c2907371ed52ff06becd447d130a816ab9f197de9dc49dfd893b2810a645b2e5

Analysis

max time kernel
154s
max time network
32s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20/05/2023, 02:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
Size

2.5MB
MD5

550c61b68ca0df52cf33f94b11f8783b
SHA1

11bbcd899abea4cfc47e046dab45d5e455dd403d
SHA256

c2907371ed52ff06becd447d130a816ab9f197de9dc49dfd893b2810a645b2e5
SHA512

9878c2e88bb166f6e62e57e31d8251b92e10bfc12440e1e4d36d75e85f3fcae6c01c514d49ad49edbc4ae0c045b837732194bad27676fcf8fec6dd147b907f2c
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCZ:eEtl9mRda12sX7hKB8NIyXbacAfe

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe

Executes dropped EXE 1 IoCs

pid	Process
1224	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
836	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
836	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\F:	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\A:	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\B:	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
File opened (read-only)	\??\G:	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
File opened (read-only)	\??\K:	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
File opened (read-only)	\??\M:	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
File opened (read-only)	\??\N:	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
File opened (read-only)	\??\O:	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
File opened (read-only)	\??\X:	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
File opened (read-only)	\??\Z:	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\H:	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
File opened (read-only)	\??\I:	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
File opened (read-only)	\??\Q:	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
File opened (read-only)	\??\R:	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
File opened (read-only)	\??\S:	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\V:	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
File opened (read-only)	\??\Y:	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
File opened (read-only)	\??\J:	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
File opened (read-only)	\??\L:	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
File opened (read-only)	\??\U:	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\E:	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
File opened (read-only)	\??\P:	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
File opened (read-only)	\??\T:	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
File opened (read-only)	\??\W:	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 1224	836	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe	27
PID 836 wrote to memory of 1224	836	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe	27
PID 836 wrote to memory of 1224	836	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe	27
PID 836 wrote to memory of 1224	836	2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe	27

C:\Users\Admin\AppData\Local\Temp\2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-19_550c61b68ca0df52cf33f94b11f8783b_ryuk.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:836
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2961826002-3968192592-354541192-1000\desktop.ini.exe

Filesize
2.5MB

MD5
b67993f0399a6f65ca1f0427008ed997

SHA1
9955b7d9726041d2592440df589c845b8891b9d9

SHA256
520da0d75e9a20fc9e4c6b388dab8373098b2690a0db6d0a1e61148608651ec6

SHA512
67091ea041d6d7e31e73990ef8e3d69336442a3483f2471bcb93eda433e4ab35709b07293042a76054b586e882fac9eafd0789efc6a1c1919112c40ea5dc64d4

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AutoRun.exe

Filesize
2.5MB

MD5
d76a7c919d92052335246fe3b41681cc

SHA1
f16a332d6273e7d818e3a8a4a45f067d299774bc

SHA256
7a645eb34f911c311109fdf3b964a3b239c461d5b2888e19df29f636d3634e9a

SHA512
23e3ec04dae1037864f825a05ab5dd7f6d68078fb3c33526268aad5d383b1d9742e3ecaead255ba03af6b965ad87abdb4486feee8692d885d5690cab30151823

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1e1b2eab190d38d5443330a7b7d9afe2

SHA1
076f45c0748d45a1cf5a06d49e4fcb5e6d53dc3a

SHA256
84cce23f0b0e3868a98ee819dc237bc568f3071ccd956aee6cdb7efd45a34bd4

SHA512
b674b05d5b999349f1e548789bf6d0ae47afb653fbacd0fb5b2c1e5edb48e7546d7fdcb2fa466f1dbb59947ae1b98d985b62e53c1b72a0ee7fb52f91fe881bde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
8bc92ba62da4719941678b0da92210b5

SHA1
6808688362198ef2f03fab545a2259b69471029a

SHA256
19d5b198ea3b2716eda8de30fabca1415b92148db609a03b30771b7bb98a2d0a

SHA512
7a1a2560cda7b14e9739267b828427b09e849277efba6323b7fea083390c3c8c9f0d819dac93ac5138c7c87c1de06467a78b79a1686970f084e2f687b0d82d2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1e1b2eab190d38d5443330a7b7d9afe2

SHA1
076f45c0748d45a1cf5a06d49e4fcb5e6d53dc3a

SHA256
84cce23f0b0e3868a98ee819dc237bc568f3071ccd956aee6cdb7efd45a34bd4

SHA512
b674b05d5b999349f1e548789bf6d0ae47afb653fbacd0fb5b2c1e5edb48e7546d7fdcb2fa466f1dbb59947ae1b98d985b62e53c1b72a0ee7fb52f91fe881bde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
8bc92ba62da4719941678b0da92210b5

SHA1
6808688362198ef2f03fab545a2259b69471029a

SHA256
19d5b198ea3b2716eda8de30fabca1415b92148db609a03b30771b7bb98a2d0a

SHA512
7a1a2560cda7b14e9739267b828427b09e849277efba6323b7fea083390c3c8c9f0d819dac93ac5138c7c87c1de06467a78b79a1686970f084e2f687b0d82d2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1e1b2eab190d38d5443330a7b7d9afe2

SHA1
076f45c0748d45a1cf5a06d49e4fcb5e6d53dc3a

SHA256
84cce23f0b0e3868a98ee819dc237bc568f3071ccd956aee6cdb7efd45a34bd4

SHA512
b674b05d5b999349f1e548789bf6d0ae47afb653fbacd0fb5b2c1e5edb48e7546d7fdcb2fa466f1dbb59947ae1b98d985b62e53c1b72a0ee7fb52f91fe881bde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1e1b2eab190d38d5443330a7b7d9afe2

SHA1
076f45c0748d45a1cf5a06d49e4fcb5e6d53dc3a

SHA256
84cce23f0b0e3868a98ee819dc237bc568f3071ccd956aee6cdb7efd45a34bd4

SHA512
b674b05d5b999349f1e548789bf6d0ae47afb653fbacd0fb5b2c1e5edb48e7546d7fdcb2fa466f1dbb59947ae1b98d985b62e53c1b72a0ee7fb52f91fe881bde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
8bc92ba62da4719941678b0da92210b5

SHA1
6808688362198ef2f03fab545a2259b69471029a

SHA256
19d5b198ea3b2716eda8de30fabca1415b92148db609a03b30771b7bb98a2d0a

SHA512
7a1a2560cda7b14e9739267b828427b09e849277efba6323b7fea083390c3c8c9f0d819dac93ac5138c7c87c1de06467a78b79a1686970f084e2f687b0d82d2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1e1b2eab190d38d5443330a7b7d9afe2

SHA1
076f45c0748d45a1cf5a06d49e4fcb5e6d53dc3a

SHA256
84cce23f0b0e3868a98ee819dc237bc568f3071ccd956aee6cdb7efd45a34bd4

SHA512
b674b05d5b999349f1e548789bf6d0ae47afb653fbacd0fb5b2c1e5edb48e7546d7fdcb2fa466f1dbb59947ae1b98d985b62e53c1b72a0ee7fb52f91fe881bde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1e1b2eab190d38d5443330a7b7d9afe2

SHA1
076f45c0748d45a1cf5a06d49e4fcb5e6d53dc3a

SHA256
84cce23f0b0e3868a98ee819dc237bc568f3071ccd956aee6cdb7efd45a34bd4

SHA512
b674b05d5b999349f1e548789bf6d0ae47afb653fbacd0fb5b2c1e5edb48e7546d7fdcb2fa466f1dbb59947ae1b98d985b62e53c1b72a0ee7fb52f91fe881bde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1e1b2eab190d38d5443330a7b7d9afe2

SHA1
076f45c0748d45a1cf5a06d49e4fcb5e6d53dc3a

SHA256
84cce23f0b0e3868a98ee819dc237bc568f3071ccd956aee6cdb7efd45a34bd4

SHA512
b674b05d5b999349f1e548789bf6d0ae47afb653fbacd0fb5b2c1e5edb48e7546d7fdcb2fa466f1dbb59947ae1b98d985b62e53c1b72a0ee7fb52f91fe881bde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f127181d1edc3e2ca49b7a012b989340

SHA1
c996c615c8bf1789cce4d705ee7bddff1640b54a

SHA256
0f996772304d6c534ac4931309f6c411c7c01af8394d6161712f69dc47b01715

SHA512
324e802624b82449f758b1dac341b391fab0852a85e6e80718259c04f28c96ae767bd846513243abfa7be53e26dee9c4884906add8dd8075f2666308a700b9a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f127181d1edc3e2ca49b7a012b989340

SHA1
c996c615c8bf1789cce4d705ee7bddff1640b54a

SHA256
0f996772304d6c534ac4931309f6c411c7c01af8394d6161712f69dc47b01715

SHA512
324e802624b82449f758b1dac341b391fab0852a85e6e80718259c04f28c96ae767bd846513243abfa7be53e26dee9c4884906add8dd8075f2666308a700b9a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1e1b2eab190d38d5443330a7b7d9afe2

SHA1
076f45c0748d45a1cf5a06d49e4fcb5e6d53dc3a

SHA256
84cce23f0b0e3868a98ee819dc237bc568f3071ccd956aee6cdb7efd45a34bd4

SHA512
b674b05d5b999349f1e548789bf6d0ae47afb653fbacd0fb5b2c1e5edb48e7546d7fdcb2fa466f1dbb59947ae1b98d985b62e53c1b72a0ee7fb52f91fe881bde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
8bc92ba62da4719941678b0da92210b5

SHA1
6808688362198ef2f03fab545a2259b69471029a

SHA256
19d5b198ea3b2716eda8de30fabca1415b92148db609a03b30771b7bb98a2d0a

SHA512
7a1a2560cda7b14e9739267b828427b09e849277efba6323b7fea083390c3c8c9f0d819dac93ac5138c7c87c1de06467a78b79a1686970f084e2f687b0d82d2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
8bc92ba62da4719941678b0da92210b5

SHA1
6808688362198ef2f03fab545a2259b69471029a

SHA256
19d5b198ea3b2716eda8de30fabca1415b92148db609a03b30771b7bb98a2d0a

SHA512
7a1a2560cda7b14e9739267b828427b09e849277efba6323b7fea083390c3c8c9f0d819dac93ac5138c7c87c1de06467a78b79a1686970f084e2f687b0d82d2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
8bc92ba62da4719941678b0da92210b5

SHA1
6808688362198ef2f03fab545a2259b69471029a

SHA256
19d5b198ea3b2716eda8de30fabca1415b92148db609a03b30771b7bb98a2d0a

SHA512
7a1a2560cda7b14e9739267b828427b09e849277efba6323b7fea083390c3c8c9f0d819dac93ac5138c7c87c1de06467a78b79a1686970f084e2f687b0d82d2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
8bc92ba62da4719941678b0da92210b5

SHA1
6808688362198ef2f03fab545a2259b69471029a

SHA256
19d5b198ea3b2716eda8de30fabca1415b92148db609a03b30771b7bb98a2d0a

SHA512
7a1a2560cda7b14e9739267b828427b09e849277efba6323b7fea083390c3c8c9f0d819dac93ac5138c7c87c1de06467a78b79a1686970f084e2f687b0d82d2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1e1b2eab190d38d5443330a7b7d9afe2

SHA1
076f45c0748d45a1cf5a06d49e4fcb5e6d53dc3a

SHA256
84cce23f0b0e3868a98ee819dc237bc568f3071ccd956aee6cdb7efd45a34bd4

SHA512
b674b05d5b999349f1e548789bf6d0ae47afb653fbacd0fb5b2c1e5edb48e7546d7fdcb2fa466f1dbb59947ae1b98d985b62e53c1b72a0ee7fb52f91fe881bde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
8bc92ba62da4719941678b0da92210b5

SHA1
6808688362198ef2f03fab545a2259b69471029a

SHA256
19d5b198ea3b2716eda8de30fabca1415b92148db609a03b30771b7bb98a2d0a

SHA512
7a1a2560cda7b14e9739267b828427b09e849277efba6323b7fea083390c3c8c9f0d819dac93ac5138c7c87c1de06467a78b79a1686970f084e2f687b0d82d2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
8bc92ba62da4719941678b0da92210b5

SHA1
6808688362198ef2f03fab545a2259b69471029a

SHA256
19d5b198ea3b2716eda8de30fabca1415b92148db609a03b30771b7bb98a2d0a

SHA512
7a1a2560cda7b14e9739267b828427b09e849277efba6323b7fea083390c3c8c9f0d819dac93ac5138c7c87c1de06467a78b79a1686970f084e2f687b0d82d2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
8bc92ba62da4719941678b0da92210b5

SHA1
6808688362198ef2f03fab545a2259b69471029a

SHA256
19d5b198ea3b2716eda8de30fabca1415b92148db609a03b30771b7bb98a2d0a

SHA512
7a1a2560cda7b14e9739267b828427b09e849277efba6323b7fea083390c3c8c9f0d819dac93ac5138c7c87c1de06467a78b79a1686970f084e2f687b0d82d2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
8bc92ba62da4719941678b0da92210b5

SHA1
6808688362198ef2f03fab545a2259b69471029a

SHA256
19d5b198ea3b2716eda8de30fabca1415b92148db609a03b30771b7bb98a2d0a

SHA512
7a1a2560cda7b14e9739267b828427b09e849277efba6323b7fea083390c3c8c9f0d819dac93ac5138c7c87c1de06467a78b79a1686970f084e2f687b0d82d2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1e1b2eab190d38d5443330a7b7d9afe2

SHA1
076f45c0748d45a1cf5a06d49e4fcb5e6d53dc3a

SHA256
84cce23f0b0e3868a98ee819dc237bc568f3071ccd956aee6cdb7efd45a34bd4

SHA512
b674b05d5b999349f1e548789bf6d0ae47afb653fbacd0fb5b2c1e5edb48e7546d7fdcb2fa466f1dbb59947ae1b98d985b62e53c1b72a0ee7fb52f91fe881bde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
8bc92ba62da4719941678b0da92210b5

SHA1
6808688362198ef2f03fab545a2259b69471029a

SHA256
19d5b198ea3b2716eda8de30fabca1415b92148db609a03b30771b7bb98a2d0a

SHA512
7a1a2560cda7b14e9739267b828427b09e849277efba6323b7fea083390c3c8c9f0d819dac93ac5138c7c87c1de06467a78b79a1686970f084e2f687b0d82d2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1e1b2eab190d38d5443330a7b7d9afe2

SHA1
076f45c0748d45a1cf5a06d49e4fcb5e6d53dc3a

SHA256
84cce23f0b0e3868a98ee819dc237bc568f3071ccd956aee6cdb7efd45a34bd4

SHA512
b674b05d5b999349f1e548789bf6d0ae47afb653fbacd0fb5b2c1e5edb48e7546d7fdcb2fa466f1dbb59947ae1b98d985b62e53c1b72a0ee7fb52f91fe881bde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
8bc92ba62da4719941678b0da92210b5

SHA1
6808688362198ef2f03fab545a2259b69471029a

SHA256
19d5b198ea3b2716eda8de30fabca1415b92148db609a03b30771b7bb98a2d0a

SHA512
7a1a2560cda7b14e9739267b828427b09e849277efba6323b7fea083390c3c8c9f0d819dac93ac5138c7c87c1de06467a78b79a1686970f084e2f687b0d82d2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
8bc92ba62da4719941678b0da92210b5

SHA1
6808688362198ef2f03fab545a2259b69471029a

SHA256
19d5b198ea3b2716eda8de30fabca1415b92148db609a03b30771b7bb98a2d0a

SHA512
7a1a2560cda7b14e9739267b828427b09e849277efba6323b7fea083390c3c8c9f0d819dac93ac5138c7c87c1de06467a78b79a1686970f084e2f687b0d82d2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1e1b2eab190d38d5443330a7b7d9afe2

SHA1
076f45c0748d45a1cf5a06d49e4fcb5e6d53dc3a

SHA256
84cce23f0b0e3868a98ee819dc237bc568f3071ccd956aee6cdb7efd45a34bd4

SHA512
b674b05d5b999349f1e548789bf6d0ae47afb653fbacd0fb5b2c1e5edb48e7546d7fdcb2fa466f1dbb59947ae1b98d985b62e53c1b72a0ee7fb52f91fe881bde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
8bc92ba62da4719941678b0da92210b5

SHA1
6808688362198ef2f03fab545a2259b69471029a

SHA256
19d5b198ea3b2716eda8de30fabca1415b92148db609a03b30771b7bb98a2d0a

SHA512
7a1a2560cda7b14e9739267b828427b09e849277efba6323b7fea083390c3c8c9f0d819dac93ac5138c7c87c1de06467a78b79a1686970f084e2f687b0d82d2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f127181d1edc3e2ca49b7a012b989340

SHA1
c996c615c8bf1789cce4d705ee7bddff1640b54a

SHA256
0f996772304d6c534ac4931309f6c411c7c01af8394d6161712f69dc47b01715

SHA512
324e802624b82449f758b1dac341b391fab0852a85e6e80718259c04f28c96ae767bd846513243abfa7be53e26dee9c4884906add8dd8075f2666308a700b9a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
8bc92ba62da4719941678b0da92210b5

SHA1
6808688362198ef2f03fab545a2259b69471029a

SHA256
19d5b198ea3b2716eda8de30fabca1415b92148db609a03b30771b7bb98a2d0a

SHA512
7a1a2560cda7b14e9739267b828427b09e849277efba6323b7fea083390c3c8c9f0d819dac93ac5138c7c87c1de06467a78b79a1686970f084e2f687b0d82d2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
8bc92ba62da4719941678b0da92210b5

SHA1
6808688362198ef2f03fab545a2259b69471029a

SHA256
19d5b198ea3b2716eda8de30fabca1415b92148db609a03b30771b7bb98a2d0a

SHA512
7a1a2560cda7b14e9739267b828427b09e849277efba6323b7fea083390c3c8c9f0d819dac93ac5138c7c87c1de06467a78b79a1686970f084e2f687b0d82d2d

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.5MB

MD5
d76a7c919d92052335246fe3b41681cc

SHA1
f16a332d6273e7d818e3a8a4a45f067d299774bc

SHA256
7a645eb34f911c311109fdf3b964a3b239c461d5b2888e19df29f636d3634e9a

SHA512
23e3ec04dae1037864f825a05ab5dd7f6d68078fb3c33526268aad5d383b1d9742e3ecaead255ba03af6b965ad87abdb4486feee8692d885d5690cab30151823

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.5MB

MD5
d76a7c919d92052335246fe3b41681cc

SHA1
f16a332d6273e7d818e3a8a4a45f067d299774bc

SHA256
7a645eb34f911c311109fdf3b964a3b239c461d5b2888e19df29f636d3634e9a

SHA512
23e3ec04dae1037864f825a05ab5dd7f6d68078fb3c33526268aad5d383b1d9742e3ecaead255ba03af6b965ad87abdb4486feee8692d885d5690cab30151823

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.5MB

MD5
d76a7c919d92052335246fe3b41681cc

SHA1
f16a332d6273e7d818e3a8a4a45f067d299774bc

SHA256
7a645eb34f911c311109fdf3b964a3b239c461d5b2888e19df29f636d3634e9a

SHA512
23e3ec04dae1037864f825a05ab5dd7f6d68078fb3c33526268aad5d383b1d9742e3ecaead255ba03af6b965ad87abdb4486feee8692d885d5690cab30151823

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.5MB

MD5
d76a7c919d92052335246fe3b41681cc

SHA1
f16a332d6273e7d818e3a8a4a45f067d299774bc

SHA256
7a645eb34f911c311109fdf3b964a3b239c461d5b2888e19df29f636d3634e9a

SHA512
23e3ec04dae1037864f825a05ab5dd7f6d68078fb3c33526268aad5d383b1d9742e3ecaead255ba03af6b965ad87abdb4486feee8692d885d5690cab30151823

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.5MB

MD5
d76a7c919d92052335246fe3b41681cc

SHA1
f16a332d6273e7d818e3a8a4a45f067d299774bc

SHA256
7a645eb34f911c311109fdf3b964a3b239c461d5b2888e19df29f636d3634e9a

SHA512
23e3ec04dae1037864f825a05ab5dd7f6d68078fb3c33526268aad5d383b1d9742e3ecaead255ba03af6b965ad87abdb4486feee8692d885d5690cab30151823

Download Submit
memory/836-114-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/836-66-0x0000000000480000-0x00000000004FB000-memory.dmp

Filesize
492KB

Download
memory/836-58-0x0000000000480000-0x00000000004FB000-memory.dmp

Filesize
492KB

Download
memory/836-57-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/836-56-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1224-68-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1224-115-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1224-67-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads