89286fede4f926ec8869703329899f4c17fdd7a812943d740d6077a5f2575daa

Analysis

max time kernel
148s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 01:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
Size

18.5MB
MD5

42a8075e5d341bcd1d20c7d3eadff950
SHA1

094fb48ecebd5ce3aef3d142d745c24182b171f5
SHA256

89286fede4f926ec8869703329899f4c17fdd7a812943d740d6077a5f2575daa
SHA512

782fb809754b030e52485ed62fddb26b1d875f622c22d620b4dcfeb542b36b17c545457e6aaa9be25e4d48dcb58000b6c0f1f7961297d76a8fbc3f1c22ffbb19
SSDEEP

98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMt:9nwngnwnQ

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
2696	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
1764	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
1764	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\A:	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
File opened (read-only)	\??\I:	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
File opened (read-only)	\??\L:	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
File opened (read-only)	\??\N:	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\J:	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
File opened (read-only)	\??\K:	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
File opened (read-only)	\??\R:	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
File opened (read-only)	\??\W:	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
File opened (read-only)	\??\Z:	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\B:	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
File opened (read-only)	\??\P:	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
File opened (read-only)	\??\X:	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
File opened (read-only)	\??\Y:	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\M:	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\O:	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
File opened (read-only)	\??\Q:	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
File opened (read-only)	\??\T:	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
File opened (read-only)	\??\V:	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\G:	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
File opened (read-only)	\??\U:	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\E:	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
File opened (read-only)	\??\S:	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\H:	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
File opened for modification	C:\AUTORUN.INF	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2696	1764	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe	28
PID 1764 wrote to memory of 2696	1764	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe	28
PID 1764 wrote to memory of 2696	1764	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe	28
PID 1764 wrote to memory of 2696	1764	2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_42a8075e5d341bcd1d20c7d3eadff950_ryuk_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-86725733-3001458681-3405935542-1000\desktop.ini.exe

Filesize
18.5MB

MD5
de5c767a16770b7afc9fc5c41acb3f27

SHA1
8d2e3c8fc1d12fe4a1850aacadbfa28582fde0c0

SHA256
c0073bfa9251fa55b179723e3c4f6250c4fde8bd294f6174eccffc7aae9c2232

SHA512
fb71f9a686ec1e53831b5ab1cb95dca63770a3b4a83eff2920270aeb4e5dc4941e47f1886c7d49f7fb3fbf97e7240a2e5f30a15dd43a2db6b6098995ed137cdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e8841eacbfb369f1e06c71d0362dbbca

SHA1
4ee572c61b7534e97154fb610448699a2d52778b

SHA256
27d0655826f6a9a911e9fed98ee03b2bc6ba54f567d5423ea0a6cc1c694d7e93

SHA512
d02dbdacd9b71b8ac2aec29f6c2ed98a7622bab43623bbaea9d84c67c5f36672a72dfb5ad6e73535057be3b600b7010a4d45e1a4b43a3359d2b7472f5a0b6c67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
89d4309d0e23a90b2665533412245433

SHA1
993dc4014aca021fae3cf4f592fa618b4a949578

SHA256
0f38ff30becb973bfded313e8495bc22e069e951d09287d2a15aa93c95d56732

SHA512
8dbc3db9966dba8c19d21cd50c8e5ae7d955176a1b056df144b2c93263b9be2cd6b16b7a6d9bd5c03517e0f1bdb1aba6d0d16b8887ee5db4b0c812a33aba0a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
89d4309d0e23a90b2665533412245433

SHA1
993dc4014aca021fae3cf4f592fa618b4a949578

SHA256
0f38ff30becb973bfded313e8495bc22e069e951d09287d2a15aa93c95d56732

SHA512
8dbc3db9966dba8c19d21cd50c8e5ae7d955176a1b056df144b2c93263b9be2cd6b16b7a6d9bd5c03517e0f1bdb1aba6d0d16b8887ee5db4b0c812a33aba0a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e8841eacbfb369f1e06c71d0362dbbca

SHA1
4ee572c61b7534e97154fb610448699a2d52778b

SHA256
27d0655826f6a9a911e9fed98ee03b2bc6ba54f567d5423ea0a6cc1c694d7e93

SHA512
d02dbdacd9b71b8ac2aec29f6c2ed98a7622bab43623bbaea9d84c67c5f36672a72dfb5ad6e73535057be3b600b7010a4d45e1a4b43a3359d2b7472f5a0b6c67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
89d4309d0e23a90b2665533412245433

SHA1
993dc4014aca021fae3cf4f592fa618b4a949578

SHA256
0f38ff30becb973bfded313e8495bc22e069e951d09287d2a15aa93c95d56732

SHA512
8dbc3db9966dba8c19d21cd50c8e5ae7d955176a1b056df144b2c93263b9be2cd6b16b7a6d9bd5c03517e0f1bdb1aba6d0d16b8887ee5db4b0c812a33aba0a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e8841eacbfb369f1e06c71d0362dbbca

SHA1
4ee572c61b7534e97154fb610448699a2d52778b

SHA256
27d0655826f6a9a911e9fed98ee03b2bc6ba54f567d5423ea0a6cc1c694d7e93

SHA512
d02dbdacd9b71b8ac2aec29f6c2ed98a7622bab43623bbaea9d84c67c5f36672a72dfb5ad6e73535057be3b600b7010a4d45e1a4b43a3359d2b7472f5a0b6c67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
89d4309d0e23a90b2665533412245433

SHA1
993dc4014aca021fae3cf4f592fa618b4a949578

SHA256
0f38ff30becb973bfded313e8495bc22e069e951d09287d2a15aa93c95d56732

SHA512
8dbc3db9966dba8c19d21cd50c8e5ae7d955176a1b056df144b2c93263b9be2cd6b16b7a6d9bd5c03517e0f1bdb1aba6d0d16b8887ee5db4b0c812a33aba0a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e8841eacbfb369f1e06c71d0362dbbca

SHA1
4ee572c61b7534e97154fb610448699a2d52778b

SHA256
27d0655826f6a9a911e9fed98ee03b2bc6ba54f567d5423ea0a6cc1c694d7e93

SHA512
d02dbdacd9b71b8ac2aec29f6c2ed98a7622bab43623bbaea9d84c67c5f36672a72dfb5ad6e73535057be3b600b7010a4d45e1a4b43a3359d2b7472f5a0b6c67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
89d4309d0e23a90b2665533412245433

SHA1
993dc4014aca021fae3cf4f592fa618b4a949578

SHA256
0f38ff30becb973bfded313e8495bc22e069e951d09287d2a15aa93c95d56732

SHA512
8dbc3db9966dba8c19d21cd50c8e5ae7d955176a1b056df144b2c93263b9be2cd6b16b7a6d9bd5c03517e0f1bdb1aba6d0d16b8887ee5db4b0c812a33aba0a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e8841eacbfb369f1e06c71d0362dbbca

SHA1
4ee572c61b7534e97154fb610448699a2d52778b

SHA256
27d0655826f6a9a911e9fed98ee03b2bc6ba54f567d5423ea0a6cc1c694d7e93

SHA512
d02dbdacd9b71b8ac2aec29f6c2ed98a7622bab43623bbaea9d84c67c5f36672a72dfb5ad6e73535057be3b600b7010a4d45e1a4b43a3359d2b7472f5a0b6c67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
89d4309d0e23a90b2665533412245433

SHA1
993dc4014aca021fae3cf4f592fa618b4a949578

SHA256
0f38ff30becb973bfded313e8495bc22e069e951d09287d2a15aa93c95d56732

SHA512
8dbc3db9966dba8c19d21cd50c8e5ae7d955176a1b056df144b2c93263b9be2cd6b16b7a6d9bd5c03517e0f1bdb1aba6d0d16b8887ee5db4b0c812a33aba0a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
89d4309d0e23a90b2665533412245433

SHA1
993dc4014aca021fae3cf4f592fa618b4a949578

SHA256
0f38ff30becb973bfded313e8495bc22e069e951d09287d2a15aa93c95d56732

SHA512
8dbc3db9966dba8c19d21cd50c8e5ae7d955176a1b056df144b2c93263b9be2cd6b16b7a6d9bd5c03517e0f1bdb1aba6d0d16b8887ee5db4b0c812a33aba0a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
89d4309d0e23a90b2665533412245433

SHA1
993dc4014aca021fae3cf4f592fa618b4a949578

SHA256
0f38ff30becb973bfded313e8495bc22e069e951d09287d2a15aa93c95d56732

SHA512
8dbc3db9966dba8c19d21cd50c8e5ae7d955176a1b056df144b2c93263b9be2cd6b16b7a6d9bd5c03517e0f1bdb1aba6d0d16b8887ee5db4b0c812a33aba0a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e8841eacbfb369f1e06c71d0362dbbca

SHA1
4ee572c61b7534e97154fb610448699a2d52778b

SHA256
27d0655826f6a9a911e9fed98ee03b2bc6ba54f567d5423ea0a6cc1c694d7e93

SHA512
d02dbdacd9b71b8ac2aec29f6c2ed98a7622bab43623bbaea9d84c67c5f36672a72dfb5ad6e73535057be3b600b7010a4d45e1a4b43a3359d2b7472f5a0b6c67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
89d4309d0e23a90b2665533412245433

SHA1
993dc4014aca021fae3cf4f592fa618b4a949578

SHA256
0f38ff30becb973bfded313e8495bc22e069e951d09287d2a15aa93c95d56732

SHA512
8dbc3db9966dba8c19d21cd50c8e5ae7d955176a1b056df144b2c93263b9be2cd6b16b7a6d9bd5c03517e0f1bdb1aba6d0d16b8887ee5db4b0c812a33aba0a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e8841eacbfb369f1e06c71d0362dbbca

SHA1
4ee572c61b7534e97154fb610448699a2d52778b

SHA256
27d0655826f6a9a911e9fed98ee03b2bc6ba54f567d5423ea0a6cc1c694d7e93

SHA512
d02dbdacd9b71b8ac2aec29f6c2ed98a7622bab43623bbaea9d84c67c5f36672a72dfb5ad6e73535057be3b600b7010a4d45e1a4b43a3359d2b7472f5a0b6c67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
89d4309d0e23a90b2665533412245433

SHA1
993dc4014aca021fae3cf4f592fa618b4a949578

SHA256
0f38ff30becb973bfded313e8495bc22e069e951d09287d2a15aa93c95d56732

SHA512
8dbc3db9966dba8c19d21cd50c8e5ae7d955176a1b056df144b2c93263b9be2cd6b16b7a6d9bd5c03517e0f1bdb1aba6d0d16b8887ee5db4b0c812a33aba0a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
89d4309d0e23a90b2665533412245433

SHA1
993dc4014aca021fae3cf4f592fa618b4a949578

SHA256
0f38ff30becb973bfded313e8495bc22e069e951d09287d2a15aa93c95d56732

SHA512
8dbc3db9966dba8c19d21cd50c8e5ae7d955176a1b056df144b2c93263b9be2cd6b16b7a6d9bd5c03517e0f1bdb1aba6d0d16b8887ee5db4b0c812a33aba0a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e8841eacbfb369f1e06c71d0362dbbca

SHA1
4ee572c61b7534e97154fb610448699a2d52778b

SHA256
27d0655826f6a9a911e9fed98ee03b2bc6ba54f567d5423ea0a6cc1c694d7e93

SHA512
d02dbdacd9b71b8ac2aec29f6c2ed98a7622bab43623bbaea9d84c67c5f36672a72dfb5ad6e73535057be3b600b7010a4d45e1a4b43a3359d2b7472f5a0b6c67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e8841eacbfb369f1e06c71d0362dbbca

SHA1
4ee572c61b7534e97154fb610448699a2d52778b

SHA256
27d0655826f6a9a911e9fed98ee03b2bc6ba54f567d5423ea0a6cc1c694d7e93

SHA512
d02dbdacd9b71b8ac2aec29f6c2ed98a7622bab43623bbaea9d84c67c5f36672a72dfb5ad6e73535057be3b600b7010a4d45e1a4b43a3359d2b7472f5a0b6c67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
89d4309d0e23a90b2665533412245433

SHA1
993dc4014aca021fae3cf4f592fa618b4a949578

SHA256
0f38ff30becb973bfded313e8495bc22e069e951d09287d2a15aa93c95d56732

SHA512
8dbc3db9966dba8c19d21cd50c8e5ae7d955176a1b056df144b2c93263b9be2cd6b16b7a6d9bd5c03517e0f1bdb1aba6d0d16b8887ee5db4b0c812a33aba0a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e8841eacbfb369f1e06c71d0362dbbca

SHA1
4ee572c61b7534e97154fb610448699a2d52778b

SHA256
27d0655826f6a9a911e9fed98ee03b2bc6ba54f567d5423ea0a6cc1c694d7e93

SHA512
d02dbdacd9b71b8ac2aec29f6c2ed98a7622bab43623bbaea9d84c67c5f36672a72dfb5ad6e73535057be3b600b7010a4d45e1a4b43a3359d2b7472f5a0b6c67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
89d4309d0e23a90b2665533412245433

SHA1
993dc4014aca021fae3cf4f592fa618b4a949578

SHA256
0f38ff30becb973bfded313e8495bc22e069e951d09287d2a15aa93c95d56732

SHA512
8dbc3db9966dba8c19d21cd50c8e5ae7d955176a1b056df144b2c93263b9be2cd6b16b7a6d9bd5c03517e0f1bdb1aba6d0d16b8887ee5db4b0c812a33aba0a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
89d4309d0e23a90b2665533412245433

SHA1
993dc4014aca021fae3cf4f592fa618b4a949578

SHA256
0f38ff30becb973bfded313e8495bc22e069e951d09287d2a15aa93c95d56732

SHA512
8dbc3db9966dba8c19d21cd50c8e5ae7d955176a1b056df144b2c93263b9be2cd6b16b7a6d9bd5c03517e0f1bdb1aba6d0d16b8887ee5db4b0c812a33aba0a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
89d4309d0e23a90b2665533412245433

SHA1
993dc4014aca021fae3cf4f592fa618b4a949578

SHA256
0f38ff30becb973bfded313e8495bc22e069e951d09287d2a15aa93c95d56732

SHA512
8dbc3db9966dba8c19d21cd50c8e5ae7d955176a1b056df144b2c93263b9be2cd6b16b7a6d9bd5c03517e0f1bdb1aba6d0d16b8887ee5db4b0c812a33aba0a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e8841eacbfb369f1e06c71d0362dbbca

SHA1
4ee572c61b7534e97154fb610448699a2d52778b

SHA256
27d0655826f6a9a911e9fed98ee03b2bc6ba54f567d5423ea0a6cc1c694d7e93

SHA512
d02dbdacd9b71b8ac2aec29f6c2ed98a7622bab43623bbaea9d84c67c5f36672a72dfb5ad6e73535057be3b600b7010a4d45e1a4b43a3359d2b7472f5a0b6c67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e8841eacbfb369f1e06c71d0362dbbca

SHA1
4ee572c61b7534e97154fb610448699a2d52778b

SHA256
27d0655826f6a9a911e9fed98ee03b2bc6ba54f567d5423ea0a6cc1c694d7e93

SHA512
d02dbdacd9b71b8ac2aec29f6c2ed98a7622bab43623bbaea9d84c67c5f36672a72dfb5ad6e73535057be3b600b7010a4d45e1a4b43a3359d2b7472f5a0b6c67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
89d4309d0e23a90b2665533412245433

SHA1
993dc4014aca021fae3cf4f592fa618b4a949578

SHA256
0f38ff30becb973bfded313e8495bc22e069e951d09287d2a15aa93c95d56732

SHA512
8dbc3db9966dba8c19d21cd50c8e5ae7d955176a1b056df144b2c93263b9be2cd6b16b7a6d9bd5c03517e0f1bdb1aba6d0d16b8887ee5db4b0c812a33aba0a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e8841eacbfb369f1e06c71d0362dbbca

SHA1
4ee572c61b7534e97154fb610448699a2d52778b

SHA256
27d0655826f6a9a911e9fed98ee03b2bc6ba54f567d5423ea0a6cc1c694d7e93

SHA512
d02dbdacd9b71b8ac2aec29f6c2ed98a7622bab43623bbaea9d84c67c5f36672a72dfb5ad6e73535057be3b600b7010a4d45e1a4b43a3359d2b7472f5a0b6c67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
89d4309d0e23a90b2665533412245433

SHA1
993dc4014aca021fae3cf4f592fa618b4a949578

SHA256
0f38ff30becb973bfded313e8495bc22e069e951d09287d2a15aa93c95d56732

SHA512
8dbc3db9966dba8c19d21cd50c8e5ae7d955176a1b056df144b2c93263b9be2cd6b16b7a6d9bd5c03517e0f1bdb1aba6d0d16b8887ee5db4b0c812a33aba0a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
89d4309d0e23a90b2665533412245433

SHA1
993dc4014aca021fae3cf4f592fa618b4a949578

SHA256
0f38ff30becb973bfded313e8495bc22e069e951d09287d2a15aa93c95d56732

SHA512
8dbc3db9966dba8c19d21cd50c8e5ae7d955176a1b056df144b2c93263b9be2cd6b16b7a6d9bd5c03517e0f1bdb1aba6d0d16b8887ee5db4b0c812a33aba0a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
89d4309d0e23a90b2665533412245433

SHA1
993dc4014aca021fae3cf4f592fa618b4a949578

SHA256
0f38ff30becb973bfded313e8495bc22e069e951d09287d2a15aa93c95d56732

SHA512
8dbc3db9966dba8c19d21cd50c8e5ae7d955176a1b056df144b2c93263b9be2cd6b16b7a6d9bd5c03517e0f1bdb1aba6d0d16b8887ee5db4b0c812a33aba0a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e8841eacbfb369f1e06c71d0362dbbca

SHA1
4ee572c61b7534e97154fb610448699a2d52778b

SHA256
27d0655826f6a9a911e9fed98ee03b2bc6ba54f567d5423ea0a6cc1c694d7e93

SHA512
d02dbdacd9b71b8ac2aec29f6c2ed98a7622bab43623bbaea9d84c67c5f36672a72dfb5ad6e73535057be3b600b7010a4d45e1a4b43a3359d2b7472f5a0b6c67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
89d4309d0e23a90b2665533412245433

SHA1
993dc4014aca021fae3cf4f592fa618b4a949578

SHA256
0f38ff30becb973bfded313e8495bc22e069e951d09287d2a15aa93c95d56732

SHA512
8dbc3db9966dba8c19d21cd50c8e5ae7d955176a1b056df144b2c93263b9be2cd6b16b7a6d9bd5c03517e0f1bdb1aba6d0d16b8887ee5db4b0c812a33aba0a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
89d4309d0e23a90b2665533412245433

SHA1
993dc4014aca021fae3cf4f592fa618b4a949578

SHA256
0f38ff30becb973bfded313e8495bc22e069e951d09287d2a15aa93c95d56732

SHA512
8dbc3db9966dba8c19d21cd50c8e5ae7d955176a1b056df144b2c93263b9be2cd6b16b7a6d9bd5c03517e0f1bdb1aba6d0d16b8887ee5db4b0c812a33aba0a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e8841eacbfb369f1e06c71d0362dbbca

SHA1
4ee572c61b7534e97154fb610448699a2d52778b

SHA256
27d0655826f6a9a911e9fed98ee03b2bc6ba54f567d5423ea0a6cc1c694d7e93

SHA512
d02dbdacd9b71b8ac2aec29f6c2ed98a7622bab43623bbaea9d84c67c5f36672a72dfb5ad6e73535057be3b600b7010a4d45e1a4b43a3359d2b7472f5a0b6c67

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
18.5MB

MD5
4e1a2a65671385d78272bbdb098d861c

SHA1
0033f6e869010767c42b8d007f7d52649494c3e1

SHA256
f74855921cfe84931c51db83e1fef2c9936e907b34def413629f7e0316d57acc

SHA512
c23f1f37a7f886f08f57b084e8ac66ef3eda839c5814e90bd1676e0f5df6eaa95c3ae0687ee25bb786bf3d0ac5932b9dc9046f8ab65ad80c2667a230cdacb8a6

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
18.5MB

MD5
4e1a2a65671385d78272bbdb098d861c

SHA1
0033f6e869010767c42b8d007f7d52649494c3e1

SHA256
f74855921cfe84931c51db83e1fef2c9936e907b34def413629f7e0316d57acc

SHA512
c23f1f37a7f886f08f57b084e8ac66ef3eda839c5814e90bd1676e0f5df6eaa95c3ae0687ee25bb786bf3d0ac5932b9dc9046f8ab65ad80c2667a230cdacb8a6

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
18.5MB

MD5
4e1a2a65671385d78272bbdb098d861c

SHA1
0033f6e869010767c42b8d007f7d52649494c3e1

SHA256
f74855921cfe84931c51db83e1fef2c9936e907b34def413629f7e0316d57acc

SHA512
c23f1f37a7f886f08f57b084e8ac66ef3eda839c5814e90bd1676e0f5df6eaa95c3ae0687ee25bb786bf3d0ac5932b9dc9046f8ab65ad80c2667a230cdacb8a6

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
18.5MB

MD5
42a8075e5d341bcd1d20c7d3eadff950

SHA1
094fb48ecebd5ce3aef3d142d745c24182b171f5

SHA256
89286fede4f926ec8869703329899f4c17fdd7a812943d740d6077a5f2575daa

SHA512
782fb809754b030e52485ed62fddb26b1d875f622c22d620b4dcfeb542b36b17c545457e6aaa9be25e4d48dcb58000b6c0f1f7961297d76a8fbc3f1c22ffbb19

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
18.5MB

MD5
4e1a2a65671385d78272bbdb098d861c

SHA1
0033f6e869010767c42b8d007f7d52649494c3e1

SHA256
f74855921cfe84931c51db83e1fef2c9936e907b34def413629f7e0316d57acc

SHA512
c23f1f37a7f886f08f57b084e8ac66ef3eda839c5814e90bd1676e0f5df6eaa95c3ae0687ee25bb786bf3d0ac5932b9dc9046f8ab65ad80c2667a230cdacb8a6

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
18.5MB

MD5
4e1a2a65671385d78272bbdb098d861c

SHA1
0033f6e869010767c42b8d007f7d52649494c3e1

SHA256
f74855921cfe84931c51db83e1fef2c9936e907b34def413629f7e0316d57acc

SHA512
c23f1f37a7f886f08f57b084e8ac66ef3eda839c5814e90bd1676e0f5df6eaa95c3ae0687ee25bb786bf3d0ac5932b9dc9046f8ab65ad80c2667a230cdacb8a6

Download Submit
memory/1764-9-0x0000000002AD0000-0x0000000002B4B000-memory.dmp

Filesize
492KB

Download
memory/1764-68-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1764-73-0x0000000002AD0000-0x0000000002B4B000-memory.dmp

Filesize
492KB

Download
memory/1764-59-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1764-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1764-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2696-74-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2696-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2696-11-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads