41ff2f980f989002c9ea852fb1f85e13ca49511f4f9ec60e648d0cba3af121a5

Analysis

max time kernel
150s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16/05/2023, 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
Size

2.4MB
MD5

eb6fb42514e024e77236476da457c1d2
SHA1

c4321fadc4a7f634f278fef8b7b362ba906469da
SHA256

41ff2f980f989002c9ea852fb1f85e13ca49511f4f9ec60e648d0cba3af121a5
SHA512

558b5b855d81e08da0747a43fb04ddb88b509614f8d6c338f5b63a64596e0d56c76b6b0f7fa6b83e23529b7604278181dd3f62087893360c14c0695c7f9b31ce
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCQ:eEtl9mRda12sX7hKB8NIyXbacAfX

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
2016	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
2004	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
2004	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\L:	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File opened (read-only)	\??\R:	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File opened (read-only)	\??\Z:	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\X:	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\G:	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File opened (read-only)	\??\H:	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File opened (read-only)	\??\M:	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File opened (read-only)	\??\N:	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\E:	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File opened (read-only)	\??\F:	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\T:	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File opened (read-only)	\??\W:	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\S:	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File opened (read-only)	\??\Y:	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\A:	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File opened (read-only)	\??\I:	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File opened (read-only)	\??\K:	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File opened (read-only)	\??\Q:	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\J:	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File opened (read-only)	\??\P:	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File opened (read-only)	\??\V:	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\B:	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File opened (read-only)	\??\O:	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File opened (read-only)	\??\U:	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File opened (read-only)	\??\Y:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2016	2004	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe	27
PID 2004 wrote to memory of 2016	2004	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe	27
PID 2004 wrote to memory of 2016	2004	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe	27
PID 2004 wrote to memory of 2016	2004	2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe	27

C:\Users\Admin\AppData\Local\Temp\2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-15_eb6fb42514e024e77236476da457c1d2_ryuk.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\desktop.ini.exe

Filesize
2.4MB

MD5
205264c88fc4a58c29b9d35986dac13f

SHA1
0b19644a37dd56f42871dda5a06d8ddc26f046a7

SHA256
7f7028242b73fcaf3048bb2658703a1b56460a649b9aac34d0b988822872cffc

SHA512
9676aa5d6ceb68754393a62b67fb7db384d95e5a1879c5e6e1be6290916cdd1fce2992f09a415b4628f2a2fc1de1f23aa48d8fb528d60708335c23e8b399281e

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AutoRun.exe

Filesize
2.4MB

MD5
eb6fb42514e024e77236476da457c1d2

SHA1
c4321fadc4a7f634f278fef8b7b362ba906469da

SHA256
41ff2f980f989002c9ea852fb1f85e13ca49511f4f9ec60e648d0cba3af121a5

SHA512
558b5b855d81e08da0747a43fb04ddb88b509614f8d6c338f5b63a64596e0d56c76b6b0f7fa6b83e23529b7604278181dd3f62087893360c14c0695c7f9b31ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e9d38f4dceab124f5e41c1ae13b1842d

SHA1
2e4b7be865b0221bc33cae5ac1e109348c5e0034

SHA256
5fab8f75b7f98b7be525860cacc76b3970c22c6482193c600ba83631d9ccd675

SHA512
719dbdcdd8335d5fe0c656c9e460b3ffe239377f6002c3cc3c11df51e5f1c7df87f4f77b59a94f6df30bf3e7b48299ef84a7e70d37ec14a73f246fdabc651489

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e3682e75dc89d7efb6ca7b54efaa9dc6

SHA1
0b3107a17fbfa9be88e91d5e53bc63121b88fec9

SHA256
a4b774ce65e61b41faf706e126c9eb52ee008fe36e18285a4571ad093dcc895f

SHA512
399266bbaf9c7bf0e67a769432c262b6417fde7463702022bbf43951a3a1ce3dbd4b3bdfe382c4423f4edb7f67713337e1e1880bf1a9fe258dca42a0af1576e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e9d38f4dceab124f5e41c1ae13b1842d

SHA1
2e4b7be865b0221bc33cae5ac1e109348c5e0034

SHA256
5fab8f75b7f98b7be525860cacc76b3970c22c6482193c600ba83631d9ccd675

SHA512
719dbdcdd8335d5fe0c656c9e460b3ffe239377f6002c3cc3c11df51e5f1c7df87f4f77b59a94f6df30bf3e7b48299ef84a7e70d37ec14a73f246fdabc651489

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e3682e75dc89d7efb6ca7b54efaa9dc6

SHA1
0b3107a17fbfa9be88e91d5e53bc63121b88fec9

SHA256
a4b774ce65e61b41faf706e126c9eb52ee008fe36e18285a4571ad093dcc895f

SHA512
399266bbaf9c7bf0e67a769432c262b6417fde7463702022bbf43951a3a1ce3dbd4b3bdfe382c4423f4edb7f67713337e1e1880bf1a9fe258dca42a0af1576e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e9d38f4dceab124f5e41c1ae13b1842d

SHA1
2e4b7be865b0221bc33cae5ac1e109348c5e0034

SHA256
5fab8f75b7f98b7be525860cacc76b3970c22c6482193c600ba83631d9ccd675

SHA512
719dbdcdd8335d5fe0c656c9e460b3ffe239377f6002c3cc3c11df51e5f1c7df87f4f77b59a94f6df30bf3e7b48299ef84a7e70d37ec14a73f246fdabc651489

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e9d38f4dceab124f5e41c1ae13b1842d

SHA1
2e4b7be865b0221bc33cae5ac1e109348c5e0034

SHA256
5fab8f75b7f98b7be525860cacc76b3970c22c6482193c600ba83631d9ccd675

SHA512
719dbdcdd8335d5fe0c656c9e460b3ffe239377f6002c3cc3c11df51e5f1c7df87f4f77b59a94f6df30bf3e7b48299ef84a7e70d37ec14a73f246fdabc651489

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e3682e75dc89d7efb6ca7b54efaa9dc6

SHA1
0b3107a17fbfa9be88e91d5e53bc63121b88fec9

SHA256
a4b774ce65e61b41faf706e126c9eb52ee008fe36e18285a4571ad093dcc895f

SHA512
399266bbaf9c7bf0e67a769432c262b6417fde7463702022bbf43951a3a1ce3dbd4b3bdfe382c4423f4edb7f67713337e1e1880bf1a9fe258dca42a0af1576e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e9d38f4dceab124f5e41c1ae13b1842d

SHA1
2e4b7be865b0221bc33cae5ac1e109348c5e0034

SHA256
5fab8f75b7f98b7be525860cacc76b3970c22c6482193c600ba83631d9ccd675

SHA512
719dbdcdd8335d5fe0c656c9e460b3ffe239377f6002c3cc3c11df51e5f1c7df87f4f77b59a94f6df30bf3e7b48299ef84a7e70d37ec14a73f246fdabc651489

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e9d38f4dceab124f5e41c1ae13b1842d

SHA1
2e4b7be865b0221bc33cae5ac1e109348c5e0034

SHA256
5fab8f75b7f98b7be525860cacc76b3970c22c6482193c600ba83631d9ccd675

SHA512
719dbdcdd8335d5fe0c656c9e460b3ffe239377f6002c3cc3c11df51e5f1c7df87f4f77b59a94f6df30bf3e7b48299ef84a7e70d37ec14a73f246fdabc651489

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e3682e75dc89d7efb6ca7b54efaa9dc6

SHA1
0b3107a17fbfa9be88e91d5e53bc63121b88fec9

SHA256
a4b774ce65e61b41faf706e126c9eb52ee008fe36e18285a4571ad093dcc895f

SHA512
399266bbaf9c7bf0e67a769432c262b6417fde7463702022bbf43951a3a1ce3dbd4b3bdfe382c4423f4edb7f67713337e1e1880bf1a9fe258dca42a0af1576e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e3682e75dc89d7efb6ca7b54efaa9dc6

SHA1
0b3107a17fbfa9be88e91d5e53bc63121b88fec9

SHA256
a4b774ce65e61b41faf706e126c9eb52ee008fe36e18285a4571ad093dcc895f

SHA512
399266bbaf9c7bf0e67a769432c262b6417fde7463702022bbf43951a3a1ce3dbd4b3bdfe382c4423f4edb7f67713337e1e1880bf1a9fe258dca42a0af1576e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e3682e75dc89d7efb6ca7b54efaa9dc6

SHA1
0b3107a17fbfa9be88e91d5e53bc63121b88fec9

SHA256
a4b774ce65e61b41faf706e126c9eb52ee008fe36e18285a4571ad093dcc895f

SHA512
399266bbaf9c7bf0e67a769432c262b6417fde7463702022bbf43951a3a1ce3dbd4b3bdfe382c4423f4edb7f67713337e1e1880bf1a9fe258dca42a0af1576e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e3682e75dc89d7efb6ca7b54efaa9dc6

SHA1
0b3107a17fbfa9be88e91d5e53bc63121b88fec9

SHA256
a4b774ce65e61b41faf706e126c9eb52ee008fe36e18285a4571ad093dcc895f

SHA512
399266bbaf9c7bf0e67a769432c262b6417fde7463702022bbf43951a3a1ce3dbd4b3bdfe382c4423f4edb7f67713337e1e1880bf1a9fe258dca42a0af1576e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e3682e75dc89d7efb6ca7b54efaa9dc6

SHA1
0b3107a17fbfa9be88e91d5e53bc63121b88fec9

SHA256
a4b774ce65e61b41faf706e126c9eb52ee008fe36e18285a4571ad093dcc895f

SHA512
399266bbaf9c7bf0e67a769432c262b6417fde7463702022bbf43951a3a1ce3dbd4b3bdfe382c4423f4edb7f67713337e1e1880bf1a9fe258dca42a0af1576e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d2110832fdf41352592aaf71b70c45b1

SHA1
4fdc2650908c577cea6da48bc029bd0a4c19f545

SHA256
e3bc158ff4fee87c7a336a91d5101f89545804e3518942bb0c038317f4fedef6

SHA512
a1e77f27e703845c8f32994256e858d667f0156b12c4a9057ef8404b3857dea3440e78c8fa9d9033a9fa8b9043da5e055f7b5891cc7d6b7ed46ddbda0f8305b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e9d38f4dceab124f5e41c1ae13b1842d

SHA1
2e4b7be865b0221bc33cae5ac1e109348c5e0034

SHA256
5fab8f75b7f98b7be525860cacc76b3970c22c6482193c600ba83631d9ccd675

SHA512
719dbdcdd8335d5fe0c656c9e460b3ffe239377f6002c3cc3c11df51e5f1c7df87f4f77b59a94f6df30bf3e7b48299ef84a7e70d37ec14a73f246fdabc651489

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e9d38f4dceab124f5e41c1ae13b1842d

SHA1
2e4b7be865b0221bc33cae5ac1e109348c5e0034

SHA256
5fab8f75b7f98b7be525860cacc76b3970c22c6482193c600ba83631d9ccd675

SHA512
719dbdcdd8335d5fe0c656c9e460b3ffe239377f6002c3cc3c11df51e5f1c7df87f4f77b59a94f6df30bf3e7b48299ef84a7e70d37ec14a73f246fdabc651489

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e3682e75dc89d7efb6ca7b54efaa9dc6

SHA1
0b3107a17fbfa9be88e91d5e53bc63121b88fec9

SHA256
a4b774ce65e61b41faf706e126c9eb52ee008fe36e18285a4571ad093dcc895f

SHA512
399266bbaf9c7bf0e67a769432c262b6417fde7463702022bbf43951a3a1ce3dbd4b3bdfe382c4423f4edb7f67713337e1e1880bf1a9fe258dca42a0af1576e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e9d38f4dceab124f5e41c1ae13b1842d

SHA1
2e4b7be865b0221bc33cae5ac1e109348c5e0034

SHA256
5fab8f75b7f98b7be525860cacc76b3970c22c6482193c600ba83631d9ccd675

SHA512
719dbdcdd8335d5fe0c656c9e460b3ffe239377f6002c3cc3c11df51e5f1c7df87f4f77b59a94f6df30bf3e7b48299ef84a7e70d37ec14a73f246fdabc651489

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e9d38f4dceab124f5e41c1ae13b1842d

SHA1
2e4b7be865b0221bc33cae5ac1e109348c5e0034

SHA256
5fab8f75b7f98b7be525860cacc76b3970c22c6482193c600ba83631d9ccd675

SHA512
719dbdcdd8335d5fe0c656c9e460b3ffe239377f6002c3cc3c11df51e5f1c7df87f4f77b59a94f6df30bf3e7b48299ef84a7e70d37ec14a73f246fdabc651489

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e3682e75dc89d7efb6ca7b54efaa9dc6

SHA1
0b3107a17fbfa9be88e91d5e53bc63121b88fec9

SHA256
a4b774ce65e61b41faf706e126c9eb52ee008fe36e18285a4571ad093dcc895f

SHA512
399266bbaf9c7bf0e67a769432c262b6417fde7463702022bbf43951a3a1ce3dbd4b3bdfe382c4423f4edb7f67713337e1e1880bf1a9fe258dca42a0af1576e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e3682e75dc89d7efb6ca7b54efaa9dc6

SHA1
0b3107a17fbfa9be88e91d5e53bc63121b88fec9

SHA256
a4b774ce65e61b41faf706e126c9eb52ee008fe36e18285a4571ad093dcc895f

SHA512
399266bbaf9c7bf0e67a769432c262b6417fde7463702022bbf43951a3a1ce3dbd4b3bdfe382c4423f4edb7f67713337e1e1880bf1a9fe258dca42a0af1576e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e9d38f4dceab124f5e41c1ae13b1842d

SHA1
2e4b7be865b0221bc33cae5ac1e109348c5e0034

SHA256
5fab8f75b7f98b7be525860cacc76b3970c22c6482193c600ba83631d9ccd675

SHA512
719dbdcdd8335d5fe0c656c9e460b3ffe239377f6002c3cc3c11df51e5f1c7df87f4f77b59a94f6df30bf3e7b48299ef84a7e70d37ec14a73f246fdabc651489

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e9d38f4dceab124f5e41c1ae13b1842d

SHA1
2e4b7be865b0221bc33cae5ac1e109348c5e0034

SHA256
5fab8f75b7f98b7be525860cacc76b3970c22c6482193c600ba83631d9ccd675

SHA512
719dbdcdd8335d5fe0c656c9e460b3ffe239377f6002c3cc3c11df51e5f1c7df87f4f77b59a94f6df30bf3e7b48299ef84a7e70d37ec14a73f246fdabc651489

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e9d38f4dceab124f5e41c1ae13b1842d

SHA1
2e4b7be865b0221bc33cae5ac1e109348c5e0034

SHA256
5fab8f75b7f98b7be525860cacc76b3970c22c6482193c600ba83631d9ccd675

SHA512
719dbdcdd8335d5fe0c656c9e460b3ffe239377f6002c3cc3c11df51e5f1c7df87f4f77b59a94f6df30bf3e7b48299ef84a7e70d37ec14a73f246fdabc651489

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e9d38f4dceab124f5e41c1ae13b1842d

SHA1
2e4b7be865b0221bc33cae5ac1e109348c5e0034

SHA256
5fab8f75b7f98b7be525860cacc76b3970c22c6482193c600ba83631d9ccd675

SHA512
719dbdcdd8335d5fe0c656c9e460b3ffe239377f6002c3cc3c11df51e5f1c7df87f4f77b59a94f6df30bf3e7b48299ef84a7e70d37ec14a73f246fdabc651489

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e3682e75dc89d7efb6ca7b54efaa9dc6

SHA1
0b3107a17fbfa9be88e91d5e53bc63121b88fec9

SHA256
a4b774ce65e61b41faf706e126c9eb52ee008fe36e18285a4571ad093dcc895f

SHA512
399266bbaf9c7bf0e67a769432c262b6417fde7463702022bbf43951a3a1ce3dbd4b3bdfe382c4423f4edb7f67713337e1e1880bf1a9fe258dca42a0af1576e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e3682e75dc89d7efb6ca7b54efaa9dc6

SHA1
0b3107a17fbfa9be88e91d5e53bc63121b88fec9

SHA256
a4b774ce65e61b41faf706e126c9eb52ee008fe36e18285a4571ad093dcc895f

SHA512
399266bbaf9c7bf0e67a769432c262b6417fde7463702022bbf43951a3a1ce3dbd4b3bdfe382c4423f4edb7f67713337e1e1880bf1a9fe258dca42a0af1576e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e3682e75dc89d7efb6ca7b54efaa9dc6

SHA1
0b3107a17fbfa9be88e91d5e53bc63121b88fec9

SHA256
a4b774ce65e61b41faf706e126c9eb52ee008fe36e18285a4571ad093dcc895f

SHA512
399266bbaf9c7bf0e67a769432c262b6417fde7463702022bbf43951a3a1ce3dbd4b3bdfe382c4423f4edb7f67713337e1e1880bf1a9fe258dca42a0af1576e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
e3682e75dc89d7efb6ca7b54efaa9dc6

SHA1
0b3107a17fbfa9be88e91d5e53bc63121b88fec9

SHA256
a4b774ce65e61b41faf706e126c9eb52ee008fe36e18285a4571ad093dcc895f

SHA512
399266bbaf9c7bf0e67a769432c262b6417fde7463702022bbf43951a3a1ce3dbd4b3bdfe382c4423f4edb7f67713337e1e1880bf1a9fe258dca42a0af1576e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d2110832fdf41352592aaf71b70c45b1

SHA1
4fdc2650908c577cea6da48bc029bd0a4c19f545

SHA256
e3bc158ff4fee87c7a336a91d5101f89545804e3518942bb0c038317f4fedef6

SHA512
a1e77f27e703845c8f32994256e858d667f0156b12c4a9057ef8404b3857dea3440e78c8fa9d9033a9fa8b9043da5e055f7b5891cc7d6b7ed46ddbda0f8305b3

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
0c4fddaef5a664a708f6a382a6f5bc65

SHA1
9c7b78e7ad4d574d635452e072a816566db77603

SHA256
464ef662288c249036e9d8fbe507e7905e629847fd30e5068fcb13086c32a3de

SHA512
e27f84a2d0364870fd93b8e48b9db23d022152a9515b95f89a7b6bc2a19f1aada1078d228361277e960deb6c403c514bab07060045fe20c5f59fc0611e1d32d2

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
0c4fddaef5a664a708f6a382a6f5bc65

SHA1
9c7b78e7ad4d574d635452e072a816566db77603

SHA256
464ef662288c249036e9d8fbe507e7905e629847fd30e5068fcb13086c32a3de

SHA512
e27f84a2d0364870fd93b8e48b9db23d022152a9515b95f89a7b6bc2a19f1aada1078d228361277e960deb6c403c514bab07060045fe20c5f59fc0611e1d32d2

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
0c4fddaef5a664a708f6a382a6f5bc65

SHA1
9c7b78e7ad4d574d635452e072a816566db77603

SHA256
464ef662288c249036e9d8fbe507e7905e629847fd30e5068fcb13086c32a3de

SHA512
e27f84a2d0364870fd93b8e48b9db23d022152a9515b95f89a7b6bc2a19f1aada1078d228361277e960deb6c403c514bab07060045fe20c5f59fc0611e1d32d2

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
0c4fddaef5a664a708f6a382a6f5bc65

SHA1
9c7b78e7ad4d574d635452e072a816566db77603

SHA256
464ef662288c249036e9d8fbe507e7905e629847fd30e5068fcb13086c32a3de

SHA512
e27f84a2d0364870fd93b8e48b9db23d022152a9515b95f89a7b6bc2a19f1aada1078d228361277e960deb6c403c514bab07060045fe20c5f59fc0611e1d32d2

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
0c4fddaef5a664a708f6a382a6f5bc65

SHA1
9c7b78e7ad4d574d635452e072a816566db77603

SHA256
464ef662288c249036e9d8fbe507e7905e629847fd30e5068fcb13086c32a3de

SHA512
e27f84a2d0364870fd93b8e48b9db23d022152a9515b95f89a7b6bc2a19f1aada1078d228361277e960deb6c403c514bab07060045fe20c5f59fc0611e1d32d2

Download Submit
memory/2004-224-0x0000000000480000-0x00000000004FB000-memory.dmp

Filesize
492KB

Download
memory/2004-131-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2004-65-0x0000000000480000-0x00000000004FB000-memory.dmp

Filesize
492KB

Download
memory/2004-64-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2004-62-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2016-225-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2016-67-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2016-66-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads