8b79349353fe79cb8dff3abda030c85c66b076b6586e4b3f3bdc8b066ac4378a

Analysis

max time kernel
150s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22/05/2023, 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
Size

2.9MB
MD5

dad720134118b399f17310c458312126
SHA1

87ddc005c3aa815bb0a0ba95aecb5a081da6e955
SHA256

8b79349353fe79cb8dff3abda030c85c66b076b6586e4b3f3bdc8b066ac4378a
SHA512

b019e85b3155a9a84e38799c8ef269a785d8955bd0f29e6183ed7ba007e67f7c8ed181ce0cddf62ae8ee1dd658ddd4a711689cc1c4391c3fc2362202fd6392d1
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCN:eEtl9mRda12sX7hKB8NIyXbacAfw

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe

Executes dropped EXE 1 IoCs

pid	Process
1744	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
1060	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
1060	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\F:	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File opened (read-only)	\??\P:	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\R:	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File opened (read-only)	\??\W:	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File opened (read-only)	\??\Y:	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\H:	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File opened (read-only)	\??\M:	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File opened (read-only)	\??\O:	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File opened (read-only)	\??\V:	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\E:	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File opened (read-only)	\??\G:	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File opened (read-only)	\??\L:	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File opened (read-only)	\??\N:	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File opened (read-only)	\??\U:	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\J:	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File opened (read-only)	\??\K:	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File opened (read-only)	\??\T:	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File opened (read-only)	\??\X:	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File opened (read-only)	\??\Z:	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File opened (read-only)	\??\S:	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\B:	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File opened (read-only)	\??\I:	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File opened (read-only)	\??\Q:	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 1744	1060	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe	28
PID 1060 wrote to memory of 1744	1060	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe	28
PID 1060 wrote to memory of 1744	1060	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe	28
PID 1060 wrote to memory of 1744	1060	2023-05-21_dad720134118b399f17310c458312126_ryuk.exe	28

C:\Users\Admin\AppData\Local\Temp\2023-05-21_dad720134118b399f17310c458312126_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-21_dad720134118b399f17310c458312126_ryuk.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2961826002-3968192592-354541192-1000\desktop.ini.exe

Filesize
2.9MB

MD5
664e51566810a30ec3c978a7c9b7bbc6

SHA1
738a2e71565845f8e5cb2347d4b8189678fcf8fe

SHA256
52d5d8a951eef742cf650c8e075e6c73b206b629fb49aa2d3ff1a95064d582b0

SHA512
a109757d83c381b31517f6eb475d40d79db5e1c883fc1e33740ff1ab15c16aa451ef7abf0d1e0ec3e9eb605c8677fef28e1d2b544af9850ef938240a60460c8a

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AutoRun.exe

Filesize
2.9MB

MD5
dad720134118b399f17310c458312126

SHA1
87ddc005c3aa815bb0a0ba95aecb5a081da6e955

SHA256
8b79349353fe79cb8dff3abda030c85c66b076b6586e4b3f3bdc8b066ac4378a

SHA512
b019e85b3155a9a84e38799c8ef269a785d8955bd0f29e6183ed7ba007e67f7c8ed181ce0cddf62ae8ee1dd658ddd4a711689cc1c4391c3fc2362202fd6392d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
799bb11ae4a0b3c6c9d8cc2ea0bafaef

SHA1
5e8ada82f2c0c767ed1ed527ff4f54977b3732a7

SHA256
b5e9d7a4cb39d9cf24234af9f44926bc41d90c4692b26f4ad09aaf563c704867

SHA512
b60f701e6fe6fab7d013bf4208d6666419ae756ef346f7deb06cc2d9ee4117d363cd6793cb4aac6b6e1d5bf1c37d91c3f11c4d656d5250c0983f55285e93ad76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
799bb11ae4a0b3c6c9d8cc2ea0bafaef

SHA1
5e8ada82f2c0c767ed1ed527ff4f54977b3732a7

SHA256
b5e9d7a4cb39d9cf24234af9f44926bc41d90c4692b26f4ad09aaf563c704867

SHA512
b60f701e6fe6fab7d013bf4208d6666419ae756ef346f7deb06cc2d9ee4117d363cd6793cb4aac6b6e1d5bf1c37d91c3f11c4d656d5250c0983f55285e93ad76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
fe30e727c8157c7e15c2416fd9369f50

SHA1
af82841b9132b56d4c9789e88513c2cb92d7fb4d

SHA256
6658b61c6348240c21a388441122079ed69c444ab034976737b8f8bd19ac25a8

SHA512
8162fc65368049975823cf72f5b1846bd27865c93251ec5115034b8185d579f1af218a3436ea5b7b6405fb372c03c67b1828781b717fe5298455c44ca81261ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
fe30e727c8157c7e15c2416fd9369f50

SHA1
af82841b9132b56d4c9789e88513c2cb92d7fb4d

SHA256
6658b61c6348240c21a388441122079ed69c444ab034976737b8f8bd19ac25a8

SHA512
8162fc65368049975823cf72f5b1846bd27865c93251ec5115034b8185d579f1af218a3436ea5b7b6405fb372c03c67b1828781b717fe5298455c44ca81261ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
799bb11ae4a0b3c6c9d8cc2ea0bafaef

SHA1
5e8ada82f2c0c767ed1ed527ff4f54977b3732a7

SHA256
b5e9d7a4cb39d9cf24234af9f44926bc41d90c4692b26f4ad09aaf563c704867

SHA512
b60f701e6fe6fab7d013bf4208d6666419ae756ef346f7deb06cc2d9ee4117d363cd6793cb4aac6b6e1d5bf1c37d91c3f11c4d656d5250c0983f55285e93ad76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
799bb11ae4a0b3c6c9d8cc2ea0bafaef

SHA1
5e8ada82f2c0c767ed1ed527ff4f54977b3732a7

SHA256
b5e9d7a4cb39d9cf24234af9f44926bc41d90c4692b26f4ad09aaf563c704867

SHA512
b60f701e6fe6fab7d013bf4208d6666419ae756ef346f7deb06cc2d9ee4117d363cd6793cb4aac6b6e1d5bf1c37d91c3f11c4d656d5250c0983f55285e93ad76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
fe30e727c8157c7e15c2416fd9369f50

SHA1
af82841b9132b56d4c9789e88513c2cb92d7fb4d

SHA256
6658b61c6348240c21a388441122079ed69c444ab034976737b8f8bd19ac25a8

SHA512
8162fc65368049975823cf72f5b1846bd27865c93251ec5115034b8185d579f1af218a3436ea5b7b6405fb372c03c67b1828781b717fe5298455c44ca81261ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
fe30e727c8157c7e15c2416fd9369f50

SHA1
af82841b9132b56d4c9789e88513c2cb92d7fb4d

SHA256
6658b61c6348240c21a388441122079ed69c444ab034976737b8f8bd19ac25a8

SHA512
8162fc65368049975823cf72f5b1846bd27865c93251ec5115034b8185d579f1af218a3436ea5b7b6405fb372c03c67b1828781b717fe5298455c44ca81261ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
799bb11ae4a0b3c6c9d8cc2ea0bafaef

SHA1
5e8ada82f2c0c767ed1ed527ff4f54977b3732a7

SHA256
b5e9d7a4cb39d9cf24234af9f44926bc41d90c4692b26f4ad09aaf563c704867

SHA512
b60f701e6fe6fab7d013bf4208d6666419ae756ef346f7deb06cc2d9ee4117d363cd6793cb4aac6b6e1d5bf1c37d91c3f11c4d656d5250c0983f55285e93ad76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
799bb11ae4a0b3c6c9d8cc2ea0bafaef

SHA1
5e8ada82f2c0c767ed1ed527ff4f54977b3732a7

SHA256
b5e9d7a4cb39d9cf24234af9f44926bc41d90c4692b26f4ad09aaf563c704867

SHA512
b60f701e6fe6fab7d013bf4208d6666419ae756ef346f7deb06cc2d9ee4117d363cd6793cb4aac6b6e1d5bf1c37d91c3f11c4d656d5250c0983f55285e93ad76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
fe30e727c8157c7e15c2416fd9369f50

SHA1
af82841b9132b56d4c9789e88513c2cb92d7fb4d

SHA256
6658b61c6348240c21a388441122079ed69c444ab034976737b8f8bd19ac25a8

SHA512
8162fc65368049975823cf72f5b1846bd27865c93251ec5115034b8185d579f1af218a3436ea5b7b6405fb372c03c67b1828781b717fe5298455c44ca81261ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
799bb11ae4a0b3c6c9d8cc2ea0bafaef

SHA1
5e8ada82f2c0c767ed1ed527ff4f54977b3732a7

SHA256
b5e9d7a4cb39d9cf24234af9f44926bc41d90c4692b26f4ad09aaf563c704867

SHA512
b60f701e6fe6fab7d013bf4208d6666419ae756ef346f7deb06cc2d9ee4117d363cd6793cb4aac6b6e1d5bf1c37d91c3f11c4d656d5250c0983f55285e93ad76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
799bb11ae4a0b3c6c9d8cc2ea0bafaef

SHA1
5e8ada82f2c0c767ed1ed527ff4f54977b3732a7

SHA256
b5e9d7a4cb39d9cf24234af9f44926bc41d90c4692b26f4ad09aaf563c704867

SHA512
b60f701e6fe6fab7d013bf4208d6666419ae756ef346f7deb06cc2d9ee4117d363cd6793cb4aac6b6e1d5bf1c37d91c3f11c4d656d5250c0983f55285e93ad76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
799bb11ae4a0b3c6c9d8cc2ea0bafaef

SHA1
5e8ada82f2c0c767ed1ed527ff4f54977b3732a7

SHA256
b5e9d7a4cb39d9cf24234af9f44926bc41d90c4692b26f4ad09aaf563c704867

SHA512
b60f701e6fe6fab7d013bf4208d6666419ae756ef346f7deb06cc2d9ee4117d363cd6793cb4aac6b6e1d5bf1c37d91c3f11c4d656d5250c0983f55285e93ad76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
799bb11ae4a0b3c6c9d8cc2ea0bafaef

SHA1
5e8ada82f2c0c767ed1ed527ff4f54977b3732a7

SHA256
b5e9d7a4cb39d9cf24234af9f44926bc41d90c4692b26f4ad09aaf563c704867

SHA512
b60f701e6fe6fab7d013bf4208d6666419ae756ef346f7deb06cc2d9ee4117d363cd6793cb4aac6b6e1d5bf1c37d91c3f11c4d656d5250c0983f55285e93ad76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
799bb11ae4a0b3c6c9d8cc2ea0bafaef

SHA1
5e8ada82f2c0c767ed1ed527ff4f54977b3732a7

SHA256
b5e9d7a4cb39d9cf24234af9f44926bc41d90c4692b26f4ad09aaf563c704867

SHA512
b60f701e6fe6fab7d013bf4208d6666419ae756ef346f7deb06cc2d9ee4117d363cd6793cb4aac6b6e1d5bf1c37d91c3f11c4d656d5250c0983f55285e93ad76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
799bb11ae4a0b3c6c9d8cc2ea0bafaef

SHA1
5e8ada82f2c0c767ed1ed527ff4f54977b3732a7

SHA256
b5e9d7a4cb39d9cf24234af9f44926bc41d90c4692b26f4ad09aaf563c704867

SHA512
b60f701e6fe6fab7d013bf4208d6666419ae756ef346f7deb06cc2d9ee4117d363cd6793cb4aac6b6e1d5bf1c37d91c3f11c4d656d5250c0983f55285e93ad76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
fe30e727c8157c7e15c2416fd9369f50

SHA1
af82841b9132b56d4c9789e88513c2cb92d7fb4d

SHA256
6658b61c6348240c21a388441122079ed69c444ab034976737b8f8bd19ac25a8

SHA512
8162fc65368049975823cf72f5b1846bd27865c93251ec5115034b8185d579f1af218a3436ea5b7b6405fb372c03c67b1828781b717fe5298455c44ca81261ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
799bb11ae4a0b3c6c9d8cc2ea0bafaef

SHA1
5e8ada82f2c0c767ed1ed527ff4f54977b3732a7

SHA256
b5e9d7a4cb39d9cf24234af9f44926bc41d90c4692b26f4ad09aaf563c704867

SHA512
b60f701e6fe6fab7d013bf4208d6666419ae756ef346f7deb06cc2d9ee4117d363cd6793cb4aac6b6e1d5bf1c37d91c3f11c4d656d5250c0983f55285e93ad76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
fe30e727c8157c7e15c2416fd9369f50

SHA1
af82841b9132b56d4c9789e88513c2cb92d7fb4d

SHA256
6658b61c6348240c21a388441122079ed69c444ab034976737b8f8bd19ac25a8

SHA512
8162fc65368049975823cf72f5b1846bd27865c93251ec5115034b8185d579f1af218a3436ea5b7b6405fb372c03c67b1828781b717fe5298455c44ca81261ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
799bb11ae4a0b3c6c9d8cc2ea0bafaef

SHA1
5e8ada82f2c0c767ed1ed527ff4f54977b3732a7

SHA256
b5e9d7a4cb39d9cf24234af9f44926bc41d90c4692b26f4ad09aaf563c704867

SHA512
b60f701e6fe6fab7d013bf4208d6666419ae756ef346f7deb06cc2d9ee4117d363cd6793cb4aac6b6e1d5bf1c37d91c3f11c4d656d5250c0983f55285e93ad76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
799bb11ae4a0b3c6c9d8cc2ea0bafaef

SHA1
5e8ada82f2c0c767ed1ed527ff4f54977b3732a7

SHA256
b5e9d7a4cb39d9cf24234af9f44926bc41d90c4692b26f4ad09aaf563c704867

SHA512
b60f701e6fe6fab7d013bf4208d6666419ae756ef346f7deb06cc2d9ee4117d363cd6793cb4aac6b6e1d5bf1c37d91c3f11c4d656d5250c0983f55285e93ad76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
799bb11ae4a0b3c6c9d8cc2ea0bafaef

SHA1
5e8ada82f2c0c767ed1ed527ff4f54977b3732a7

SHA256
b5e9d7a4cb39d9cf24234af9f44926bc41d90c4692b26f4ad09aaf563c704867

SHA512
b60f701e6fe6fab7d013bf4208d6666419ae756ef346f7deb06cc2d9ee4117d363cd6793cb4aac6b6e1d5bf1c37d91c3f11c4d656d5250c0983f55285e93ad76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
799bb11ae4a0b3c6c9d8cc2ea0bafaef

SHA1
5e8ada82f2c0c767ed1ed527ff4f54977b3732a7

SHA256
b5e9d7a4cb39d9cf24234af9f44926bc41d90c4692b26f4ad09aaf563c704867

SHA512
b60f701e6fe6fab7d013bf4208d6666419ae756ef346f7deb06cc2d9ee4117d363cd6793cb4aac6b6e1d5bf1c37d91c3f11c4d656d5250c0983f55285e93ad76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
fe30e727c8157c7e15c2416fd9369f50

SHA1
af82841b9132b56d4c9789e88513c2cb92d7fb4d

SHA256
6658b61c6348240c21a388441122079ed69c444ab034976737b8f8bd19ac25a8

SHA512
8162fc65368049975823cf72f5b1846bd27865c93251ec5115034b8185d579f1af218a3436ea5b7b6405fb372c03c67b1828781b717fe5298455c44ca81261ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
fe30e727c8157c7e15c2416fd9369f50

SHA1
af82841b9132b56d4c9789e88513c2cb92d7fb4d

SHA256
6658b61c6348240c21a388441122079ed69c444ab034976737b8f8bd19ac25a8

SHA512
8162fc65368049975823cf72f5b1846bd27865c93251ec5115034b8185d579f1af218a3436ea5b7b6405fb372c03c67b1828781b717fe5298455c44ca81261ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
799bb11ae4a0b3c6c9d8cc2ea0bafaef

SHA1
5e8ada82f2c0c767ed1ed527ff4f54977b3732a7

SHA256
b5e9d7a4cb39d9cf24234af9f44926bc41d90c4692b26f4ad09aaf563c704867

SHA512
b60f701e6fe6fab7d013bf4208d6666419ae756ef346f7deb06cc2d9ee4117d363cd6793cb4aac6b6e1d5bf1c37d91c3f11c4d656d5250c0983f55285e93ad76

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.9MB

MD5
047774b67185e1934c4e4e46b7df804d

SHA1
281607c11e8e5309a07a5cfccd1e604a2a074e1c

SHA256
3540b5b2cc512b15221ffc41911d0899fe2e6fa31b16cfe5ee8a01266345b609

SHA512
3c5f4694e9aca9f66dc18f763fc85c51e69019e093ba6b4f8e76a245e3955a73d788f80c1b84e5c263219552a5020547173f24e2baad93fa87dd395f25c05628

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.9MB

MD5
047774b67185e1934c4e4e46b7df804d

SHA1
281607c11e8e5309a07a5cfccd1e604a2a074e1c

SHA256
3540b5b2cc512b15221ffc41911d0899fe2e6fa31b16cfe5ee8a01266345b609

SHA512
3c5f4694e9aca9f66dc18f763fc85c51e69019e093ba6b4f8e76a245e3955a73d788f80c1b84e5c263219552a5020547173f24e2baad93fa87dd395f25c05628

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.9MB

MD5
047774b67185e1934c4e4e46b7df804d

SHA1
281607c11e8e5309a07a5cfccd1e604a2a074e1c

SHA256
3540b5b2cc512b15221ffc41911d0899fe2e6fa31b16cfe5ee8a01266345b609

SHA512
3c5f4694e9aca9f66dc18f763fc85c51e69019e093ba6b4f8e76a245e3955a73d788f80c1b84e5c263219552a5020547173f24e2baad93fa87dd395f25c05628

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.9MB

MD5
047774b67185e1934c4e4e46b7df804d

SHA1
281607c11e8e5309a07a5cfccd1e604a2a074e1c

SHA256
3540b5b2cc512b15221ffc41911d0899fe2e6fa31b16cfe5ee8a01266345b609

SHA512
3c5f4694e9aca9f66dc18f763fc85c51e69019e093ba6b4f8e76a245e3955a73d788f80c1b84e5c263219552a5020547173f24e2baad93fa87dd395f25c05628

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.9MB

MD5
047774b67185e1934c4e4e46b7df804d

SHA1
281607c11e8e5309a07a5cfccd1e604a2a074e1c

SHA256
3540b5b2cc512b15221ffc41911d0899fe2e6fa31b16cfe5ee8a01266345b609

SHA512
3c5f4694e9aca9f66dc18f763fc85c51e69019e093ba6b4f8e76a245e3955a73d788f80c1b84e5c263219552a5020547173f24e2baad93fa87dd395f25c05628

Download Submit
memory/1060-63-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1060-120-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1060-64-0x0000000000770000-0x00000000007EB000-memory.dmp

Filesize
492KB

Download
memory/1060-62-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1744-121-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1744-67-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1744-66-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads