ae185a5a9cb0dfe4c693ebe295bea8154efc21b7f18f0cf4ba222889c6037cde

Analysis

max time kernel
150s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27-05-2023 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
Size

2.4MB
MD5

9b396edbfbc4bcc009548e9bc327260c
SHA1

96e802cc1a59dcef13e38fe7fee46203fb4949a5
SHA256

ae185a5a9cb0dfe4c693ebe295bea8154efc21b7f18f0cf4ba222889c6037cde
SHA512

d8c50d6362bc5347b7946c512ace83032f7b83ad24d861b6382c6b663a3336a21c66d483b3d12c289c557b5a38094862a310d051fce5ec2026c6373d52ee8198
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCh:eEtl9mRda12sX7hKB8NIyXbacAf2

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe

Executes dropped EXE 1 IoCs

pid	Process
2012	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
1720	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
1720	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File opened (read-only)	\??\T:	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\G:	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File opened (read-only)	\??\R:	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File opened (read-only)	\??\V:	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File opened (read-only)	\??\X:	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\A:	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File opened (read-only)	\??\E:	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\K:	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File opened (read-only)	\??\S:	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\L:	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File opened (read-only)	\??\N:	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File opened (read-only)	\??\O:	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File opened (read-only)	\??\Y:	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\J:	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Z:	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\B:	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File opened (read-only)	\??\F:	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File opened (read-only)	\??\I:	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File opened (read-only)	\??\M:	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File opened (read-only)	\??\U:	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\P:	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File opened (read-only)	\??\Q:	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File opened (read-only)	\??\W:	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2012	1720	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe	28
PID 1720 wrote to memory of 2012	1720	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe	28
PID 1720 wrote to memory of 2012	1720	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe	28
PID 1720 wrote to memory of 2012	1720	2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe	28

C:\Users\Admin\AppData\Local\Temp\2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-25_9b396edbfbc4bcc009548e9bc327260c_ryuk.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3499517378-2376672570-1134980332-1000\desktop.ini.exe

Filesize
2.4MB

MD5
3b98d341e5a40b10db7b17cf5c07c677

SHA1
363bb0adbb32b99beece486b7993e4fbcffc4d66

SHA256
f8939b950286557fd3473ae145463b228c17f8b502688d2cf609f5a6757e8909

SHA512
f8778cf2172c32842fa345b7e8f4c5b6135e6f36f77f035a6534dbe055045ae78a4309f63b2ca6ec50200a3d2c3e39df8a505e4b154796ab2f3360ad233bfa61

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AutoRun.exe

Filesize
2.4MB

MD5
9b396edbfbc4bcc009548e9bc327260c

SHA1
96e802cc1a59dcef13e38fe7fee46203fb4949a5

SHA256
ae185a5a9cb0dfe4c693ebe295bea8154efc21b7f18f0cf4ba222889c6037cde

SHA512
d8c50d6362bc5347b7946c512ace83032f7b83ad24d861b6382c6b663a3336a21c66d483b3d12c289c557b5a38094862a310d051fce5ec2026c6373d52ee8198

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
019089d1fd0daa5a03edd7b04dc281a1

SHA1
6a8192ea5ce5fd4f692a0b36a5f66c0e74d223c9

SHA256
dcf0161633413504a4a7e399486f389df29f1b9f3f83e980f5174d149b361fe3

SHA512
2c70652bff9de1d86b498cfe266af719310881ba97bd2f48eaebac5978c401677301f8817ee3740e27762042196fd58228be87fea1ab43268328ba747e401c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
019089d1fd0daa5a03edd7b04dc281a1

SHA1
6a8192ea5ce5fd4f692a0b36a5f66c0e74d223c9

SHA256
dcf0161633413504a4a7e399486f389df29f1b9f3f83e980f5174d149b361fe3

SHA512
2c70652bff9de1d86b498cfe266af719310881ba97bd2f48eaebac5978c401677301f8817ee3740e27762042196fd58228be87fea1ab43268328ba747e401c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
019089d1fd0daa5a03edd7b04dc281a1

SHA1
6a8192ea5ce5fd4f692a0b36a5f66c0e74d223c9

SHA256
dcf0161633413504a4a7e399486f389df29f1b9f3f83e980f5174d149b361fe3

SHA512
2c70652bff9de1d86b498cfe266af719310881ba97bd2f48eaebac5978c401677301f8817ee3740e27762042196fd58228be87fea1ab43268328ba747e401c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
019089d1fd0daa5a03edd7b04dc281a1

SHA1
6a8192ea5ce5fd4f692a0b36a5f66c0e74d223c9

SHA256
dcf0161633413504a4a7e399486f389df29f1b9f3f83e980f5174d149b361fe3

SHA512
2c70652bff9de1d86b498cfe266af719310881ba97bd2f48eaebac5978c401677301f8817ee3740e27762042196fd58228be87fea1ab43268328ba747e401c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
019089d1fd0daa5a03edd7b04dc281a1

SHA1
6a8192ea5ce5fd4f692a0b36a5f66c0e74d223c9

SHA256
dcf0161633413504a4a7e399486f389df29f1b9f3f83e980f5174d149b361fe3

SHA512
2c70652bff9de1d86b498cfe266af719310881ba97bd2f48eaebac5978c401677301f8817ee3740e27762042196fd58228be87fea1ab43268328ba747e401c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
019089d1fd0daa5a03edd7b04dc281a1

SHA1
6a8192ea5ce5fd4f692a0b36a5f66c0e74d223c9

SHA256
dcf0161633413504a4a7e399486f389df29f1b9f3f83e980f5174d149b361fe3

SHA512
2c70652bff9de1d86b498cfe266af719310881ba97bd2f48eaebac5978c401677301f8817ee3740e27762042196fd58228be87fea1ab43268328ba747e401c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
019089d1fd0daa5a03edd7b04dc281a1

SHA1
6a8192ea5ce5fd4f692a0b36a5f66c0e74d223c9

SHA256
dcf0161633413504a4a7e399486f389df29f1b9f3f83e980f5174d149b361fe3

SHA512
2c70652bff9de1d86b498cfe266af719310881ba97bd2f48eaebac5978c401677301f8817ee3740e27762042196fd58228be87fea1ab43268328ba747e401c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
019089d1fd0daa5a03edd7b04dc281a1

SHA1
6a8192ea5ce5fd4f692a0b36a5f66c0e74d223c9

SHA256
dcf0161633413504a4a7e399486f389df29f1b9f3f83e980f5174d149b361fe3

SHA512
2c70652bff9de1d86b498cfe266af719310881ba97bd2f48eaebac5978c401677301f8817ee3740e27762042196fd58228be87fea1ab43268328ba747e401c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
019089d1fd0daa5a03edd7b04dc281a1

SHA1
6a8192ea5ce5fd4f692a0b36a5f66c0e74d223c9

SHA256
dcf0161633413504a4a7e399486f389df29f1b9f3f83e980f5174d149b361fe3

SHA512
2c70652bff9de1d86b498cfe266af719310881ba97bd2f48eaebac5978c401677301f8817ee3740e27762042196fd58228be87fea1ab43268328ba747e401c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
019089d1fd0daa5a03edd7b04dc281a1

SHA1
6a8192ea5ce5fd4f692a0b36a5f66c0e74d223c9

SHA256
dcf0161633413504a4a7e399486f389df29f1b9f3f83e980f5174d149b361fe3

SHA512
2c70652bff9de1d86b498cfe266af719310881ba97bd2f48eaebac5978c401677301f8817ee3740e27762042196fd58228be87fea1ab43268328ba747e401c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
019089d1fd0daa5a03edd7b04dc281a1

SHA1
6a8192ea5ce5fd4f692a0b36a5f66c0e74d223c9

SHA256
dcf0161633413504a4a7e399486f389df29f1b9f3f83e980f5174d149b361fe3

SHA512
2c70652bff9de1d86b498cfe266af719310881ba97bd2f48eaebac5978c401677301f8817ee3740e27762042196fd58228be87fea1ab43268328ba747e401c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
019089d1fd0daa5a03edd7b04dc281a1

SHA1
6a8192ea5ce5fd4f692a0b36a5f66c0e74d223c9

SHA256
dcf0161633413504a4a7e399486f389df29f1b9f3f83e980f5174d149b361fe3

SHA512
2c70652bff9de1d86b498cfe266af719310881ba97bd2f48eaebac5978c401677301f8817ee3740e27762042196fd58228be87fea1ab43268328ba747e401c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
019089d1fd0daa5a03edd7b04dc281a1

SHA1
6a8192ea5ce5fd4f692a0b36a5f66c0e74d223c9

SHA256
dcf0161633413504a4a7e399486f389df29f1b9f3f83e980f5174d149b361fe3

SHA512
2c70652bff9de1d86b498cfe266af719310881ba97bd2f48eaebac5978c401677301f8817ee3740e27762042196fd58228be87fea1ab43268328ba747e401c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
019089d1fd0daa5a03edd7b04dc281a1

SHA1
6a8192ea5ce5fd4f692a0b36a5f66c0e74d223c9

SHA256
dcf0161633413504a4a7e399486f389df29f1b9f3f83e980f5174d149b361fe3

SHA512
2c70652bff9de1d86b498cfe266af719310881ba97bd2f48eaebac5978c401677301f8817ee3740e27762042196fd58228be87fea1ab43268328ba747e401c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
019089d1fd0daa5a03edd7b04dc281a1

SHA1
6a8192ea5ce5fd4f692a0b36a5f66c0e74d223c9

SHA256
dcf0161633413504a4a7e399486f389df29f1b9f3f83e980f5174d149b361fe3

SHA512
2c70652bff9de1d86b498cfe266af719310881ba97bd2f48eaebac5978c401677301f8817ee3740e27762042196fd58228be87fea1ab43268328ba747e401c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
019089d1fd0daa5a03edd7b04dc281a1

SHA1
6a8192ea5ce5fd4f692a0b36a5f66c0e74d223c9

SHA256
dcf0161633413504a4a7e399486f389df29f1b9f3f83e980f5174d149b361fe3

SHA512
2c70652bff9de1d86b498cfe266af719310881ba97bd2f48eaebac5978c401677301f8817ee3740e27762042196fd58228be87fea1ab43268328ba747e401c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
019089d1fd0daa5a03edd7b04dc281a1

SHA1
6a8192ea5ce5fd4f692a0b36a5f66c0e74d223c9

SHA256
dcf0161633413504a4a7e399486f389df29f1b9f3f83e980f5174d149b361fe3

SHA512
2c70652bff9de1d86b498cfe266af719310881ba97bd2f48eaebac5978c401677301f8817ee3740e27762042196fd58228be87fea1ab43268328ba747e401c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
019089d1fd0daa5a03edd7b04dc281a1

SHA1
6a8192ea5ce5fd4f692a0b36a5f66c0e74d223c9

SHA256
dcf0161633413504a4a7e399486f389df29f1b9f3f83e980f5174d149b361fe3

SHA512
2c70652bff9de1d86b498cfe266af719310881ba97bd2f48eaebac5978c401677301f8817ee3740e27762042196fd58228be87fea1ab43268328ba747e401c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
019089d1fd0daa5a03edd7b04dc281a1

SHA1
6a8192ea5ce5fd4f692a0b36a5f66c0e74d223c9

SHA256
dcf0161633413504a4a7e399486f389df29f1b9f3f83e980f5174d149b361fe3

SHA512
2c70652bff9de1d86b498cfe266af719310881ba97bd2f48eaebac5978c401677301f8817ee3740e27762042196fd58228be87fea1ab43268328ba747e401c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
019089d1fd0daa5a03edd7b04dc281a1

SHA1
6a8192ea5ce5fd4f692a0b36a5f66c0e74d223c9

SHA256
dcf0161633413504a4a7e399486f389df29f1b9f3f83e980f5174d149b361fe3

SHA512
2c70652bff9de1d86b498cfe266af719310881ba97bd2f48eaebac5978c401677301f8817ee3740e27762042196fd58228be87fea1ab43268328ba747e401c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f11b8ad26c5c876476b5907fecef2392

SHA1
0d89b7a1fb149d2be1ea881362a3427e99b5160b

SHA256
20995a8bed5d02478621e3ee95a5069e02bee42079da3923e0e43f41f374364f

SHA512
a701a83c7cd12080e785780401e7e5e6595e958267ecd926de60fedad35b22717513f11361591ab6b3958b531a2f40065fb9a42584f7566d39f8a6b355d2bca5

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
42935359d9ae5ab7507f082c117c0027

SHA1
05dd7616805833497c0ec1826ffc53b7673d8191

SHA256
2fff52aa0c2fac4e53008cdf0bbea4ade2243bf42418330a03d5ce6f0d598421

SHA512
f7fb318258fd7faaed95facea3b8c1ee2c11c13cb5ea239773b22ae5e270cef94a1892dfd2f60df15cf79f9f4935e4145bf5127734ff8893c3020c245d18189a

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
42935359d9ae5ab7507f082c117c0027

SHA1
05dd7616805833497c0ec1826ffc53b7673d8191

SHA256
2fff52aa0c2fac4e53008cdf0bbea4ade2243bf42418330a03d5ce6f0d598421

SHA512
f7fb318258fd7faaed95facea3b8c1ee2c11c13cb5ea239773b22ae5e270cef94a1892dfd2f60df15cf79f9f4935e4145bf5127734ff8893c3020c245d18189a

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
42935359d9ae5ab7507f082c117c0027

SHA1
05dd7616805833497c0ec1826ffc53b7673d8191

SHA256
2fff52aa0c2fac4e53008cdf0bbea4ade2243bf42418330a03d5ce6f0d598421

SHA512
f7fb318258fd7faaed95facea3b8c1ee2c11c13cb5ea239773b22ae5e270cef94a1892dfd2f60df15cf79f9f4935e4145bf5127734ff8893c3020c245d18189a

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
42935359d9ae5ab7507f082c117c0027

SHA1
05dd7616805833497c0ec1826ffc53b7673d8191

SHA256
2fff52aa0c2fac4e53008cdf0bbea4ade2243bf42418330a03d5ce6f0d598421

SHA512
f7fb318258fd7faaed95facea3b8c1ee2c11c13cb5ea239773b22ae5e270cef94a1892dfd2f60df15cf79f9f4935e4145bf5127734ff8893c3020c245d18189a

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
42935359d9ae5ab7507f082c117c0027

SHA1
05dd7616805833497c0ec1826ffc53b7673d8191

SHA256
2fff52aa0c2fac4e53008cdf0bbea4ade2243bf42418330a03d5ce6f0d598421

SHA512
f7fb318258fd7faaed95facea3b8c1ee2c11c13cb5ea239773b22ae5e270cef94a1892dfd2f60df15cf79f9f4935e4145bf5127734ff8893c3020c245d18189a

Download Submit
memory/1720-272-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1720-65-0x0000000000780000-0x00000000007FB000-memory.dmp

Filesize
492KB

Download
memory/1720-64-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1720-63-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2012-66-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2012-67-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2012-273-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads