57ba237eebf8422a8f7fac07f6e6710d62ad2ef91fef58810c720073b1fdba44

Analysis

max time kernel
152s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15/05/2023, 15:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
Size

2.4MB
MD5

f03084124fe54e59dc78b3a1678072e4
SHA1

0c6a70261cdff49359651745436d5262225ee91b
SHA256

57ba237eebf8422a8f7fac07f6e6710d62ad2ef91fef58810c720073b1fdba44
SHA512

ba3956af855bfea9dd623ab96ab0545cdc60cda4e1078fa25a617b523f1df41132e678f73f80190f778b7e5668b407b76915b30d8a153bfba96e6efd1c928a90
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCS:eEtl9mRda12sX7hKB8NIyXbacAfv

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe

Executes dropped EXE 1 IoCs

pid	Process
852	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
1756	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
1756	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\J:	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
File opened (read-only)	\??\K:	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
File opened (read-only)	\??\S:	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
File opened (read-only)	\??\Y:	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\A:	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
File opened (read-only)	\??\E:	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
File opened (read-only)	\??\V:	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\L:	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
File opened (read-only)	\??\O:	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
File opened (read-only)	\??\T:	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
File opened (read-only)	\??\U:	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\F:	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
File opened (read-only)	\??\G:	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
File opened (read-only)	\??\I:	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
File opened (read-only)	\??\N:	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
File opened (read-only)	\??\R:	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\H:	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
File opened (read-only)	\??\Z:	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\P:	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
File opened (read-only)	\??\Q:	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
File opened (read-only)	\??\W:	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\B:	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
File opened (read-only)	\??\M:	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
File opened (read-only)	\??\X:	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 852	1756	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe	28
PID 1756 wrote to memory of 852	1756	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe	28
PID 1756 wrote to memory of 852	1756	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe	28
PID 1756 wrote to memory of 852	1756	2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe	28

C:\Users\Admin\AppData\Local\Temp\2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-14_f03084124fe54e59dc78b3a1678072e4_ryuk.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3948302646-268491222-1934009652-1000\desktop.ini.exe

Filesize
2.4MB

MD5
555b37e847cd4d888eaa4fdfec384dfe

SHA1
99fa4bc50aedd192fcbb8601b20e9e1e5d68a466

SHA256
1fa4c75082f9076763d6cc046f1a8e9fd58271ec5eaa1c5ee4cc8fd21e7883d6

SHA512
cde3c08bd64852890a100dc8d162a2c9c95e5db7e5120713060c87b86410126a32207bf279910c3ac61d0d86479be317eaba58b81c075e4ac3b106437ff04421

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AutoRun.exe

Filesize
2.4MB

MD5
f03084124fe54e59dc78b3a1678072e4

SHA1
0c6a70261cdff49359651745436d5262225ee91b

SHA256
57ba237eebf8422a8f7fac07f6e6710d62ad2ef91fef58810c720073b1fdba44

SHA512
ba3956af855bfea9dd623ab96ab0545cdc60cda4e1078fa25a617b523f1df41132e678f73f80190f778b7e5668b407b76915b30d8a153bfba96e6efd1c928a90

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
ecfdf385177b48aadb4dbfb8e163a17f

SHA1
43a29b98122d8c696012d1dbe762ebf7388914ec

SHA256
135c80366bf7fc3f4d08ec5bac1efb1b0e4393d23fe566e41cd3af6309fbc455

SHA512
d1bb4fa48e38ccf60ebb3556ca97b133bf348affd038530c15755911f85b9776f5ea40d742eab426784074e3dc95468958f7bfd9f6208a67e4191bbeae09cb66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b0daf6723f6b90569a727715ecd0fea

SHA1
eb2aaa1cac8006d2d794775aa4829c9e51862067

SHA256
0793930829ee2877669e93ca5284da8509e03235e26369b6069ef04f99091acc

SHA512
37d0e62301fb657d139eb93243cda759414fcc2ff450cfdc5e50216e9c53f3e294e932e660ce8520e0b5bc6579e925a0cc55f1ee406e1337c199089ce81058dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b0daf6723f6b90569a727715ecd0fea

SHA1
eb2aaa1cac8006d2d794775aa4829c9e51862067

SHA256
0793930829ee2877669e93ca5284da8509e03235e26369b6069ef04f99091acc

SHA512
37d0e62301fb657d139eb93243cda759414fcc2ff450cfdc5e50216e9c53f3e294e932e660ce8520e0b5bc6579e925a0cc55f1ee406e1337c199089ce81058dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
ecfdf385177b48aadb4dbfb8e163a17f

SHA1
43a29b98122d8c696012d1dbe762ebf7388914ec

SHA256
135c80366bf7fc3f4d08ec5bac1efb1b0e4393d23fe566e41cd3af6309fbc455

SHA512
d1bb4fa48e38ccf60ebb3556ca97b133bf348affd038530c15755911f85b9776f5ea40d742eab426784074e3dc95468958f7bfd9f6208a67e4191bbeae09cb66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b0daf6723f6b90569a727715ecd0fea

SHA1
eb2aaa1cac8006d2d794775aa4829c9e51862067

SHA256
0793930829ee2877669e93ca5284da8509e03235e26369b6069ef04f99091acc

SHA512
37d0e62301fb657d139eb93243cda759414fcc2ff450cfdc5e50216e9c53f3e294e932e660ce8520e0b5bc6579e925a0cc55f1ee406e1337c199089ce81058dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
ecfdf385177b48aadb4dbfb8e163a17f

SHA1
43a29b98122d8c696012d1dbe762ebf7388914ec

SHA256
135c80366bf7fc3f4d08ec5bac1efb1b0e4393d23fe566e41cd3af6309fbc455

SHA512
d1bb4fa48e38ccf60ebb3556ca97b133bf348affd038530c15755911f85b9776f5ea40d742eab426784074e3dc95468958f7bfd9f6208a67e4191bbeae09cb66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b0daf6723f6b90569a727715ecd0fea

SHA1
eb2aaa1cac8006d2d794775aa4829c9e51862067

SHA256
0793930829ee2877669e93ca5284da8509e03235e26369b6069ef04f99091acc

SHA512
37d0e62301fb657d139eb93243cda759414fcc2ff450cfdc5e50216e9c53f3e294e932e660ce8520e0b5bc6579e925a0cc55f1ee406e1337c199089ce81058dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b0daf6723f6b90569a727715ecd0fea

SHA1
eb2aaa1cac8006d2d794775aa4829c9e51862067

SHA256
0793930829ee2877669e93ca5284da8509e03235e26369b6069ef04f99091acc

SHA512
37d0e62301fb657d139eb93243cda759414fcc2ff450cfdc5e50216e9c53f3e294e932e660ce8520e0b5bc6579e925a0cc55f1ee406e1337c199089ce81058dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
ecfdf385177b48aadb4dbfb8e163a17f

SHA1
43a29b98122d8c696012d1dbe762ebf7388914ec

SHA256
135c80366bf7fc3f4d08ec5bac1efb1b0e4393d23fe566e41cd3af6309fbc455

SHA512
d1bb4fa48e38ccf60ebb3556ca97b133bf348affd038530c15755911f85b9776f5ea40d742eab426784074e3dc95468958f7bfd9f6208a67e4191bbeae09cb66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
ecfdf385177b48aadb4dbfb8e163a17f

SHA1
43a29b98122d8c696012d1dbe762ebf7388914ec

SHA256
135c80366bf7fc3f4d08ec5bac1efb1b0e4393d23fe566e41cd3af6309fbc455

SHA512
d1bb4fa48e38ccf60ebb3556ca97b133bf348affd038530c15755911f85b9776f5ea40d742eab426784074e3dc95468958f7bfd9f6208a67e4191bbeae09cb66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b0daf6723f6b90569a727715ecd0fea

SHA1
eb2aaa1cac8006d2d794775aa4829c9e51862067

SHA256
0793930829ee2877669e93ca5284da8509e03235e26369b6069ef04f99091acc

SHA512
37d0e62301fb657d139eb93243cda759414fcc2ff450cfdc5e50216e9c53f3e294e932e660ce8520e0b5bc6579e925a0cc55f1ee406e1337c199089ce81058dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b0daf6723f6b90569a727715ecd0fea

SHA1
eb2aaa1cac8006d2d794775aa4829c9e51862067

SHA256
0793930829ee2877669e93ca5284da8509e03235e26369b6069ef04f99091acc

SHA512
37d0e62301fb657d139eb93243cda759414fcc2ff450cfdc5e50216e9c53f3e294e932e660ce8520e0b5bc6579e925a0cc55f1ee406e1337c199089ce81058dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b0daf6723f6b90569a727715ecd0fea

SHA1
eb2aaa1cac8006d2d794775aa4829c9e51862067

SHA256
0793930829ee2877669e93ca5284da8509e03235e26369b6069ef04f99091acc

SHA512
37d0e62301fb657d139eb93243cda759414fcc2ff450cfdc5e50216e9c53f3e294e932e660ce8520e0b5bc6579e925a0cc55f1ee406e1337c199089ce81058dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
ecfdf385177b48aadb4dbfb8e163a17f

SHA1
43a29b98122d8c696012d1dbe762ebf7388914ec

SHA256
135c80366bf7fc3f4d08ec5bac1efb1b0e4393d23fe566e41cd3af6309fbc455

SHA512
d1bb4fa48e38ccf60ebb3556ca97b133bf348affd038530c15755911f85b9776f5ea40d742eab426784074e3dc95468958f7bfd9f6208a67e4191bbeae09cb66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b0daf6723f6b90569a727715ecd0fea

SHA1
eb2aaa1cac8006d2d794775aa4829c9e51862067

SHA256
0793930829ee2877669e93ca5284da8509e03235e26369b6069ef04f99091acc

SHA512
37d0e62301fb657d139eb93243cda759414fcc2ff450cfdc5e50216e9c53f3e294e932e660ce8520e0b5bc6579e925a0cc55f1ee406e1337c199089ce81058dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b0daf6723f6b90569a727715ecd0fea

SHA1
eb2aaa1cac8006d2d794775aa4829c9e51862067

SHA256
0793930829ee2877669e93ca5284da8509e03235e26369b6069ef04f99091acc

SHA512
37d0e62301fb657d139eb93243cda759414fcc2ff450cfdc5e50216e9c53f3e294e932e660ce8520e0b5bc6579e925a0cc55f1ee406e1337c199089ce81058dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b0daf6723f6b90569a727715ecd0fea

SHA1
eb2aaa1cac8006d2d794775aa4829c9e51862067

SHA256
0793930829ee2877669e93ca5284da8509e03235e26369b6069ef04f99091acc

SHA512
37d0e62301fb657d139eb93243cda759414fcc2ff450cfdc5e50216e9c53f3e294e932e660ce8520e0b5bc6579e925a0cc55f1ee406e1337c199089ce81058dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b0daf6723f6b90569a727715ecd0fea

SHA1
eb2aaa1cac8006d2d794775aa4829c9e51862067

SHA256
0793930829ee2877669e93ca5284da8509e03235e26369b6069ef04f99091acc

SHA512
37d0e62301fb657d139eb93243cda759414fcc2ff450cfdc5e50216e9c53f3e294e932e660ce8520e0b5bc6579e925a0cc55f1ee406e1337c199089ce81058dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
ecfdf385177b48aadb4dbfb8e163a17f

SHA1
43a29b98122d8c696012d1dbe762ebf7388914ec

SHA256
135c80366bf7fc3f4d08ec5bac1efb1b0e4393d23fe566e41cd3af6309fbc455

SHA512
d1bb4fa48e38ccf60ebb3556ca97b133bf348affd038530c15755911f85b9776f5ea40d742eab426784074e3dc95468958f7bfd9f6208a67e4191bbeae09cb66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b0daf6723f6b90569a727715ecd0fea

SHA1
eb2aaa1cac8006d2d794775aa4829c9e51862067

SHA256
0793930829ee2877669e93ca5284da8509e03235e26369b6069ef04f99091acc

SHA512
37d0e62301fb657d139eb93243cda759414fcc2ff450cfdc5e50216e9c53f3e294e932e660ce8520e0b5bc6579e925a0cc55f1ee406e1337c199089ce81058dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
ecfdf385177b48aadb4dbfb8e163a17f

SHA1
43a29b98122d8c696012d1dbe762ebf7388914ec

SHA256
135c80366bf7fc3f4d08ec5bac1efb1b0e4393d23fe566e41cd3af6309fbc455

SHA512
d1bb4fa48e38ccf60ebb3556ca97b133bf348affd038530c15755911f85b9776f5ea40d742eab426784074e3dc95468958f7bfd9f6208a67e4191bbeae09cb66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b0daf6723f6b90569a727715ecd0fea

SHA1
eb2aaa1cac8006d2d794775aa4829c9e51862067

SHA256
0793930829ee2877669e93ca5284da8509e03235e26369b6069ef04f99091acc

SHA512
37d0e62301fb657d139eb93243cda759414fcc2ff450cfdc5e50216e9c53f3e294e932e660ce8520e0b5bc6579e925a0cc55f1ee406e1337c199089ce81058dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
ecfdf385177b48aadb4dbfb8e163a17f

SHA1
43a29b98122d8c696012d1dbe762ebf7388914ec

SHA256
135c80366bf7fc3f4d08ec5bac1efb1b0e4393d23fe566e41cd3af6309fbc455

SHA512
d1bb4fa48e38ccf60ebb3556ca97b133bf348affd038530c15755911f85b9776f5ea40d742eab426784074e3dc95468958f7bfd9f6208a67e4191bbeae09cb66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b0daf6723f6b90569a727715ecd0fea

SHA1
eb2aaa1cac8006d2d794775aa4829c9e51862067

SHA256
0793930829ee2877669e93ca5284da8509e03235e26369b6069ef04f99091acc

SHA512
37d0e62301fb657d139eb93243cda759414fcc2ff450cfdc5e50216e9c53f3e294e932e660ce8520e0b5bc6579e925a0cc55f1ee406e1337c199089ce81058dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
ecfdf385177b48aadb4dbfb8e163a17f

SHA1
43a29b98122d8c696012d1dbe762ebf7388914ec

SHA256
135c80366bf7fc3f4d08ec5bac1efb1b0e4393d23fe566e41cd3af6309fbc455

SHA512
d1bb4fa48e38ccf60ebb3556ca97b133bf348affd038530c15755911f85b9776f5ea40d742eab426784074e3dc95468958f7bfd9f6208a67e4191bbeae09cb66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b0daf6723f6b90569a727715ecd0fea

SHA1
eb2aaa1cac8006d2d794775aa4829c9e51862067

SHA256
0793930829ee2877669e93ca5284da8509e03235e26369b6069ef04f99091acc

SHA512
37d0e62301fb657d139eb93243cda759414fcc2ff450cfdc5e50216e9c53f3e294e932e660ce8520e0b5bc6579e925a0cc55f1ee406e1337c199089ce81058dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b0daf6723f6b90569a727715ecd0fea

SHA1
eb2aaa1cac8006d2d794775aa4829c9e51862067

SHA256
0793930829ee2877669e93ca5284da8509e03235e26369b6069ef04f99091acc

SHA512
37d0e62301fb657d139eb93243cda759414fcc2ff450cfdc5e50216e9c53f3e294e932e660ce8520e0b5bc6579e925a0cc55f1ee406e1337c199089ce81058dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
ecfdf385177b48aadb4dbfb8e163a17f

SHA1
43a29b98122d8c696012d1dbe762ebf7388914ec

SHA256
135c80366bf7fc3f4d08ec5bac1efb1b0e4393d23fe566e41cd3af6309fbc455

SHA512
d1bb4fa48e38ccf60ebb3556ca97b133bf348affd038530c15755911f85b9776f5ea40d742eab426784074e3dc95468958f7bfd9f6208a67e4191bbeae09cb66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b0daf6723f6b90569a727715ecd0fea

SHA1
eb2aaa1cac8006d2d794775aa4829c9e51862067

SHA256
0793930829ee2877669e93ca5284da8509e03235e26369b6069ef04f99091acc

SHA512
37d0e62301fb657d139eb93243cda759414fcc2ff450cfdc5e50216e9c53f3e294e932e660ce8520e0b5bc6579e925a0cc55f1ee406e1337c199089ce81058dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
ecfdf385177b48aadb4dbfb8e163a17f

SHA1
43a29b98122d8c696012d1dbe762ebf7388914ec

SHA256
135c80366bf7fc3f4d08ec5bac1efb1b0e4393d23fe566e41cd3af6309fbc455

SHA512
d1bb4fa48e38ccf60ebb3556ca97b133bf348affd038530c15755911f85b9776f5ea40d742eab426784074e3dc95468958f7bfd9f6208a67e4191bbeae09cb66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b0daf6723f6b90569a727715ecd0fea

SHA1
eb2aaa1cac8006d2d794775aa4829c9e51862067

SHA256
0793930829ee2877669e93ca5284da8509e03235e26369b6069ef04f99091acc

SHA512
37d0e62301fb657d139eb93243cda759414fcc2ff450cfdc5e50216e9c53f3e294e932e660ce8520e0b5bc6579e925a0cc55f1ee406e1337c199089ce81058dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b0daf6723f6b90569a727715ecd0fea

SHA1
eb2aaa1cac8006d2d794775aa4829c9e51862067

SHA256
0793930829ee2877669e93ca5284da8509e03235e26369b6069ef04f99091acc

SHA512
37d0e62301fb657d139eb93243cda759414fcc2ff450cfdc5e50216e9c53f3e294e932e660ce8520e0b5bc6579e925a0cc55f1ee406e1337c199089ce81058dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
ecfdf385177b48aadb4dbfb8e163a17f

SHA1
43a29b98122d8c696012d1dbe762ebf7388914ec

SHA256
135c80366bf7fc3f4d08ec5bac1efb1b0e4393d23fe566e41cd3af6309fbc455

SHA512
d1bb4fa48e38ccf60ebb3556ca97b133bf348affd038530c15755911f85b9776f5ea40d742eab426784074e3dc95468958f7bfd9f6208a67e4191bbeae09cb66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b0daf6723f6b90569a727715ecd0fea

SHA1
eb2aaa1cac8006d2d794775aa4829c9e51862067

SHA256
0793930829ee2877669e93ca5284da8509e03235e26369b6069ef04f99091acc

SHA512
37d0e62301fb657d139eb93243cda759414fcc2ff450cfdc5e50216e9c53f3e294e932e660ce8520e0b5bc6579e925a0cc55f1ee406e1337c199089ce81058dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
ecfdf385177b48aadb4dbfb8e163a17f

SHA1
43a29b98122d8c696012d1dbe762ebf7388914ec

SHA256
135c80366bf7fc3f4d08ec5bac1efb1b0e4393d23fe566e41cd3af6309fbc455

SHA512
d1bb4fa48e38ccf60ebb3556ca97b133bf348affd038530c15755911f85b9776f5ea40d742eab426784074e3dc95468958f7bfd9f6208a67e4191bbeae09cb66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b0daf6723f6b90569a727715ecd0fea

SHA1
eb2aaa1cac8006d2d794775aa4829c9e51862067

SHA256
0793930829ee2877669e93ca5284da8509e03235e26369b6069ef04f99091acc

SHA512
37d0e62301fb657d139eb93243cda759414fcc2ff450cfdc5e50216e9c53f3e294e932e660ce8520e0b5bc6579e925a0cc55f1ee406e1337c199089ce81058dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
ecfdf385177b48aadb4dbfb8e163a17f

SHA1
43a29b98122d8c696012d1dbe762ebf7388914ec

SHA256
135c80366bf7fc3f4d08ec5bac1efb1b0e4393d23fe566e41cd3af6309fbc455

SHA512
d1bb4fa48e38ccf60ebb3556ca97b133bf348affd038530c15755911f85b9776f5ea40d742eab426784074e3dc95468958f7bfd9f6208a67e4191bbeae09cb66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
ecfdf385177b48aadb4dbfb8e163a17f

SHA1
43a29b98122d8c696012d1dbe762ebf7388914ec

SHA256
135c80366bf7fc3f4d08ec5bac1efb1b0e4393d23fe566e41cd3af6309fbc455

SHA512
d1bb4fa48e38ccf60ebb3556ca97b133bf348affd038530c15755911f85b9776f5ea40d742eab426784074e3dc95468958f7bfd9f6208a67e4191bbeae09cb66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b0daf6723f6b90569a727715ecd0fea

SHA1
eb2aaa1cac8006d2d794775aa4829c9e51862067

SHA256
0793930829ee2877669e93ca5284da8509e03235e26369b6069ef04f99091acc

SHA512
37d0e62301fb657d139eb93243cda759414fcc2ff450cfdc5e50216e9c53f3e294e932e660ce8520e0b5bc6579e925a0cc55f1ee406e1337c199089ce81058dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b0daf6723f6b90569a727715ecd0fea

SHA1
eb2aaa1cac8006d2d794775aa4829c9e51862067

SHA256
0793930829ee2877669e93ca5284da8509e03235e26369b6069ef04f99091acc

SHA512
37d0e62301fb657d139eb93243cda759414fcc2ff450cfdc5e50216e9c53f3e294e932e660ce8520e0b5bc6579e925a0cc55f1ee406e1337c199089ce81058dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
ecfdf385177b48aadb4dbfb8e163a17f

SHA1
43a29b98122d8c696012d1dbe762ebf7388914ec

SHA256
135c80366bf7fc3f4d08ec5bac1efb1b0e4393d23fe566e41cd3af6309fbc455

SHA512
d1bb4fa48e38ccf60ebb3556ca97b133bf348affd038530c15755911f85b9776f5ea40d742eab426784074e3dc95468958f7bfd9f6208a67e4191bbeae09cb66

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
39dc98f39b94b78e46e12fde1d7b92f6

SHA1
b68f868836305a9ddf5a6b66b87eac2aa10ee80c

SHA256
d4d28717f6f2d08f4896373842c24d4fdef289d252ab03ed546ec38a714f40e6

SHA512
75a1e8792bdb7e1032ec6d5f12f62bafd3257922d3cd4fbbce86065d516b37261f5fa0c7d6170e015e4c22eb02ab3a9be0f6b8d9ad110eeed1d304a8812b0c11

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
39dc98f39b94b78e46e12fde1d7b92f6

SHA1
b68f868836305a9ddf5a6b66b87eac2aa10ee80c

SHA256
d4d28717f6f2d08f4896373842c24d4fdef289d252ab03ed546ec38a714f40e6

SHA512
75a1e8792bdb7e1032ec6d5f12f62bafd3257922d3cd4fbbce86065d516b37261f5fa0c7d6170e015e4c22eb02ab3a9be0f6b8d9ad110eeed1d304a8812b0c11

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
39dc98f39b94b78e46e12fde1d7b92f6

SHA1
b68f868836305a9ddf5a6b66b87eac2aa10ee80c

SHA256
d4d28717f6f2d08f4896373842c24d4fdef289d252ab03ed546ec38a714f40e6

SHA512
75a1e8792bdb7e1032ec6d5f12f62bafd3257922d3cd4fbbce86065d516b37261f5fa0c7d6170e015e4c22eb02ab3a9be0f6b8d9ad110eeed1d304a8812b0c11

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
39dc98f39b94b78e46e12fde1d7b92f6

SHA1
b68f868836305a9ddf5a6b66b87eac2aa10ee80c

SHA256
d4d28717f6f2d08f4896373842c24d4fdef289d252ab03ed546ec38a714f40e6

SHA512
75a1e8792bdb7e1032ec6d5f12f62bafd3257922d3cd4fbbce86065d516b37261f5fa0c7d6170e015e4c22eb02ab3a9be0f6b8d9ad110eeed1d304a8812b0c11

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
39dc98f39b94b78e46e12fde1d7b92f6

SHA1
b68f868836305a9ddf5a6b66b87eac2aa10ee80c

SHA256
d4d28717f6f2d08f4896373842c24d4fdef289d252ab03ed546ec38a714f40e6

SHA512
75a1e8792bdb7e1032ec6d5f12f62bafd3257922d3cd4fbbce86065d516b37261f5fa0c7d6170e015e4c22eb02ab3a9be0f6b8d9ad110eeed1d304a8812b0c11

Download Submit
memory/852-68-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/852-146-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/852-67-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1756-145-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1756-66-0x0000000002B00000-0x0000000002B7B000-memory.dmp

Filesize
492KB

Download
memory/1756-65-0x0000000002B00000-0x0000000002B7B000-memory.dmp

Filesize
492KB

Download
memory/1756-63-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1756-62-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads