38697b0beb28935a979b3569793cf8c8393e466935ef1f35c4c7f3eee8b00bda

Analysis

max time kernel
148s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
Size

7.8MB
MD5

20a25829cbdbfebe400aaf23afae6bb8
SHA1

652362c813b9433d0bf9b032d7af074ed2a2a9a3
SHA256

38697b0beb28935a979b3569793cf8c8393e466935ef1f35c4c7f3eee8b00bda
SHA512

1d3f1ff37de29a50d78b2289980dfc0b5a4407971af9edeee325fc0cf68f568b1d83e4ea1a6179177bfdb5e0797bf861c5ef956ddea6ac012fb4df4553469685
SSDEEP

98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzM4:9nwn3

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
2308	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
2464	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
2464	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\B:	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File opened (read-only)	\??\U:	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File opened (read-only)	\??\Y:	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\A:	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File opened (read-only)	\??\N:	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File opened (read-only)	\??\O:	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File opened (read-only)	\??\Q:	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File opened (read-only)	\??\Z:	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\H:	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File opened (read-only)	\??\S:	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\P:	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File opened (read-only)	\??\X:	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\E:	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File opened (read-only)	\??\K:	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File opened (read-only)	\??\L:	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File opened (read-only)	\??\R:	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File opened (read-only)	\??\T:	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File opened (read-only)	\??\W:	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\G:	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File opened (read-only)	\??\I:	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File opened (read-only)	\??\M:	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File opened (read-only)	\??\V:	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File opened for modification	C:\AUTORUN.INF	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2308	2464	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe	28
PID 2464 wrote to memory of 2308	2464	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe	28
PID 2464 wrote to memory of 2308	2464	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe	28
PID 2464 wrote to memory of 2308	2464	2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_20a25829cbdbfebe400aaf23afae6bb8_ryuk_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-86725733-3001458681-3405935542-1000\desktop.ini.exe

Filesize
7.8MB

MD5
4e91ec5868b0b5716b5a76bc9df4f1f3

SHA1
fa766fe4eb1647119bf91ab5897d75d06f8ac5fc

SHA256
c210348e892d516c63d740cb3f9b649e9e109aeb06d5baa55ff7f91c3746460c

SHA512
94c94618059d6662b78a3f7c7d926533cb9879c345811f280c9352257a6a1b3c92ca1f837fd5472af3bc2f8a53695cdcc6b142e5eedb31b1b928b69c3c8876c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
813139b9b6cb2987cd4a23e555dd848b

SHA1
4a8e46d3db3248d9b2027d2dd187af7156ac1f00

SHA256
6926089ce259d72fdcb92cbd8058e195113bcb0bd0901892cc275ff2ec4c8d76

SHA512
8d2aed8e5358911edf7f70d96fa2524be37e5593f5bc6432711b5efd8ba2bf29677d16571af7360495afb73546ada75e22e9b7cc1e0e99f9393e0fb5e28a3e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
813139b9b6cb2987cd4a23e555dd848b

SHA1
4a8e46d3db3248d9b2027d2dd187af7156ac1f00

SHA256
6926089ce259d72fdcb92cbd8058e195113bcb0bd0901892cc275ff2ec4c8d76

SHA512
8d2aed8e5358911edf7f70d96fa2524be37e5593f5bc6432711b5efd8ba2bf29677d16571af7360495afb73546ada75e22e9b7cc1e0e99f9393e0fb5e28a3e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
6fd05d72b766d39c527cdd1431046822

SHA1
c84dd4fa160c2477f199a79e4c1eb47fabd67475

SHA256
b35a741a7e0bc7c6bd29b02b3f8784502b600da15a0496c7baea8405e64b9e34

SHA512
6eaf222830f6cf41de39952549a6cfa3541f4b3def1848c93ad4fe7ca9143e2ed0b60f19feafcbe480f1085d20e17a40ee76cd5a800ec636dc1a269bb107114b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
813139b9b6cb2987cd4a23e555dd848b

SHA1
4a8e46d3db3248d9b2027d2dd187af7156ac1f00

SHA256
6926089ce259d72fdcb92cbd8058e195113bcb0bd0901892cc275ff2ec4c8d76

SHA512
8d2aed8e5358911edf7f70d96fa2524be37e5593f5bc6432711b5efd8ba2bf29677d16571af7360495afb73546ada75e22e9b7cc1e0e99f9393e0fb5e28a3e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
6fd05d72b766d39c527cdd1431046822

SHA1
c84dd4fa160c2477f199a79e4c1eb47fabd67475

SHA256
b35a741a7e0bc7c6bd29b02b3f8784502b600da15a0496c7baea8405e64b9e34

SHA512
6eaf222830f6cf41de39952549a6cfa3541f4b3def1848c93ad4fe7ca9143e2ed0b60f19feafcbe480f1085d20e17a40ee76cd5a800ec636dc1a269bb107114b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
813139b9b6cb2987cd4a23e555dd848b

SHA1
4a8e46d3db3248d9b2027d2dd187af7156ac1f00

SHA256
6926089ce259d72fdcb92cbd8058e195113bcb0bd0901892cc275ff2ec4c8d76

SHA512
8d2aed8e5358911edf7f70d96fa2524be37e5593f5bc6432711b5efd8ba2bf29677d16571af7360495afb73546ada75e22e9b7cc1e0e99f9393e0fb5e28a3e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
6fd05d72b766d39c527cdd1431046822

SHA1
c84dd4fa160c2477f199a79e4c1eb47fabd67475

SHA256
b35a741a7e0bc7c6bd29b02b3f8784502b600da15a0496c7baea8405e64b9e34

SHA512
6eaf222830f6cf41de39952549a6cfa3541f4b3def1848c93ad4fe7ca9143e2ed0b60f19feafcbe480f1085d20e17a40ee76cd5a800ec636dc1a269bb107114b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
6fd05d72b766d39c527cdd1431046822

SHA1
c84dd4fa160c2477f199a79e4c1eb47fabd67475

SHA256
b35a741a7e0bc7c6bd29b02b3f8784502b600da15a0496c7baea8405e64b9e34

SHA512
6eaf222830f6cf41de39952549a6cfa3541f4b3def1848c93ad4fe7ca9143e2ed0b60f19feafcbe480f1085d20e17a40ee76cd5a800ec636dc1a269bb107114b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
813139b9b6cb2987cd4a23e555dd848b

SHA1
4a8e46d3db3248d9b2027d2dd187af7156ac1f00

SHA256
6926089ce259d72fdcb92cbd8058e195113bcb0bd0901892cc275ff2ec4c8d76

SHA512
8d2aed8e5358911edf7f70d96fa2524be37e5593f5bc6432711b5efd8ba2bf29677d16571af7360495afb73546ada75e22e9b7cc1e0e99f9393e0fb5e28a3e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
813139b9b6cb2987cd4a23e555dd848b

SHA1
4a8e46d3db3248d9b2027d2dd187af7156ac1f00

SHA256
6926089ce259d72fdcb92cbd8058e195113bcb0bd0901892cc275ff2ec4c8d76

SHA512
8d2aed8e5358911edf7f70d96fa2524be37e5593f5bc6432711b5efd8ba2bf29677d16571af7360495afb73546ada75e22e9b7cc1e0e99f9393e0fb5e28a3e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
6fd05d72b766d39c527cdd1431046822

SHA1
c84dd4fa160c2477f199a79e4c1eb47fabd67475

SHA256
b35a741a7e0bc7c6bd29b02b3f8784502b600da15a0496c7baea8405e64b9e34

SHA512
6eaf222830f6cf41de39952549a6cfa3541f4b3def1848c93ad4fe7ca9143e2ed0b60f19feafcbe480f1085d20e17a40ee76cd5a800ec636dc1a269bb107114b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
813139b9b6cb2987cd4a23e555dd848b

SHA1
4a8e46d3db3248d9b2027d2dd187af7156ac1f00

SHA256
6926089ce259d72fdcb92cbd8058e195113bcb0bd0901892cc275ff2ec4c8d76

SHA512
8d2aed8e5358911edf7f70d96fa2524be37e5593f5bc6432711b5efd8ba2bf29677d16571af7360495afb73546ada75e22e9b7cc1e0e99f9393e0fb5e28a3e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
6fd05d72b766d39c527cdd1431046822

SHA1
c84dd4fa160c2477f199a79e4c1eb47fabd67475

SHA256
b35a741a7e0bc7c6bd29b02b3f8784502b600da15a0496c7baea8405e64b9e34

SHA512
6eaf222830f6cf41de39952549a6cfa3541f4b3def1848c93ad4fe7ca9143e2ed0b60f19feafcbe480f1085d20e17a40ee76cd5a800ec636dc1a269bb107114b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
813139b9b6cb2987cd4a23e555dd848b

SHA1
4a8e46d3db3248d9b2027d2dd187af7156ac1f00

SHA256
6926089ce259d72fdcb92cbd8058e195113bcb0bd0901892cc275ff2ec4c8d76

SHA512
8d2aed8e5358911edf7f70d96fa2524be37e5593f5bc6432711b5efd8ba2bf29677d16571af7360495afb73546ada75e22e9b7cc1e0e99f9393e0fb5e28a3e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
6fd05d72b766d39c527cdd1431046822

SHA1
c84dd4fa160c2477f199a79e4c1eb47fabd67475

SHA256
b35a741a7e0bc7c6bd29b02b3f8784502b600da15a0496c7baea8405e64b9e34

SHA512
6eaf222830f6cf41de39952549a6cfa3541f4b3def1848c93ad4fe7ca9143e2ed0b60f19feafcbe480f1085d20e17a40ee76cd5a800ec636dc1a269bb107114b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
813139b9b6cb2987cd4a23e555dd848b

SHA1
4a8e46d3db3248d9b2027d2dd187af7156ac1f00

SHA256
6926089ce259d72fdcb92cbd8058e195113bcb0bd0901892cc275ff2ec4c8d76

SHA512
8d2aed8e5358911edf7f70d96fa2524be37e5593f5bc6432711b5efd8ba2bf29677d16571af7360495afb73546ada75e22e9b7cc1e0e99f9393e0fb5e28a3e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
6fd05d72b766d39c527cdd1431046822

SHA1
c84dd4fa160c2477f199a79e4c1eb47fabd67475

SHA256
b35a741a7e0bc7c6bd29b02b3f8784502b600da15a0496c7baea8405e64b9e34

SHA512
6eaf222830f6cf41de39952549a6cfa3541f4b3def1848c93ad4fe7ca9143e2ed0b60f19feafcbe480f1085d20e17a40ee76cd5a800ec636dc1a269bb107114b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
813139b9b6cb2987cd4a23e555dd848b

SHA1
4a8e46d3db3248d9b2027d2dd187af7156ac1f00

SHA256
6926089ce259d72fdcb92cbd8058e195113bcb0bd0901892cc275ff2ec4c8d76

SHA512
8d2aed8e5358911edf7f70d96fa2524be37e5593f5bc6432711b5efd8ba2bf29677d16571af7360495afb73546ada75e22e9b7cc1e0e99f9393e0fb5e28a3e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
6fd05d72b766d39c527cdd1431046822

SHA1
c84dd4fa160c2477f199a79e4c1eb47fabd67475

SHA256
b35a741a7e0bc7c6bd29b02b3f8784502b600da15a0496c7baea8405e64b9e34

SHA512
6eaf222830f6cf41de39952549a6cfa3541f4b3def1848c93ad4fe7ca9143e2ed0b60f19feafcbe480f1085d20e17a40ee76cd5a800ec636dc1a269bb107114b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
813139b9b6cb2987cd4a23e555dd848b

SHA1
4a8e46d3db3248d9b2027d2dd187af7156ac1f00

SHA256
6926089ce259d72fdcb92cbd8058e195113bcb0bd0901892cc275ff2ec4c8d76

SHA512
8d2aed8e5358911edf7f70d96fa2524be37e5593f5bc6432711b5efd8ba2bf29677d16571af7360495afb73546ada75e22e9b7cc1e0e99f9393e0fb5e28a3e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
6fd05d72b766d39c527cdd1431046822

SHA1
c84dd4fa160c2477f199a79e4c1eb47fabd67475

SHA256
b35a741a7e0bc7c6bd29b02b3f8784502b600da15a0496c7baea8405e64b9e34

SHA512
6eaf222830f6cf41de39952549a6cfa3541f4b3def1848c93ad4fe7ca9143e2ed0b60f19feafcbe480f1085d20e17a40ee76cd5a800ec636dc1a269bb107114b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
813139b9b6cb2987cd4a23e555dd848b

SHA1
4a8e46d3db3248d9b2027d2dd187af7156ac1f00

SHA256
6926089ce259d72fdcb92cbd8058e195113bcb0bd0901892cc275ff2ec4c8d76

SHA512
8d2aed8e5358911edf7f70d96fa2524be37e5593f5bc6432711b5efd8ba2bf29677d16571af7360495afb73546ada75e22e9b7cc1e0e99f9393e0fb5e28a3e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
6fd05d72b766d39c527cdd1431046822

SHA1
c84dd4fa160c2477f199a79e4c1eb47fabd67475

SHA256
b35a741a7e0bc7c6bd29b02b3f8784502b600da15a0496c7baea8405e64b9e34

SHA512
6eaf222830f6cf41de39952549a6cfa3541f4b3def1848c93ad4fe7ca9143e2ed0b60f19feafcbe480f1085d20e17a40ee76cd5a800ec636dc1a269bb107114b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
813139b9b6cb2987cd4a23e555dd848b

SHA1
4a8e46d3db3248d9b2027d2dd187af7156ac1f00

SHA256
6926089ce259d72fdcb92cbd8058e195113bcb0bd0901892cc275ff2ec4c8d76

SHA512
8d2aed8e5358911edf7f70d96fa2524be37e5593f5bc6432711b5efd8ba2bf29677d16571af7360495afb73546ada75e22e9b7cc1e0e99f9393e0fb5e28a3e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
6fd05d72b766d39c527cdd1431046822

SHA1
c84dd4fa160c2477f199a79e4c1eb47fabd67475

SHA256
b35a741a7e0bc7c6bd29b02b3f8784502b600da15a0496c7baea8405e64b9e34

SHA512
6eaf222830f6cf41de39952549a6cfa3541f4b3def1848c93ad4fe7ca9143e2ed0b60f19feafcbe480f1085d20e17a40ee76cd5a800ec636dc1a269bb107114b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
6fd05d72b766d39c527cdd1431046822

SHA1
c84dd4fa160c2477f199a79e4c1eb47fabd67475

SHA256
b35a741a7e0bc7c6bd29b02b3f8784502b600da15a0496c7baea8405e64b9e34

SHA512
6eaf222830f6cf41de39952549a6cfa3541f4b3def1848c93ad4fe7ca9143e2ed0b60f19feafcbe480f1085d20e17a40ee76cd5a800ec636dc1a269bb107114b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
6fd05d72b766d39c527cdd1431046822

SHA1
c84dd4fa160c2477f199a79e4c1eb47fabd67475

SHA256
b35a741a7e0bc7c6bd29b02b3f8784502b600da15a0496c7baea8405e64b9e34

SHA512
6eaf222830f6cf41de39952549a6cfa3541f4b3def1848c93ad4fe7ca9143e2ed0b60f19feafcbe480f1085d20e17a40ee76cd5a800ec636dc1a269bb107114b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
813139b9b6cb2987cd4a23e555dd848b

SHA1
4a8e46d3db3248d9b2027d2dd187af7156ac1f00

SHA256
6926089ce259d72fdcb92cbd8058e195113bcb0bd0901892cc275ff2ec4c8d76

SHA512
8d2aed8e5358911edf7f70d96fa2524be37e5593f5bc6432711b5efd8ba2bf29677d16571af7360495afb73546ada75e22e9b7cc1e0e99f9393e0fb5e28a3e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
6fd05d72b766d39c527cdd1431046822

SHA1
c84dd4fa160c2477f199a79e4c1eb47fabd67475

SHA256
b35a741a7e0bc7c6bd29b02b3f8784502b600da15a0496c7baea8405e64b9e34

SHA512
6eaf222830f6cf41de39952549a6cfa3541f4b3def1848c93ad4fe7ca9143e2ed0b60f19feafcbe480f1085d20e17a40ee76cd5a800ec636dc1a269bb107114b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
813139b9b6cb2987cd4a23e555dd848b

SHA1
4a8e46d3db3248d9b2027d2dd187af7156ac1f00

SHA256
6926089ce259d72fdcb92cbd8058e195113bcb0bd0901892cc275ff2ec4c8d76

SHA512
8d2aed8e5358911edf7f70d96fa2524be37e5593f5bc6432711b5efd8ba2bf29677d16571af7360495afb73546ada75e22e9b7cc1e0e99f9393e0fb5e28a3e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
813139b9b6cb2987cd4a23e555dd848b

SHA1
4a8e46d3db3248d9b2027d2dd187af7156ac1f00

SHA256
6926089ce259d72fdcb92cbd8058e195113bcb0bd0901892cc275ff2ec4c8d76

SHA512
8d2aed8e5358911edf7f70d96fa2524be37e5593f5bc6432711b5efd8ba2bf29677d16571af7360495afb73546ada75e22e9b7cc1e0e99f9393e0fb5e28a3e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
6fd05d72b766d39c527cdd1431046822

SHA1
c84dd4fa160c2477f199a79e4c1eb47fabd67475

SHA256
b35a741a7e0bc7c6bd29b02b3f8784502b600da15a0496c7baea8405e64b9e34

SHA512
6eaf222830f6cf41de39952549a6cfa3541f4b3def1848c93ad4fe7ca9143e2ed0b60f19feafcbe480f1085d20e17a40ee76cd5a800ec636dc1a269bb107114b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
6fd05d72b766d39c527cdd1431046822

SHA1
c84dd4fa160c2477f199a79e4c1eb47fabd67475

SHA256
b35a741a7e0bc7c6bd29b02b3f8784502b600da15a0496c7baea8405e64b9e34

SHA512
6eaf222830f6cf41de39952549a6cfa3541f4b3def1848c93ad4fe7ca9143e2ed0b60f19feafcbe480f1085d20e17a40ee76cd5a800ec636dc1a269bb107114b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
6fd05d72b766d39c527cdd1431046822

SHA1
c84dd4fa160c2477f199a79e4c1eb47fabd67475

SHA256
b35a741a7e0bc7c6bd29b02b3f8784502b600da15a0496c7baea8405e64b9e34

SHA512
6eaf222830f6cf41de39952549a6cfa3541f4b3def1848c93ad4fe7ca9143e2ed0b60f19feafcbe480f1085d20e17a40ee76cd5a800ec636dc1a269bb107114b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
813139b9b6cb2987cd4a23e555dd848b

SHA1
4a8e46d3db3248d9b2027d2dd187af7156ac1f00

SHA256
6926089ce259d72fdcb92cbd8058e195113bcb0bd0901892cc275ff2ec4c8d76

SHA512
8d2aed8e5358911edf7f70d96fa2524be37e5593f5bc6432711b5efd8ba2bf29677d16571af7360495afb73546ada75e22e9b7cc1e0e99f9393e0fb5e28a3e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
813139b9b6cb2987cd4a23e555dd848b

SHA1
4a8e46d3db3248d9b2027d2dd187af7156ac1f00

SHA256
6926089ce259d72fdcb92cbd8058e195113bcb0bd0901892cc275ff2ec4c8d76

SHA512
8d2aed8e5358911edf7f70d96fa2524be37e5593f5bc6432711b5efd8ba2bf29677d16571af7360495afb73546ada75e22e9b7cc1e0e99f9393e0fb5e28a3e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
6fd05d72b766d39c527cdd1431046822

SHA1
c84dd4fa160c2477f199a79e4c1eb47fabd67475

SHA256
b35a741a7e0bc7c6bd29b02b3f8784502b600da15a0496c7baea8405e64b9e34

SHA512
6eaf222830f6cf41de39952549a6cfa3541f4b3def1848c93ad4fe7ca9143e2ed0b60f19feafcbe480f1085d20e17a40ee76cd5a800ec636dc1a269bb107114b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
813139b9b6cb2987cd4a23e555dd848b

SHA1
4a8e46d3db3248d9b2027d2dd187af7156ac1f00

SHA256
6926089ce259d72fdcb92cbd8058e195113bcb0bd0901892cc275ff2ec4c8d76

SHA512
8d2aed8e5358911edf7f70d96fa2524be37e5593f5bc6432711b5efd8ba2bf29677d16571af7360495afb73546ada75e22e9b7cc1e0e99f9393e0fb5e28a3e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
6fd05d72b766d39c527cdd1431046822

SHA1
c84dd4fa160c2477f199a79e4c1eb47fabd67475

SHA256
b35a741a7e0bc7c6bd29b02b3f8784502b600da15a0496c7baea8405e64b9e34

SHA512
6eaf222830f6cf41de39952549a6cfa3541f4b3def1848c93ad4fe7ca9143e2ed0b60f19feafcbe480f1085d20e17a40ee76cd5a800ec636dc1a269bb107114b

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
7.8MB

MD5
c0d6d0cf9694c797ca45206cdce9fa71

SHA1
d6f4778388a332cc320fe30dc49e04da98deaabf

SHA256
24d9f055419b7e1e8d0a164908fabc07ad65f992854da55b5ce3e77476673cb6

SHA512
63143b4147936cf286716a3a03966ac9c29470ea13151612171b9d46cdcc3c6acc2b0e388d2a62923535f467b0a12c0686b0e68985af9524990e1d489a994ec5

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
7.8MB

MD5
c0d6d0cf9694c797ca45206cdce9fa71

SHA1
d6f4778388a332cc320fe30dc49e04da98deaabf

SHA256
24d9f055419b7e1e8d0a164908fabc07ad65f992854da55b5ce3e77476673cb6

SHA512
63143b4147936cf286716a3a03966ac9c29470ea13151612171b9d46cdcc3c6acc2b0e388d2a62923535f467b0a12c0686b0e68985af9524990e1d489a994ec5

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
7.8MB

MD5
c0d6d0cf9694c797ca45206cdce9fa71

SHA1
d6f4778388a332cc320fe30dc49e04da98deaabf

SHA256
24d9f055419b7e1e8d0a164908fabc07ad65f992854da55b5ce3e77476673cb6

SHA512
63143b4147936cf286716a3a03966ac9c29470ea13151612171b9d46cdcc3c6acc2b0e388d2a62923535f467b0a12c0686b0e68985af9524990e1d489a994ec5

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
7.8MB

MD5
20a25829cbdbfebe400aaf23afae6bb8

SHA1
652362c813b9433d0bf9b032d7af074ed2a2a9a3

SHA256
38697b0beb28935a979b3569793cf8c8393e466935ef1f35c4c7f3eee8b00bda

SHA512
1d3f1ff37de29a50d78b2289980dfc0b5a4407971af9edeee325fc0cf68f568b1d83e4ea1a6179177bfdb5e0797bf861c5ef956ddea6ac012fb4df4553469685

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
7.8MB

MD5
c0d6d0cf9694c797ca45206cdce9fa71

SHA1
d6f4778388a332cc320fe30dc49e04da98deaabf

SHA256
24d9f055419b7e1e8d0a164908fabc07ad65f992854da55b5ce3e77476673cb6

SHA512
63143b4147936cf286716a3a03966ac9c29470ea13151612171b9d46cdcc3c6acc2b0e388d2a62923535f467b0a12c0686b0e68985af9524990e1d489a994ec5

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
7.8MB

MD5
c0d6d0cf9694c797ca45206cdce9fa71

SHA1
d6f4778388a332cc320fe30dc49e04da98deaabf

SHA256
24d9f055419b7e1e8d0a164908fabc07ad65f992854da55b5ce3e77476673cb6

SHA512
63143b4147936cf286716a3a03966ac9c29470ea13151612171b9d46cdcc3c6acc2b0e388d2a62923535f467b0a12c0686b0e68985af9524990e1d489a994ec5

Download Submit
memory/2308-11-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2308-75-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2308-78-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2464-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2464-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2464-4-0x0000000000480000-0x00000000004FB000-memory.dmp

Filesize
492KB

Download
memory/2464-64-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2464-71-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2464-72-0x0000000000480000-0x00000000004FB000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads