Analysis

  • max time kernel
    152s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/10/2023, 13:48

General

  • Target

    2023-08-26_729c3e9acf75b2f8bef749495d3e5a58_ryuk_JC.exe

  • Size

    7.8MB

  • MD5

    729c3e9acf75b2f8bef749495d3e5a58

  • SHA1

    ea31999d40aca8a9bb2d92745e69472c222a444a

  • SHA256

    ba88cc7fd425db8fd8ee2c0a0920a1df16cdd2473ad33dd6019c1df913acf403

  • SHA512

    acfa3713bd1167f39d2c19da8e8f0870549187190149d22ad3c80e0e1e396aa0f131165992871227e0b04d82f41a38e56337d833df35f139a2397268e659efe9

  • SSDEEP

    98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMd:9nwnY

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2023-08-26_729c3e9acf75b2f8bef749495d3e5a58_ryuk_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\2023-08-26_729c3e9acf75b2f8bef749495d3e5a58_ryuk_JC.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:1720

Network

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3513876443-2771975297-1923446376-1000\desktop.ini.exe

          Filesize

          7.8MB

          MD5

          09386d800c0df35ae5daf75fe2cc6c16

          SHA1

          4cc66a9b3376d8328a8a5a863e1fd2f52cedb5e2

          SHA256

          ffd4e2327a2095e1f91d3fa842b4ef6c07c81f8fb52e15b93ea6d70f7b0d6450

          SHA512

          27ff9276a6de3a375af6d5301fa89f271e739771588a146831de4ac4308199fb7ad14cc77d5d0f1822998f5bdf361e97f5c1f24d86af4114d56f8a6e16bba100

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

          Filesize

          954B

          MD5

          958a445f408fd16bcdcb142717c87c12

          SHA1

          e10f3432ff636e2d18e0eb05c9df4fc46e3447ee

          SHA256

          bd806f97cded3a67bfdac2fead6b93b4ae9ba0e6d09f3b1d97c47820efdb029d

          SHA512

          e7e9855fb3575a55153fb2e98baa300c431c8ba4289cc8bbb5de279570ce918e2456a02a06db19599a5ec2f42be5b152350e6882368456362c3e56d180950b5e

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

          Filesize

          1KB

          MD5

          831b67912ad3208b6142680e62b6b67d

          SHA1

          5f8a5496915cf16e3c5e69725357bf88187f5cfa

          SHA256

          37eac1a65d80da3a41c0d195696bfe4e1965890a5ad0be56bec1b22ab1e1acf7

          SHA512

          d17cfbc7863f9e5da0a6a6f8f50837380d3e8ab9a1001f3d4f0c3600b8c99063b2c916a02e8777eb5972061c89d7314a1db2afeaa68e93e1383525e064d4449a

        • C:\Windows\SysWOW64\HelpMe.exe

          Filesize

          7.8MB

          MD5

          0e6c7282ea1f538efae6914cb37803ed

          SHA1

          608a0d2b6bece0fa8ce1c4ca4d6ae8c1d5e37d33

          SHA256

          388adf79c1be72ab6ef28e38eb0dbd7a5618940fa82c0527e02b05ec3344e282

          SHA512

          371d0450c9f6c6a2a24f2aae5d716c673eea41e2a51a965e35a73653e794032d66921fefe3bf430ba19d9eda119687899534f9a64c91b73aebe7de7dd4b9cd19

        • F:\AUTORUN.INF

          Filesize

          145B

          MD5

          ca13857b2fd3895a39f09d9dde3cca97

          SHA1

          8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

          SHA256

          cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

          SHA512

          55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

        • F:\AutoRun.exe

          Filesize

          7.8MB

          MD5

          729c3e9acf75b2f8bef749495d3e5a58

          SHA1

          ea31999d40aca8a9bb2d92745e69472c222a444a

          SHA256

          ba88cc7fd425db8fd8ee2c0a0920a1df16cdd2473ad33dd6019c1df913acf403

          SHA512

          acfa3713bd1167f39d2c19da8e8f0870549187190149d22ad3c80e0e1e396aa0f131165992871227e0b04d82f41a38e56337d833df35f139a2397268e659efe9

        • \Windows\SysWOW64\HelpMe.exe

          Filesize

          7.8MB

          MD5

          0e6c7282ea1f538efae6914cb37803ed

          SHA1

          608a0d2b6bece0fa8ce1c4ca4d6ae8c1d5e37d33

          SHA256

          388adf79c1be72ab6ef28e38eb0dbd7a5618940fa82c0527e02b05ec3344e282

          SHA512

          371d0450c9f6c6a2a24f2aae5d716c673eea41e2a51a965e35a73653e794032d66921fefe3bf430ba19d9eda119687899534f9a64c91b73aebe7de7dd4b9cd19

        • memory/1720-10-0x00000000001B0000-0x00000000001B1000-memory.dmp

          Filesize

          4KB

        • memory/1720-42-0x0000000000400000-0x000000000047B000-memory.dmp

          Filesize

          492KB

        • memory/2988-0-0x0000000000400000-0x000000000047B000-memory.dmp

          Filesize

          492KB

        • memory/2988-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

          Filesize

          4KB

        • memory/2988-38-0x0000000000400000-0x000000000047B000-memory.dmp

          Filesize

          492KB

        • memory/2988-40-0x00000000001B0000-0x00000000001B1000-memory.dmp

          Filesize

          4KB

        • memory/2988-41-0x0000000001DF0000-0x0000000001E6B000-memory.dmp

          Filesize

          492KB