d85bc4c2407579b

SHA1
d9f3b56bf1a32d30afb3aeb0fccb356f0c5370c7

SHA256
b692de8798ecaf83b56fa73f9d5967d00a27c267e293ca1f5b38d3c9ad8696ed

SHA512
7cabd839c72d753bf29e9f3010a7b2f88b9c3495a5d9014208f975d04f9ca15903f5d4a7e36a1b5d60ced5293ca4ebe6e41b1755133261b92e14a27f913a99e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b114d72298d647124d85bc4c2407579b

SHA1
d9f3b56bf1a32d30afb3aeb0fccb356f0c5370c7

SHA256
b692de8798ecaf83b56fa73f9d5967d00a27c267e293ca1f5b38d3c9ad8696ed

SHA512
7cabd839c72d753bf29e9f3010a7b2f88b9c3495a5d9014208f975d04f9ca15903f5d4a7e36a1b5d60ced5293ca4ebe6e41b1755133261b92e14a27f913a99e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b114d72298d647124d85bc4c2407579b

SHA1
d9f3b56bf1a32d30afb3aeb0fccb356f0c5370c7

SHA256
b692de8798ecaf83b56fa73f9d5967d00a27c267e293ca1f5b38d3c9ad8696ed

SHA512
7cabd839c72d753bf29e9f3010a7b2f88b9c3495a5d9014208f975d04f9ca15903f5d4a7e36a1b5d60ced5293ca4ebe6e41b1755133261b92e14a27f913a99e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b114d72298d647124d85bc4c2407579b

SHA1
d9f3b56bf1a32d30afb3aeb0fccb356f0c5370c7

SHA256
b692de8798ecaf83b56fa73f9d5967d00a27c267e293ca1f5b38d3c9ad8696ed

SHA512
7cabd839c72d753bf29e9f3010a7b2f88b9c3495a5d9014208f975d04f9ca15903f5d4a7e36a1b5d60ced5293ca4ebe6e41b1755133261b92e14a27f913a99e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b114d72298d647124d85bc4c2407579b

SHA1
d9f3b56bf1a32d30afb3aeb0fccb356f0c5370c7

SHA256
b692de8798ecaf83b56fa73f9d5967d00a27c267e293ca1f5b38d3c9ad8696ed

SHA512
7cabd839c72d753bf29e9f3010a7b2f88b9c3495a5d9014208f975d04f9ca15903f5d4a7e36a1b5d60ced5293ca4ebe6e41b1755133261b92e14a27f913a99e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b114d72298d647124d85bc4c2407579b

SHA1
d9f3b56bf1a32d30afb3aeb0fccb356f0c5370c7

SHA256
b692de8798ecaf83b56fa73f9d5967d00a27c267e293ca1f5b38d3c9ad8696ed

SHA512
7cabd839c72d753bf29e9f3010a7b2f88b9c3495a5d9014208f975d04f9ca15903f5d4a7e36a1b5d60ced5293ca4ebe6e41b1755133261b92e14a27f913a99e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b114d72298d647124d85bc4c2407579b

SHA1
d9f3b56bf1a32d30afb3aeb0fccb356f0c5370c7

SHA256
b692de8798ecaf83b56fa73f9d5967d00a27c267e293ca1f5b38d3c9ad8696ed

SHA512
7cabd839c72d753bf29e9f3010a7b2f88b9c3495a5d9014208f975d04f9ca15903f5d4a7e36a1b5d60ced5293ca4ebe6e41b1755133261b92e14a27f913a99e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
b114d72298d647124d85bc4c2407579b

SHA1
d9f3b56bf1a32d30afb3aeb0fccb356f0c5370c7

SHA256
b692de8798ecaf83b56fa73f9d5967d00a27c267e293ca1f5b38d3c9ad8696ed

SHA512
7cabd839c72d753bf29e9f3010a7b2f88b9c3495a5d9014208f975d04f9ca15903f5d4a7e36a1b5d60ced5293ca4ebe6e41b1755133261b92e14a27f913a99e6

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
9e24095aca768128d1fbaf64adc5c140

SHA1
2b33417c84ae118df22858ead61d613b1b6e79bd

SHA256
f74ceb260f9eb6da73b9d33a0f23bdf0ec8c6927c358bd98842b3e3325397b3c

SHA512
df828c10ac11e8be5b1d5a8965ce03775434d69a1b91acdf357265a9c6e25aae94e9a2ab9c4ef98ae9a8cfd9636878926fb728b4a3973d5d1bfccbfbaac5cebd

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
9e24095aca768128d1fbaf64adc5c140

SHA1
2b33417c84ae118df22858ead61d613b1b6e79bd

SHA256
f74ceb260f9eb6da73b9d33a0f23bdf0ec8c6927c358bd98842b3e3325397b3c

SHA512
df828c10ac11e8be5b1d5a8965ce03775434d69a1b91acdf357265a9c6e25aae94e9a2ab9c4ef98ae9a8cfd9636878926fb728b4a3973d5d1bfccbfbaac5cebd

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
9e24095aca768128d1fbaf64adc5c140

SHA1
2b33417c84ae118df22858ead61d613b1b6e79bd

SHA256
f74ceb260f9eb6da73b9d33a0f23bdf0ec8c6927c358bd98842b3e3325397b3c

SHA512
df828c10ac11e8be5b1d5a8965ce03775434d69a1b91acdf357265a9c6e25aae94e9a2ab9c4ef98ae9a8cfd9636878926fb728b4a3973d5d1bfccbfbaac5cebd

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
9e24095aca768128d1fbaf64adc5c140

SHA1
2b33417c84ae118df22858ead61d613b1b6e79bd

SHA256
f74ceb260f9eb6da73b9d33a0f23bdf0ec8c6927c358bd98842b3e3325397b3c

SHA512
df828c10ac11e8be5b1d5a8965ce03775434d69a1b91acdf357265a9c6e25aae94e9a2ab9c4ef98ae9a8cfd9636878926fb728b4a3973d5d1bfccbfbaac5cebd

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
9e24095aca768128d1fbaf64adc5c140

SHA1
2b33417c84ae118df22858ead61d613b1b6e79bd

SHA256
f74ceb260f9eb6da73b9d33a0f23bdf0ec8c6927c358bd98842b3e3325397b3c

SHA512
df828c10ac11e8be5b1d5a8965ce03775434d69a1b91acdf357265a9c6e25aae94e9a2ab9c4ef98ae9a8cfd9636878926fb728b4a3973d5d1bfccbfbaac5cebd

Download Submit
memory/1396-115-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1396-68-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1396-67-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1760-112-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1760-66-0x0000000001F00000-0x0000000001F7B000-memory.dmp

Filesize
492KB

Download
memory/1760-58-0x0000000001F00000-0x0000000001F7B000-memory.dmp

Filesize
492KB

Download
memory/1760-57-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1760-56-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads