d8c57e5c4eb091474db1e65a7fd85b43c1656ebe5f5868e7f56b54b95483c2a0

Analysis

max time kernel
155s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23/05/2023, 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
Size

4.4MB
MD5

cb773320abdd02921cdd88a9483c6621
SHA1

73ed601c8fd4c92a91d10950d572203a0ebc88c8
SHA256

d8c57e5c4eb091474db1e65a7fd85b43c1656ebe5f5868e7f56b54b95483c2a0
SHA512

a342f625d6a3d631b443686af7661d9c6e3cffb4b07a4d2cd674c800410290faf6f10245fb066adff65e651ef107282e2359f5aca359dd38b7e9d95032dac0f7
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCl:eEtl9mRda12sX7hKB8NIyXbacAfW5

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
1036	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
1628	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
1628	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\E:	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
File opened (read-only)	\??\H:	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
File opened (read-only)	\??\O:	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
File opened (read-only)	\??\Q:	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
File opened (read-only)	\??\S:	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\K:	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
File opened (read-only)	\??\T:	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
File opened (read-only)	\??\W:	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
File opened (read-only)	\??\Z:	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\L:	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
File opened (read-only)	\??\P:	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
File opened (read-only)	\??\V:	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\A:	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
File opened (read-only)	\??\N:	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
File opened (read-only)	\??\Y:	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\F:	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
File opened (read-only)	\??\M:	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\B:	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
File opened (read-only)	\??\R:	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\I:	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
File opened (read-only)	\??\J:	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\G:	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
File opened (read-only)	\??\U:	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
File opened (read-only)	\??\X:	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1036	1628	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe	27
PID 1628 wrote to memory of 1036	1628	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe	27
PID 1628 wrote to memory of 1036	1628	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe	27
PID 1628 wrote to memory of 1036	1628	2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe	27

C:\Users\Admin\AppData\Local\Temp\2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-22_cb773320abdd02921cdd88a9483c6621_ryuk.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\desktop.ini.exe

Filesize
4.4MB

MD5
6bdb366dcb9dd9c3233121bcbc50cbcc

SHA1
0b34709e26c5897707910d727ca6b10ec4135198

SHA256
86806fbd026f684c8e6f7b10974972d38c1b5972895f791cddc66d46102cd315

SHA512
d9962bc07fb1f534268b95fc5921614210ce5e80802da392723216132811ebf9166eb05f8109eaacf3a75a5cccc7b2a36168dd812aaf0a27fec561155653cf97

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AutoRun.exe

Filesize
4.4MB

MD5
cb773320abdd02921cdd88a9483c6621

SHA1
73ed601c8fd4c92a91d10950d572203a0ebc88c8

SHA256
d8c57e5c4eb091474db1e65a7fd85b43c1656ebe5f5868e7f56b54b95483c2a0

SHA512
a342f625d6a3d631b443686af7661d9c6e3cffb4b07a4d2cd674c800410290faf6f10245fb066adff65e651ef107282e2359f5aca359dd38b7e9d95032dac0f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
293fd726287d831877d90ae1bbb77b48

SHA1
336645d6b828750e02020711e2163fdff0e77167

SHA256
d3c3ebd6b2ed2ab1a6d50f818dd90eb6cf0572cbb394449b645de987e8c6cfd5

SHA512
58fbd0f9c3accc0a3ac855bf4730f33883723640768422083e00e94a7eda0613d5a749f1234ed46bdd46809b836c8e6a78f1fbcb39a6a6726af0f876ec03710a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4e9757db61858b92c91e8b49a5c0027c

SHA1
526285a7b645727ec4169863e4ca17a9ef147902

SHA256
84dd0fde217459f5528cedd7ab6ab1ab62b1945137a88a05fb79665dfd8c0631

SHA512
c5337fc9ae4443c1b11f30fe56bf492b9622bae076dcef9d2ffab5c00364772494ab87ec6631d00e02ab73d7c58791780e399d1910a35db76436e2e082787cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
293fd726287d831877d90ae1bbb77b48

SHA1
336645d6b828750e02020711e2163fdff0e77167

SHA256
d3c3ebd6b2ed2ab1a6d50f818dd90eb6cf0572cbb394449b645de987e8c6cfd5

SHA512
58fbd0f9c3accc0a3ac855bf4730f33883723640768422083e00e94a7eda0613d5a749f1234ed46bdd46809b836c8e6a78f1fbcb39a6a6726af0f876ec03710a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4e9757db61858b92c91e8b49a5c0027c

SHA1
526285a7b645727ec4169863e4ca17a9ef147902

SHA256
84dd0fde217459f5528cedd7ab6ab1ab62b1945137a88a05fb79665dfd8c0631

SHA512
c5337fc9ae4443c1b11f30fe56bf492b9622bae076dcef9d2ffab5c00364772494ab87ec6631d00e02ab73d7c58791780e399d1910a35db76436e2e082787cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4e9757db61858b92c91e8b49a5c0027c

SHA1
526285a7b645727ec4169863e4ca17a9ef147902

SHA256
84dd0fde217459f5528cedd7ab6ab1ab62b1945137a88a05fb79665dfd8c0631

SHA512
c5337fc9ae4443c1b11f30fe56bf492b9622bae076dcef9d2ffab5c00364772494ab87ec6631d00e02ab73d7c58791780e399d1910a35db76436e2e082787cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
293fd726287d831877d90ae1bbb77b48

SHA1
336645d6b828750e02020711e2163fdff0e77167

SHA256
d3c3ebd6b2ed2ab1a6d50f818dd90eb6cf0572cbb394449b645de987e8c6cfd5

SHA512
58fbd0f9c3accc0a3ac855bf4730f33883723640768422083e00e94a7eda0613d5a749f1234ed46bdd46809b836c8e6a78f1fbcb39a6a6726af0f876ec03710a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
293fd726287d831877d90ae1bbb77b48

SHA1
336645d6b828750e02020711e2163fdff0e77167

SHA256
d3c3ebd6b2ed2ab1a6d50f818dd90eb6cf0572cbb394449b645de987e8c6cfd5

SHA512
58fbd0f9c3accc0a3ac855bf4730f33883723640768422083e00e94a7eda0613d5a749f1234ed46bdd46809b836c8e6a78f1fbcb39a6a6726af0f876ec03710a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4e9757db61858b92c91e8b49a5c0027c

SHA1
526285a7b645727ec4169863e4ca17a9ef147902

SHA256
84dd0fde217459f5528cedd7ab6ab1ab62b1945137a88a05fb79665dfd8c0631

SHA512
c5337fc9ae4443c1b11f30fe56bf492b9622bae076dcef9d2ffab5c00364772494ab87ec6631d00e02ab73d7c58791780e399d1910a35db76436e2e082787cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
293fd726287d831877d90ae1bbb77b48

SHA1
336645d6b828750e02020711e2163fdff0e77167

SHA256
d3c3ebd6b2ed2ab1a6d50f818dd90eb6cf0572cbb394449b645de987e8c6cfd5

SHA512
58fbd0f9c3accc0a3ac855bf4730f33883723640768422083e00e94a7eda0613d5a749f1234ed46bdd46809b836c8e6a78f1fbcb39a6a6726af0f876ec03710a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4e9757db61858b92c91e8b49a5c0027c

SHA1
526285a7b645727ec4169863e4ca17a9ef147902

SHA256
84dd0fde217459f5528cedd7ab6ab1ab62b1945137a88a05fb79665dfd8c0631

SHA512
c5337fc9ae4443c1b11f30fe56bf492b9622bae076dcef9d2ffab5c00364772494ab87ec6631d00e02ab73d7c58791780e399d1910a35db76436e2e082787cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4e9757db61858b92c91e8b49a5c0027c

SHA1
526285a7b645727ec4169863e4ca17a9ef147902

SHA256
84dd0fde217459f5528cedd7ab6ab1ab62b1945137a88a05fb79665dfd8c0631

SHA512
c5337fc9ae4443c1b11f30fe56bf492b9622bae076dcef9d2ffab5c00364772494ab87ec6631d00e02ab73d7c58791780e399d1910a35db76436e2e082787cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
293fd726287d831877d90ae1bbb77b48

SHA1
336645d6b828750e02020711e2163fdff0e77167

SHA256
d3c3ebd6b2ed2ab1a6d50f818dd90eb6cf0572cbb394449b645de987e8c6cfd5

SHA512
58fbd0f9c3accc0a3ac855bf4730f33883723640768422083e00e94a7eda0613d5a749f1234ed46bdd46809b836c8e6a78f1fbcb39a6a6726af0f876ec03710a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4e9757db61858b92c91e8b49a5c0027c

SHA1
526285a7b645727ec4169863e4ca17a9ef147902

SHA256
84dd0fde217459f5528cedd7ab6ab1ab62b1945137a88a05fb79665dfd8c0631

SHA512
c5337fc9ae4443c1b11f30fe56bf492b9622bae076dcef9d2ffab5c00364772494ab87ec6631d00e02ab73d7c58791780e399d1910a35db76436e2e082787cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
293fd726287d831877d90ae1bbb77b48

SHA1
336645d6b828750e02020711e2163fdff0e77167

SHA256
d3c3ebd6b2ed2ab1a6d50f818dd90eb6cf0572cbb394449b645de987e8c6cfd5

SHA512
58fbd0f9c3accc0a3ac855bf4730f33883723640768422083e00e94a7eda0613d5a749f1234ed46bdd46809b836c8e6a78f1fbcb39a6a6726af0f876ec03710a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
293fd726287d831877d90ae1bbb77b48

SHA1
336645d6b828750e02020711e2163fdff0e77167

SHA256
d3c3ebd6b2ed2ab1a6d50f818dd90eb6cf0572cbb394449b645de987e8c6cfd5

SHA512
58fbd0f9c3accc0a3ac855bf4730f33883723640768422083e00e94a7eda0613d5a749f1234ed46bdd46809b836c8e6a78f1fbcb39a6a6726af0f876ec03710a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
293fd726287d831877d90ae1bbb77b48

SHA1
336645d6b828750e02020711e2163fdff0e77167

SHA256
d3c3ebd6b2ed2ab1a6d50f818dd90eb6cf0572cbb394449b645de987e8c6cfd5

SHA512
58fbd0f9c3accc0a3ac855bf4730f33883723640768422083e00e94a7eda0613d5a749f1234ed46bdd46809b836c8e6a78f1fbcb39a6a6726af0f876ec03710a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4e9757db61858b92c91e8b49a5c0027c

SHA1
526285a7b645727ec4169863e4ca17a9ef147902

SHA256
84dd0fde217459f5528cedd7ab6ab1ab62b1945137a88a05fb79665dfd8c0631

SHA512
c5337fc9ae4443c1b11f30fe56bf492b9622bae076dcef9d2ffab5c00364772494ab87ec6631d00e02ab73d7c58791780e399d1910a35db76436e2e082787cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
293fd726287d831877d90ae1bbb77b48

SHA1
336645d6b828750e02020711e2163fdff0e77167

SHA256
d3c3ebd6b2ed2ab1a6d50f818dd90eb6cf0572cbb394449b645de987e8c6cfd5

SHA512
58fbd0f9c3accc0a3ac855bf4730f33883723640768422083e00e94a7eda0613d5a749f1234ed46bdd46809b836c8e6a78f1fbcb39a6a6726af0f876ec03710a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4e9757db61858b92c91e8b49a5c0027c

SHA1
526285a7b645727ec4169863e4ca17a9ef147902

SHA256
84dd0fde217459f5528cedd7ab6ab1ab62b1945137a88a05fb79665dfd8c0631

SHA512
c5337fc9ae4443c1b11f30fe56bf492b9622bae076dcef9d2ffab5c00364772494ab87ec6631d00e02ab73d7c58791780e399d1910a35db76436e2e082787cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
293fd726287d831877d90ae1bbb77b48

SHA1
336645d6b828750e02020711e2163fdff0e77167

SHA256
d3c3ebd6b2ed2ab1a6d50f818dd90eb6cf0572cbb394449b645de987e8c6cfd5

SHA512
58fbd0f9c3accc0a3ac855bf4730f33883723640768422083e00e94a7eda0613d5a749f1234ed46bdd46809b836c8e6a78f1fbcb39a6a6726af0f876ec03710a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4e9757db61858b92c91e8b49a5c0027c

SHA1
526285a7b645727ec4169863e4ca17a9ef147902

SHA256
84dd0fde217459f5528cedd7ab6ab1ab62b1945137a88a05fb79665dfd8c0631

SHA512
c5337fc9ae4443c1b11f30fe56bf492b9622bae076dcef9d2ffab5c00364772494ab87ec6631d00e02ab73d7c58791780e399d1910a35db76436e2e082787cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4e9757db61858b92c91e8b49a5c0027c

SHA1
526285a7b645727ec4169863e4ca17a9ef147902

SHA256
84dd0fde217459f5528cedd7ab6ab1ab62b1945137a88a05fb79665dfd8c0631

SHA512
c5337fc9ae4443c1b11f30fe56bf492b9622bae076dcef9d2ffab5c00364772494ab87ec6631d00e02ab73d7c58791780e399d1910a35db76436e2e082787cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
293fd726287d831877d90ae1bbb77b48

SHA1
336645d6b828750e02020711e2163fdff0e77167

SHA256
d3c3ebd6b2ed2ab1a6d50f818dd90eb6cf0572cbb394449b645de987e8c6cfd5

SHA512
58fbd0f9c3accc0a3ac855bf4730f33883723640768422083e00e94a7eda0613d5a749f1234ed46bdd46809b836c8e6a78f1fbcb39a6a6726af0f876ec03710a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4e9757db61858b92c91e8b49a5c0027c

SHA1
526285a7b645727ec4169863e4ca17a9ef147902

SHA256
84dd0fde217459f5528cedd7ab6ab1ab62b1945137a88a05fb79665dfd8c0631

SHA512
c5337fc9ae4443c1b11f30fe56bf492b9622bae076dcef9d2ffab5c00364772494ab87ec6631d00e02ab73d7c58791780e399d1910a35db76436e2e082787cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4e9757db61858b92c91e8b49a5c0027c

SHA1
526285a7b645727ec4169863e4ca17a9ef147902

SHA256
84dd0fde217459f5528cedd7ab6ab1ab62b1945137a88a05fb79665dfd8c0631

SHA512
c5337fc9ae4443c1b11f30fe56bf492b9622bae076dcef9d2ffab5c00364772494ab87ec6631d00e02ab73d7c58791780e399d1910a35db76436e2e082787cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4e9757db61858b92c91e8b49a5c0027c

SHA1
526285a7b645727ec4169863e4ca17a9ef147902

SHA256
84dd0fde217459f5528cedd7ab6ab1ab62b1945137a88a05fb79665dfd8c0631

SHA512
c5337fc9ae4443c1b11f30fe56bf492b9622bae076dcef9d2ffab5c00364772494ab87ec6631d00e02ab73d7c58791780e399d1910a35db76436e2e082787cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
293fd726287d831877d90ae1bbb77b48

SHA1
336645d6b828750e02020711e2163fdff0e77167

SHA256
d3c3ebd6b2ed2ab1a6d50f818dd90eb6cf0572cbb394449b645de987e8c6cfd5

SHA512
58fbd0f9c3accc0a3ac855bf4730f33883723640768422083e00e94a7eda0613d5a749f1234ed46bdd46809b836c8e6a78f1fbcb39a6a6726af0f876ec03710a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4e9757db61858b92c91e8b49a5c0027c

SHA1
526285a7b645727ec4169863e4ca17a9ef147902

SHA256
84dd0fde217459f5528cedd7ab6ab1ab62b1945137a88a05fb79665dfd8c0631

SHA512
c5337fc9ae4443c1b11f30fe56bf492b9622bae076dcef9d2ffab5c00364772494ab87ec6631d00e02ab73d7c58791780e399d1910a35db76436e2e082787cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
293fd726287d831877d90ae1bbb77b48

SHA1
336645d6b828750e02020711e2163fdff0e77167

SHA256
d3c3ebd6b2ed2ab1a6d50f818dd90eb6cf0572cbb394449b645de987e8c6cfd5

SHA512
58fbd0f9c3accc0a3ac855bf4730f33883723640768422083e00e94a7eda0613d5a749f1234ed46bdd46809b836c8e6a78f1fbcb39a6a6726af0f876ec03710a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4e9757db61858b92c91e8b49a5c0027c

SHA1
526285a7b645727ec4169863e4ca17a9ef147902

SHA256
84dd0fde217459f5528cedd7ab6ab1ab62b1945137a88a05fb79665dfd8c0631

SHA512
c5337fc9ae4443c1b11f30fe56bf492b9622bae076dcef9d2ffab5c00364772494ab87ec6631d00e02ab73d7c58791780e399d1910a35db76436e2e082787cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4e9757db61858b92c91e8b49a5c0027c

SHA1
526285a7b645727ec4169863e4ca17a9ef147902

SHA256
84dd0fde217459f5528cedd7ab6ab1ab62b1945137a88a05fb79665dfd8c0631

SHA512
c5337fc9ae4443c1b11f30fe56bf492b9622bae076dcef9d2ffab5c00364772494ab87ec6631d00e02ab73d7c58791780e399d1910a35db76436e2e082787cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
293fd726287d831877d90ae1bbb77b48

SHA1
336645d6b828750e02020711e2163fdff0e77167

SHA256
d3c3ebd6b2ed2ab1a6d50f818dd90eb6cf0572cbb394449b645de987e8c6cfd5

SHA512
58fbd0f9c3accc0a3ac855bf4730f33883723640768422083e00e94a7eda0613d5a749f1234ed46bdd46809b836c8e6a78f1fbcb39a6a6726af0f876ec03710a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4e9757db61858b92c91e8b49a5c0027c

SHA1
526285a7b645727ec4169863e4ca17a9ef147902

SHA256
84dd0fde217459f5528cedd7ab6ab1ab62b1945137a88a05fb79665dfd8c0631

SHA512
c5337fc9ae4443c1b11f30fe56bf492b9622bae076dcef9d2ffab5c00364772494ab87ec6631d00e02ab73d7c58791780e399d1910a35db76436e2e082787cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4e9757db61858b92c91e8b49a5c0027c

SHA1
526285a7b645727ec4169863e4ca17a9ef147902

SHA256
84dd0fde217459f5528cedd7ab6ab1ab62b1945137a88a05fb79665dfd8c0631

SHA512
c5337fc9ae4443c1b11f30fe56bf492b9622bae076dcef9d2ffab5c00364772494ab87ec6631d00e02ab73d7c58791780e399d1910a35db76436e2e082787cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4e9757db61858b92c91e8b49a5c0027c

SHA1
526285a7b645727ec4169863e4ca17a9ef147902

SHA256
84dd0fde217459f5528cedd7ab6ab1ab62b1945137a88a05fb79665dfd8c0631

SHA512
c5337fc9ae4443c1b11f30fe56bf492b9622bae076dcef9d2ffab5c00364772494ab87ec6631d00e02ab73d7c58791780e399d1910a35db76436e2e082787cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
293fd726287d831877d90ae1bbb77b48

SHA1
336645d6b828750e02020711e2163fdff0e77167

SHA256
d3c3ebd6b2ed2ab1a6d50f818dd90eb6cf0572cbb394449b645de987e8c6cfd5

SHA512
58fbd0f9c3accc0a3ac855bf4730f33883723640768422083e00e94a7eda0613d5a749f1234ed46bdd46809b836c8e6a78f1fbcb39a6a6726af0f876ec03710a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4e9757db61858b92c91e8b49a5c0027c

SHA1
526285a7b645727ec4169863e4ca17a9ef147902

SHA256
84dd0fde217459f5528cedd7ab6ab1ab62b1945137a88a05fb79665dfd8c0631

SHA512
c5337fc9ae4443c1b11f30fe56bf492b9622bae076dcef9d2ffab5c00364772494ab87ec6631d00e02ab73d7c58791780e399d1910a35db76436e2e082787cd4

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
b73dfc831fd5c6f37de0a4753edbf5fb

SHA1
f335c7dcd8b158cc7c6e570ffae6a6bfe446ca22

SHA256
49c49c868ebe9176318d03c41ec850ade7513135db87d60a48e0ab402a45225f

SHA512
7e272a5425837150bb6ccd7e0a23aa6da93f990d34282a196bf31179e6aa92baf35f3486656df409a8567063e834a620d131f66634e6eec1fe4bbdd0de79f6cd

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
b73dfc831fd5c6f37de0a4753edbf5fb

SHA1
f335c7dcd8b158cc7c6e570ffae6a6bfe446ca22

SHA256
49c49c868ebe9176318d03c41ec850ade7513135db87d60a48e0ab402a45225f

SHA512
7e272a5425837150bb6ccd7e0a23aa6da93f990d34282a196bf31179e6aa92baf35f3486656df409a8567063e834a620d131f66634e6eec1fe4bbdd0de79f6cd

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
b73dfc831fd5c6f37de0a4753edbf5fb

SHA1
f335c7dcd8b158cc7c6e570ffae6a6bfe446ca22

SHA256
49c49c868ebe9176318d03c41ec850ade7513135db87d60a48e0ab402a45225f

SHA512
7e272a5425837150bb6ccd7e0a23aa6da93f990d34282a196bf31179e6aa92baf35f3486656df409a8567063e834a620d131f66634e6eec1fe4bbdd0de79f6cd

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
b73dfc831fd5c6f37de0a4753edbf5fb

SHA1
f335c7dcd8b158cc7c6e570ffae6a6bfe446ca22

SHA256
49c49c868ebe9176318d03c41ec850ade7513135db87d60a48e0ab402a45225f

SHA512
7e272a5425837150bb6ccd7e0a23aa6da93f990d34282a196bf31179e6aa92baf35f3486656df409a8567063e834a620d131f66634e6eec1fe4bbdd0de79f6cd

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
b73dfc831fd5c6f37de0a4753edbf5fb

SHA1
f335c7dcd8b158cc7c6e570ffae6a6bfe446ca22

SHA256
49c49c868ebe9176318d03c41ec850ade7513135db87d60a48e0ab402a45225f

SHA512
7e272a5425837150bb6ccd7e0a23aa6da93f990d34282a196bf31179e6aa92baf35f3486656df409a8567063e834a620d131f66634e6eec1fe4bbdd0de79f6cd

Download Submit
memory/1036-171-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1036-67-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1036-65-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1628-172-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1628-64-0x0000000001D80000-0x0000000001DFB000-memory.dmp

Filesize
492KB

Download
memory/1628-63-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1628-62-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads