e7b66e92977c0f7c701b7a69cd0e8e149afd423e85afe118048eba0c0492e724

Analysis

max time kernel
146s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 05:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
Size

7.8MB
MD5

c5a29aa5ebc78833d9f3e3b95cd6caf1
SHA1

b24bce3d9dc701cb97e7b7f53fa7adc2541c67e0
SHA256

e7b66e92977c0f7c701b7a69cd0e8e149afd423e85afe118048eba0c0492e724
SHA512

9b0dfcdc47dbf4415f62f2c6fd9bf6db2d6d6f4d1fd28f877043f707cc28503b2971555ea8c1fb6a8240264e54b7d0c7366abd7e3809fd2159b6805f2e6d0641
SSDEEP

98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzM5:9nwnE

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
2756	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
1964	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
1964	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\I:	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
File opened (read-only)	\??\N:	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
File opened (read-only)	\??\O:	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
File opened (read-only)	\??\H:	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\G:	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
File opened (read-only)	\??\M:	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\X:	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
File opened (read-only)	\??\Y:	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\B:	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
File opened (read-only)	\??\K:	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
File opened (read-only)	\??\Q:	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\W:	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\A:	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
File opened (read-only)	\??\U:	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
File opened (read-only)	\??\V:	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\J:	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
File opened (read-only)	\??\L:	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
File opened (read-only)	\??\S:	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
File opened (read-only)	\??\Z:	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\E:	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
File opened (read-only)	\??\P:	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
File opened (read-only)	\??\R:	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
File opened for modification	C:\AUTORUN.INF	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2756	1964	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe	28
PID 1964 wrote to memory of 2756	1964	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe	28
PID 1964 wrote to memory of 2756	1964	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe	28
PID 1964 wrote to memory of 2756	1964	2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_c5a29aa5ebc78833d9f3e3b95cd6caf1_ryuk_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-607259312-1573743425-2763420908-1000\desktop.ini.exe

Filesize
7.8MB

MD5
42837fd2615789964fb2c9eddd5fabb5

SHA1
ae71fecf66ed2278d58f87ebbfb3c2b575f72592

SHA256
0838ae7b6af8789e429aa4a45d1ff9cd599601befacdf294866c4bcf37c1b8eb

SHA512
97138f304569bcc06cd6505c2ecd3a8e9b87f1d525fbcc8d428b91863a18e8b054eafc982dda24847686be2b08f95fcd228f62fca6d5e70c6ec2d079ce9968be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
77d6b4082bc9eec1dbea36111a523278

SHA1
79251ee7bde98f37763ac79baea345738a9efb38

SHA256
272e94a671520cf1c5436623b439f18fd6f5be4b22eca72ab31c26177fa56897

SHA512
3c6efa9d5847cfa92bd71b91a8fee3c0a08349d525a48773826c2a018e8e513fcadb9f6588dec04aa68ea5df1b29c126294d9ca576f12875a888faa736b02c02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
77d6b4082bc9eec1dbea36111a523278

SHA1
79251ee7bde98f37763ac79baea345738a9efb38

SHA256
272e94a671520cf1c5436623b439f18fd6f5be4b22eca72ab31c26177fa56897

SHA512
3c6efa9d5847cfa92bd71b91a8fee3c0a08349d525a48773826c2a018e8e513fcadb9f6588dec04aa68ea5df1b29c126294d9ca576f12875a888faa736b02c02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
77d6b4082bc9eec1dbea36111a523278

SHA1
79251ee7bde98f37763ac79baea345738a9efb38

SHA256
272e94a671520cf1c5436623b439f18fd6f5be4b22eca72ab31c26177fa56897

SHA512
3c6efa9d5847cfa92bd71b91a8fee3c0a08349d525a48773826c2a018e8e513fcadb9f6588dec04aa68ea5df1b29c126294d9ca576f12875a888faa736b02c02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
5d3f6f77eb9ef874715a1f63992d6365

SHA1
517292ab1164c463bcd29f4a55cf577eb8b36b94

SHA256
8e23269b9afef47a1401402b61f4e9cdcf5d68863516d23fa27e7cb86a524a6b

SHA512
c9a4c10d0599d8319a7b0187bfcd25f93f1b723cd3b9f93e8bce0c3b5a7d163095510a7a121556bbf2af3de187416b3e4d3e0434f707d5b6ed2390b1652093ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
5d3f6f77eb9ef874715a1f63992d6365

SHA1
517292ab1164c463bcd29f4a55cf577eb8b36b94

SHA256
8e23269b9afef47a1401402b61f4e9cdcf5d68863516d23fa27e7cb86a524a6b

SHA512
c9a4c10d0599d8319a7b0187bfcd25f93f1b723cd3b9f93e8bce0c3b5a7d163095510a7a121556bbf2af3de187416b3e4d3e0434f707d5b6ed2390b1652093ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
77d6b4082bc9eec1dbea36111a523278

SHA1
79251ee7bde98f37763ac79baea345738a9efb38

SHA256
272e94a671520cf1c5436623b439f18fd6f5be4b22eca72ab31c26177fa56897

SHA512
3c6efa9d5847cfa92bd71b91a8fee3c0a08349d525a48773826c2a018e8e513fcadb9f6588dec04aa68ea5df1b29c126294d9ca576f12875a888faa736b02c02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
5d3f6f77eb9ef874715a1f63992d6365

SHA1
517292ab1164c463bcd29f4a55cf577eb8b36b94

SHA256
8e23269b9afef47a1401402b61f4e9cdcf5d68863516d23fa27e7cb86a524a6b

SHA512
c9a4c10d0599d8319a7b0187bfcd25f93f1b723cd3b9f93e8bce0c3b5a7d163095510a7a121556bbf2af3de187416b3e4d3e0434f707d5b6ed2390b1652093ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
77d6b4082bc9eec1dbea36111a523278

SHA1
79251ee7bde98f37763ac79baea345738a9efb38

SHA256
272e94a671520cf1c5436623b439f18fd6f5be4b22eca72ab31c26177fa56897

SHA512
3c6efa9d5847cfa92bd71b91a8fee3c0a08349d525a48773826c2a018e8e513fcadb9f6588dec04aa68ea5df1b29c126294d9ca576f12875a888faa736b02c02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
5d3f6f77eb9ef874715a1f63992d6365

SHA1
517292ab1164c463bcd29f4a55cf577eb8b36b94

SHA256
8e23269b9afef47a1401402b61f4e9cdcf5d68863516d23fa27e7cb86a524a6b

SHA512
c9a4c10d0599d8319a7b0187bfcd25f93f1b723cd3b9f93e8bce0c3b5a7d163095510a7a121556bbf2af3de187416b3e4d3e0434f707d5b6ed2390b1652093ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
5d3f6f77eb9ef874715a1f63992d6365

SHA1
517292ab1164c463bcd29f4a55cf577eb8b36b94

SHA256
8e23269b9afef47a1401402b61f4e9cdcf5d68863516d23fa27e7cb86a524a6b

SHA512
c9a4c10d0599d8319a7b0187bfcd25f93f1b723cd3b9f93e8bce0c3b5a7d163095510a7a121556bbf2af3de187416b3e4d3e0434f707d5b6ed2390b1652093ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
5d3f6f77eb9ef874715a1f63992d6365

SHA1
517292ab1164c463bcd29f4a55cf577eb8b36b94

SHA256
8e23269b9afef47a1401402b61f4e9cdcf5d68863516d23fa27e7cb86a524a6b

SHA512
c9a4c10d0599d8319a7b0187bfcd25f93f1b723cd3b9f93e8bce0c3b5a7d163095510a7a121556bbf2af3de187416b3e4d3e0434f707d5b6ed2390b1652093ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
5d3f6f77eb9ef874715a1f63992d6365

SHA1
517292ab1164c463bcd29f4a55cf577eb8b36b94

SHA256
8e23269b9afef47a1401402b61f4e9cdcf5d68863516d23fa27e7cb86a524a6b

SHA512
c9a4c10d0599d8319a7b0187bfcd25f93f1b723cd3b9f93e8bce0c3b5a7d163095510a7a121556bbf2af3de187416b3e4d3e0434f707d5b6ed2390b1652093ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
77d6b4082bc9eec1dbea36111a523278

SHA1
79251ee7bde98f37763ac79baea345738a9efb38

SHA256
272e94a671520cf1c5436623b439f18fd6f5be4b22eca72ab31c26177fa56897

SHA512
3c6efa9d5847cfa92bd71b91a8fee3c0a08349d525a48773826c2a018e8e513fcadb9f6588dec04aa68ea5df1b29c126294d9ca576f12875a888faa736b02c02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
5d3f6f77eb9ef874715a1f63992d6365

SHA1
517292ab1164c463bcd29f4a55cf577eb8b36b94

SHA256
8e23269b9afef47a1401402b61f4e9cdcf5d68863516d23fa27e7cb86a524a6b

SHA512
c9a4c10d0599d8319a7b0187bfcd25f93f1b723cd3b9f93e8bce0c3b5a7d163095510a7a121556bbf2af3de187416b3e4d3e0434f707d5b6ed2390b1652093ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
77d6b4082bc9eec1dbea36111a523278

SHA1
79251ee7bde98f37763ac79baea345738a9efb38

SHA256
272e94a671520cf1c5436623b439f18fd6f5be4b22eca72ab31c26177fa56897

SHA512
3c6efa9d5847cfa92bd71b91a8fee3c0a08349d525a48773826c2a018e8e513fcadb9f6588dec04aa68ea5df1b29c126294d9ca576f12875a888faa736b02c02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
5d3f6f77eb9ef874715a1f63992d6365

SHA1
517292ab1164c463bcd29f4a55cf577eb8b36b94

SHA256
8e23269b9afef47a1401402b61f4e9cdcf5d68863516d23fa27e7cb86a524a6b

SHA512
c9a4c10d0599d8319a7b0187bfcd25f93f1b723cd3b9f93e8bce0c3b5a7d163095510a7a121556bbf2af3de187416b3e4d3e0434f707d5b6ed2390b1652093ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
77d6b4082bc9eec1dbea36111a523278

SHA1
79251ee7bde98f37763ac79baea345738a9efb38

SHA256
272e94a671520cf1c5436623b439f18fd6f5be4b22eca72ab31c26177fa56897

SHA512
3c6efa9d5847cfa92bd71b91a8fee3c0a08349d525a48773826c2a018e8e513fcadb9f6588dec04aa68ea5df1b29c126294d9ca576f12875a888faa736b02c02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
77d6b4082bc9eec1dbea36111a523278

SHA1
79251ee7bde98f37763ac79baea345738a9efb38

SHA256
272e94a671520cf1c5436623b439f18fd6f5be4b22eca72ab31c26177fa56897

SHA512
3c6efa9d5847cfa92bd71b91a8fee3c0a08349d525a48773826c2a018e8e513fcadb9f6588dec04aa68ea5df1b29c126294d9ca576f12875a888faa736b02c02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
5d3f6f77eb9ef874715a1f63992d6365

SHA1
517292ab1164c463bcd29f4a55cf577eb8b36b94

SHA256
8e23269b9afef47a1401402b61f4e9cdcf5d68863516d23fa27e7cb86a524a6b

SHA512
c9a4c10d0599d8319a7b0187bfcd25f93f1b723cd3b9f93e8bce0c3b5a7d163095510a7a121556bbf2af3de187416b3e4d3e0434f707d5b6ed2390b1652093ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
77d6b4082bc9eec1dbea36111a523278

SHA1
79251ee7bde98f37763ac79baea345738a9efb38

SHA256
272e94a671520cf1c5436623b439f18fd6f5be4b22eca72ab31c26177fa56897

SHA512
3c6efa9d5847cfa92bd71b91a8fee3c0a08349d525a48773826c2a018e8e513fcadb9f6588dec04aa68ea5df1b29c126294d9ca576f12875a888faa736b02c02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
5d3f6f77eb9ef874715a1f63992d6365

SHA1
517292ab1164c463bcd29f4a55cf577eb8b36b94

SHA256
8e23269b9afef47a1401402b61f4e9cdcf5d68863516d23fa27e7cb86a524a6b

SHA512
c9a4c10d0599d8319a7b0187bfcd25f93f1b723cd3b9f93e8bce0c3b5a7d163095510a7a121556bbf2af3de187416b3e4d3e0434f707d5b6ed2390b1652093ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
5d3f6f77eb9ef874715a1f63992d6365

SHA1
517292ab1164c463bcd29f4a55cf577eb8b36b94

SHA256
8e23269b9afef47a1401402b61f4e9cdcf5d68863516d23fa27e7cb86a524a6b

SHA512
c9a4c10d0599d8319a7b0187bfcd25f93f1b723cd3b9f93e8bce0c3b5a7d163095510a7a121556bbf2af3de187416b3e4d3e0434f707d5b6ed2390b1652093ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
77d6b4082bc9eec1dbea36111a523278

SHA1
79251ee7bde98f37763ac79baea345738a9efb38

SHA256
272e94a671520cf1c5436623b439f18fd6f5be4b22eca72ab31c26177fa56897

SHA512
3c6efa9d5847cfa92bd71b91a8fee3c0a08349d525a48773826c2a018e8e513fcadb9f6588dec04aa68ea5df1b29c126294d9ca576f12875a888faa736b02c02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
5d3f6f77eb9ef874715a1f63992d6365

SHA1
517292ab1164c463bcd29f4a55cf577eb8b36b94

SHA256
8e23269b9afef47a1401402b61f4e9cdcf5d68863516d23fa27e7cb86a524a6b

SHA512
c9a4c10d0599d8319a7b0187bfcd25f93f1b723cd3b9f93e8bce0c3b5a7d163095510a7a121556bbf2af3de187416b3e4d3e0434f707d5b6ed2390b1652093ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
77d6b4082bc9eec1dbea36111a523278

SHA1
79251ee7bde98f37763ac79baea345738a9efb38

SHA256
272e94a671520cf1c5436623b439f18fd6f5be4b22eca72ab31c26177fa56897

SHA512
3c6efa9d5847cfa92bd71b91a8fee3c0a08349d525a48773826c2a018e8e513fcadb9f6588dec04aa68ea5df1b29c126294d9ca576f12875a888faa736b02c02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
5d3f6f77eb9ef874715a1f63992d6365

SHA1
517292ab1164c463bcd29f4a55cf577eb8b36b94

SHA256
8e23269b9afef47a1401402b61f4e9cdcf5d68863516d23fa27e7cb86a524a6b

SHA512
c9a4c10d0599d8319a7b0187bfcd25f93f1b723cd3b9f93e8bce0c3b5a7d163095510a7a121556bbf2af3de187416b3e4d3e0434f707d5b6ed2390b1652093ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
77d6b4082bc9eec1dbea36111a523278

SHA1
79251ee7bde98f37763ac79baea345738a9efb38

SHA256
272e94a671520cf1c5436623b439f18fd6f5be4b22eca72ab31c26177fa56897

SHA512
3c6efa9d5847cfa92bd71b91a8fee3c0a08349d525a48773826c2a018e8e513fcadb9f6588dec04aa68ea5df1b29c126294d9ca576f12875a888faa736b02c02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
5d3f6f77eb9ef874715a1f63992d6365

SHA1
517292ab1164c463bcd29f4a55cf577eb8b36b94

SHA256
8e23269b9afef47a1401402b61f4e9cdcf5d68863516d23fa27e7cb86a524a6b

SHA512
c9a4c10d0599d8319a7b0187bfcd25f93f1b723cd3b9f93e8bce0c3b5a7d163095510a7a121556bbf2af3de187416b3e4d3e0434f707d5b6ed2390b1652093ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
77d6b4082bc9eec1dbea36111a523278

SHA1
79251ee7bde98f37763ac79baea345738a9efb38

SHA256
272e94a671520cf1c5436623b439f18fd6f5be4b22eca72ab31c26177fa56897

SHA512
3c6efa9d5847cfa92bd71b91a8fee3c0a08349d525a48773826c2a018e8e513fcadb9f6588dec04aa68ea5df1b29c126294d9ca576f12875a888faa736b02c02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
5d3f6f77eb9ef874715a1f63992d6365

SHA1
517292ab1164c463bcd29f4a55cf577eb8b36b94

SHA256
8e23269b9afef47a1401402b61f4e9cdcf5d68863516d23fa27e7cb86a524a6b

SHA512
c9a4c10d0599d8319a7b0187bfcd25f93f1b723cd3b9f93e8bce0c3b5a7d163095510a7a121556bbf2af3de187416b3e4d3e0434f707d5b6ed2390b1652093ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
77d6b4082bc9eec1dbea36111a523278

SHA1
79251ee7bde98f37763ac79baea345738a9efb38

SHA256
272e94a671520cf1c5436623b439f18fd6f5be4b22eca72ab31c26177fa56897

SHA512
3c6efa9d5847cfa92bd71b91a8fee3c0a08349d525a48773826c2a018e8e513fcadb9f6588dec04aa68ea5df1b29c126294d9ca576f12875a888faa736b02c02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
5d3f6f77eb9ef874715a1f63992d6365

SHA1
517292ab1164c463bcd29f4a55cf577eb8b36b94

SHA256
8e23269b9afef47a1401402b61f4e9cdcf5d68863516d23fa27e7cb86a524a6b

SHA512
c9a4c10d0599d8319a7b0187bfcd25f93f1b723cd3b9f93e8bce0c3b5a7d163095510a7a121556bbf2af3de187416b3e4d3e0434f707d5b6ed2390b1652093ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
5d3f6f77eb9ef874715a1f63992d6365

SHA1
517292ab1164c463bcd29f4a55cf577eb8b36b94

SHA256
8e23269b9afef47a1401402b61f4e9cdcf5d68863516d23fa27e7cb86a524a6b

SHA512
c9a4c10d0599d8319a7b0187bfcd25f93f1b723cd3b9f93e8bce0c3b5a7d163095510a7a121556bbf2af3de187416b3e4d3e0434f707d5b6ed2390b1652093ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
5d3f6f77eb9ef874715a1f63992d6365

SHA1
517292ab1164c463bcd29f4a55cf577eb8b36b94

SHA256
8e23269b9afef47a1401402b61f4e9cdcf5d68863516d23fa27e7cb86a524a6b

SHA512
c9a4c10d0599d8319a7b0187bfcd25f93f1b723cd3b9f93e8bce0c3b5a7d163095510a7a121556bbf2af3de187416b3e4d3e0434f707d5b6ed2390b1652093ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
77d6b4082bc9eec1dbea36111a523278

SHA1
79251ee7bde98f37763ac79baea345738a9efb38

SHA256
272e94a671520cf1c5436623b439f18fd6f5be4b22eca72ab31c26177fa56897

SHA512
3c6efa9d5847cfa92bd71b91a8fee3c0a08349d525a48773826c2a018e8e513fcadb9f6588dec04aa68ea5df1b29c126294d9ca576f12875a888faa736b02c02

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
7.8MB

MD5
56b1521a30e3e542e2804089563e0b47

SHA1
89d877438ceda60a5f290817747ab46916aaa371

SHA256
2ab4c5b0787649404ea4fb77259fe16a9b1b3d45ff1ee59a6857ce1af2f983be

SHA512
723f34fea35fffee9c7e6d027b499a1884b45e021e4d0798c68d190f1485fb73be18f0512f1c443bbed570d4eb26db834bb22eb0255ac6890f83376127b1c2a9

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
7.8MB

MD5
56b1521a30e3e542e2804089563e0b47

SHA1
89d877438ceda60a5f290817747ab46916aaa371

SHA256
2ab4c5b0787649404ea4fb77259fe16a9b1b3d45ff1ee59a6857ce1af2f983be

SHA512
723f34fea35fffee9c7e6d027b499a1884b45e021e4d0798c68d190f1485fb73be18f0512f1c443bbed570d4eb26db834bb22eb0255ac6890f83376127b1c2a9

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
7.8MB

MD5
56b1521a30e3e542e2804089563e0b47

SHA1
89d877438ceda60a5f290817747ab46916aaa371

SHA256
2ab4c5b0787649404ea4fb77259fe16a9b1b3d45ff1ee59a6857ce1af2f983be

SHA512
723f34fea35fffee9c7e6d027b499a1884b45e021e4d0798c68d190f1485fb73be18f0512f1c443bbed570d4eb26db834bb22eb0255ac6890f83376127b1c2a9

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
7.8MB

MD5
c5a29aa5ebc78833d9f3e3b95cd6caf1

SHA1
b24bce3d9dc701cb97e7b7f53fa7adc2541c67e0

SHA256
e7b66e92977c0f7c701b7a69cd0e8e149afd423e85afe118048eba0c0492e724

SHA512
9b0dfcdc47dbf4415f62f2c6fd9bf6db2d6d6f4d1fd28f877043f707cc28503b2971555ea8c1fb6a8240264e54b7d0c7366abd7e3809fd2159b6805f2e6d0641

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
7.8MB

MD5
56b1521a30e3e542e2804089563e0b47

SHA1
89d877438ceda60a5f290817747ab46916aaa371

SHA256
2ab4c5b0787649404ea4fb77259fe16a9b1b3d45ff1ee59a6857ce1af2f983be

SHA512
723f34fea35fffee9c7e6d027b499a1884b45e021e4d0798c68d190f1485fb73be18f0512f1c443bbed570d4eb26db834bb22eb0255ac6890f83376127b1c2a9

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
7.8MB

MD5
56b1521a30e3e542e2804089563e0b47

SHA1
89d877438ceda60a5f290817747ab46916aaa371

SHA256
2ab4c5b0787649404ea4fb77259fe16a9b1b3d45ff1ee59a6857ce1af2f983be

SHA512
723f34fea35fffee9c7e6d027b499a1884b45e021e4d0798c68d190f1485fb73be18f0512f1c443bbed570d4eb26db834bb22eb0255ac6890f83376127b1c2a9

Download Submit
memory/1964-71-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1964-9-0x0000000001E30000-0x0000000001EAB000-memory.dmp

Filesize
492KB

Download
memory/1964-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1964-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1964-72-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1964-75-0x0000000001E30000-0x0000000001EAB000-memory.dmp

Filesize
492KB

Download
memory/2756-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2756-11-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2756-76-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads