5e509250c7d25d15ec435a89bb59dd8847a2300539ac1a7b5de405ea16474945

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
31-10-2023 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
Size

20.9MB
MD5

d9fe02c1a8336d3c565b042db1a9a494
SHA1

f2253793d91c6e75e9a26d395de49d93217b4ef2
SHA256

5e509250c7d25d15ec435a89bb59dd8847a2300539ac1a7b5de405ea16474945
SHA512

5e53a9f1a2b71eec4e2061628e245777c1d79835f8226b1c1edc7c15a4139cfba8099a924457577646ea29919d52babe7fda8d48db853daf39581caf45aea6c1
SSDEEP

98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMW:9nwngnwnBRX

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
2224	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
2944	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
2944	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
File opened (read-only)	\??\S:	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\I:	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
File opened (read-only)	\??\L:	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\E:	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
File opened (read-only)	\??\Z:	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
File opened (read-only)	\??\O:	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
File opened (read-only)	\??\R:	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
File opened (read-only)	\??\X:	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\G:	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
File opened (read-only)	\??\H:	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\V:	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\M:	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
File opened (read-only)	\??\W:	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
File opened (read-only)	\??\Y:	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\J:	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
File opened (read-only)	\??\P:	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
File opened (read-only)	\??\U:	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\B:	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
File opened (read-only)	\??\T:	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
File opened (read-only)	\??\N:	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\A:	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
File opened (read-only)	\??\K:	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
File opened for modification	C:\AUTORUN.INF	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2224	2944	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe	28
PID 2944 wrote to memory of 2224	2944	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe	28
PID 2944 wrote to memory of 2224	2944	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe	28
PID 2944 wrote to memory of 2224	2944	NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS2023-09-05_d9fe02c1a8336d3c565b042db1a9a494_ryukexe_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1861898231-3446828954-4278112889-1000\desktop.ini.exe

Filesize
20.9MB

MD5
6e1564dc42959702814024390fc7fd23

SHA1
e5c64cc7c452fa13d24415ba086863570726fb1c

SHA256
ad64dcb3a774138e1d422e1a973da2d2bcf50a09ca2098e8e0acb88bdbf06252

SHA512
53e403eed64bfadefd2723b41fdfc7ef826823b383b7a4b6b41bf916a0e6113ed375d2483ecf63358edc0deb26fea907f68a3823fdcae3026a9edbacfdd26857

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
981c2f3c64119b5ce08da9237dbffc43

SHA1
436831576780779885d76e579ae04b08a83f7c6a

SHA256
37a6745a0dcbf9dc7f432e5988d86d2d454e55f7cb6fc7b0aa9ed81cdf689f86

SHA512
faac779f764b4c6c7fc44c08d68864c3803bbf8765a168a101f6aedc4a6e32f0eba4c2989e11c2174a87ea94f2ce3873029c5812b86940988ea99c7e3a9b34f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
a285ca55157fa8593c96e48a7b1e9142

SHA1
a650910746c1865042a18841041e9895037e26f4

SHA256
d90ea7a1fa2a5527759ba12a544eb851efb670c1076bb7d384b7ee804457b843

SHA512
caa57aa057d25acc4ab86354c1b67d6048df2f0808517cf1572bda2e66703a843029fae6533dd252e4829b40848c60b22c012befe530cfdcce51b495a154ee43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
981c2f3c64119b5ce08da9237dbffc43

SHA1
436831576780779885d76e579ae04b08a83f7c6a

SHA256
37a6745a0dcbf9dc7f432e5988d86d2d454e55f7cb6fc7b0aa9ed81cdf689f86

SHA512
faac779f764b4c6c7fc44c08d68864c3803bbf8765a168a101f6aedc4a6e32f0eba4c2989e11c2174a87ea94f2ce3873029c5812b86940988ea99c7e3a9b34f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
a285ca55157fa8593c96e48a7b1e9142

SHA1
a650910746c1865042a18841041e9895037e26f4

SHA256
d90ea7a1fa2a5527759ba12a544eb851efb670c1076bb7d384b7ee804457b843

SHA512
caa57aa057d25acc4ab86354c1b67d6048df2f0808517cf1572bda2e66703a843029fae6533dd252e4829b40848c60b22c012befe530cfdcce51b495a154ee43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
981c2f3c64119b5ce08da9237dbffc43

SHA1
436831576780779885d76e579ae04b08a83f7c6a

SHA256
37a6745a0dcbf9dc7f432e5988d86d2d454e55f7cb6fc7b0aa9ed81cdf689f86

SHA512
faac779f764b4c6c7fc44c08d68864c3803bbf8765a168a101f6aedc4a6e32f0eba4c2989e11c2174a87ea94f2ce3873029c5812b86940988ea99c7e3a9b34f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
981c2f3c64119b5ce08da9237dbffc43

SHA1
436831576780779885d76e579ae04b08a83f7c6a

SHA256
37a6745a0dcbf9dc7f432e5988d86d2d454e55f7cb6fc7b0aa9ed81cdf689f86

SHA512
faac779f764b4c6c7fc44c08d68864c3803bbf8765a168a101f6aedc4a6e32f0eba4c2989e11c2174a87ea94f2ce3873029c5812b86940988ea99c7e3a9b34f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
a285ca55157fa8593c96e48a7b1e9142

SHA1
a650910746c1865042a18841041e9895037e26f4

SHA256
d90ea7a1fa2a5527759ba12a544eb851efb670c1076bb7d384b7ee804457b843

SHA512
caa57aa057d25acc4ab86354c1b67d6048df2f0808517cf1572bda2e66703a843029fae6533dd252e4829b40848c60b22c012befe530cfdcce51b495a154ee43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
981c2f3c64119b5ce08da9237dbffc43

SHA1
436831576780779885d76e579ae04b08a83f7c6a

SHA256
37a6745a0dcbf9dc7f432e5988d86d2d454e55f7cb6fc7b0aa9ed81cdf689f86

SHA512
faac779f764b4c6c7fc44c08d68864c3803bbf8765a168a101f6aedc4a6e32f0eba4c2989e11c2174a87ea94f2ce3873029c5812b86940988ea99c7e3a9b34f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
a285ca55157fa8593c96e48a7b1e9142

SHA1
a650910746c1865042a18841041e9895037e26f4

SHA256
d90ea7a1fa2a5527759ba12a544eb851efb670c1076bb7d384b7ee804457b843

SHA512
caa57aa057d25acc4ab86354c1b67d6048df2f0808517cf1572bda2e66703a843029fae6533dd252e4829b40848c60b22c012befe530cfdcce51b495a154ee43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
981c2f3c64119b5ce08da9237dbffc43

SHA1
436831576780779885d76e579ae04b08a83f7c6a

SHA256
37a6745a0dcbf9dc7f432e5988d86d2d454e55f7cb6fc7b0aa9ed81cdf689f86

SHA512
faac779f764b4c6c7fc44c08d68864c3803bbf8765a168a101f6aedc4a6e32f0eba4c2989e11c2174a87ea94f2ce3873029c5812b86940988ea99c7e3a9b34f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
a285ca55157fa8593c96e48a7b1e9142

SHA1
a650910746c1865042a18841041e9895037e26f4

SHA256
d90ea7a1fa2a5527759ba12a544eb851efb670c1076bb7d384b7ee804457b843

SHA512
caa57aa057d25acc4ab86354c1b67d6048df2f0808517cf1572bda2e66703a843029fae6533dd252e4829b40848c60b22c012befe530cfdcce51b495a154ee43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
981c2f3c64119b5ce08da9237dbffc43

SHA1
436831576780779885d76e579ae04b08a83f7c6a

SHA256
37a6745a0dcbf9dc7f432e5988d86d2d454e55f7cb6fc7b0aa9ed81cdf689f86

SHA512
faac779f764b4c6c7fc44c08d68864c3803bbf8765a168a101f6aedc4a6e32f0eba4c2989e11c2174a87ea94f2ce3873029c5812b86940988ea99c7e3a9b34f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
981c2f3c64119b5ce08da9237dbffc43

SHA1
436831576780779885d76e579ae04b08a83f7c6a

SHA256
37a6745a0dcbf9dc7f432e5988d86d2d454e55f7cb6fc7b0aa9ed81cdf689f86

SHA512
faac779f764b4c6c7fc44c08d68864c3803bbf8765a168a101f6aedc4a6e32f0eba4c2989e11c2174a87ea94f2ce3873029c5812b86940988ea99c7e3a9b34f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
a285ca55157fa8593c96e48a7b1e9142

SHA1
a650910746c1865042a18841041e9895037e26f4

SHA256
d90ea7a1fa2a5527759ba12a544eb851efb670c1076bb7d384b7ee804457b843

SHA512
caa57aa057d25acc4ab86354c1b67d6048df2f0808517cf1572bda2e66703a843029fae6533dd252e4829b40848c60b22c012befe530cfdcce51b495a154ee43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
981c2f3c64119b5ce08da9237dbffc43

SHA1
436831576780779885d76e579ae04b08a83f7c6a

SHA256
37a6745a0dcbf9dc7f432e5988d86d2d454e55f7cb6fc7b0aa9ed81cdf689f86

SHA512
faac779f764b4c6c7fc44c08d68864c3803bbf8765a168a101f6aedc4a6e32f0eba4c2989e11c2174a87ea94f2ce3873029c5812b86940988ea99c7e3a9b34f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
a285ca55157fa8593c96e48a7b1e9142

SHA1
a650910746c1865042a18841041e9895037e26f4

SHA256
d90ea7a1fa2a5527759ba12a544eb851efb670c1076bb7d384b7ee804457b843

SHA512
caa57aa057d25acc4ab86354c1b67d6048df2f0808517cf1572bda2e66703a843029fae6533dd252e4829b40848c60b22c012befe530cfdcce51b495a154ee43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
981c2f3c64119b5ce08da9237dbffc43

SHA1
436831576780779885d76e579ae04b08a83f7c6a

SHA256
37a6745a0dcbf9dc7f432e5988d86d2d454e55f7cb6fc7b0aa9ed81cdf689f86

SHA512
faac779f764b4c6c7fc44c08d68864c3803bbf8765a168a101f6aedc4a6e32f0eba4c2989e11c2174a87ea94f2ce3873029c5812b86940988ea99c7e3a9b34f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
981c2f3c64119b5ce08da9237dbffc43

SHA1
436831576780779885d76e579ae04b08a83f7c6a

SHA256
37a6745a0dcbf9dc7f432e5988d86d2d454e55f7cb6fc7b0aa9ed81cdf689f86

SHA512
faac779f764b4c6c7fc44c08d68864c3803bbf8765a168a101f6aedc4a6e32f0eba4c2989e11c2174a87ea94f2ce3873029c5812b86940988ea99c7e3a9b34f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
a285ca55157fa8593c96e48a7b1e9142

SHA1
a650910746c1865042a18841041e9895037e26f4

SHA256
d90ea7a1fa2a5527759ba12a544eb851efb670c1076bb7d384b7ee804457b843

SHA512
caa57aa057d25acc4ab86354c1b67d6048df2f0808517cf1572bda2e66703a843029fae6533dd252e4829b40848c60b22c012befe530cfdcce51b495a154ee43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
981c2f3c64119b5ce08da9237dbffc43

SHA1
436831576780779885d76e579ae04b08a83f7c6a

SHA256
37a6745a0dcbf9dc7f432e5988d86d2d454e55f7cb6fc7b0aa9ed81cdf689f86

SHA512
faac779f764b4c6c7fc44c08d68864c3803bbf8765a168a101f6aedc4a6e32f0eba4c2989e11c2174a87ea94f2ce3873029c5812b86940988ea99c7e3a9b34f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
981c2f3c64119b5ce08da9237dbffc43

SHA1
436831576780779885d76e579ae04b08a83f7c6a

SHA256
37a6745a0dcbf9dc7f432e5988d86d2d454e55f7cb6fc7b0aa9ed81cdf689f86

SHA512
faac779f764b4c6c7fc44c08d68864c3803bbf8765a168a101f6aedc4a6e32f0eba4c2989e11c2174a87ea94f2ce3873029c5812b86940988ea99c7e3a9b34f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
981c2f3c64119b5ce08da9237dbffc43

SHA1
436831576780779885d76e579ae04b08a83f7c6a

SHA256
37a6745a0dcbf9dc7f432e5988d86d2d454e55f7cb6fc7b0aa9ed81cdf689f86

SHA512
faac779f764b4c6c7fc44c08d68864c3803bbf8765a168a101f6aedc4a6e32f0eba4c2989e11c2174a87ea94f2ce3873029c5812b86940988ea99c7e3a9b34f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
981c2f3c64119b5ce08da9237dbffc43

SHA1
436831576780779885d76e579ae04b08a83f7c6a

SHA256
37a6745a0dcbf9dc7f432e5988d86d2d454e55f7cb6fc7b0aa9ed81cdf689f86

SHA512
faac779f764b4c6c7fc44c08d68864c3803bbf8765a168a101f6aedc4a6e32f0eba4c2989e11c2174a87ea94f2ce3873029c5812b86940988ea99c7e3a9b34f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
981c2f3c64119b5ce08da9237dbffc43

SHA1
436831576780779885d76e579ae04b08a83f7c6a

SHA256
37a6745a0dcbf9dc7f432e5988d86d2d454e55f7cb6fc7b0aa9ed81cdf689f86

SHA512
faac779f764b4c6c7fc44c08d68864c3803bbf8765a168a101f6aedc4a6e32f0eba4c2989e11c2174a87ea94f2ce3873029c5812b86940988ea99c7e3a9b34f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
a285ca55157fa8593c96e48a7b1e9142

SHA1
a650910746c1865042a18841041e9895037e26f4

SHA256
d90ea7a1fa2a5527759ba12a544eb851efb670c1076bb7d384b7ee804457b843

SHA512
caa57aa057d25acc4ab86354c1b67d6048df2f0808517cf1572bda2e66703a843029fae6533dd252e4829b40848c60b22c012befe530cfdcce51b495a154ee43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
981c2f3c64119b5ce08da9237dbffc43

SHA1
436831576780779885d76e579ae04b08a83f7c6a

SHA256
37a6745a0dcbf9dc7f432e5988d86d2d454e55f7cb6fc7b0aa9ed81cdf689f86

SHA512
faac779f764b4c6c7fc44c08d68864c3803bbf8765a168a101f6aedc4a6e32f0eba4c2989e11c2174a87ea94f2ce3873029c5812b86940988ea99c7e3a9b34f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
a285ca55157fa8593c96e48a7b1e9142

SHA1
a650910746c1865042a18841041e9895037e26f4

SHA256
d90ea7a1fa2a5527759ba12a544eb851efb670c1076bb7d384b7ee804457b843

SHA512
caa57aa057d25acc4ab86354c1b67d6048df2f0808517cf1572bda2e66703a843029fae6533dd252e4829b40848c60b22c012befe530cfdcce51b495a154ee43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
981c2f3c64119b5ce08da9237dbffc43

SHA1
436831576780779885d76e579ae04b08a83f7c6a

SHA256
37a6745a0dcbf9dc7f432e5988d86d2d454e55f7cb6fc7b0aa9ed81cdf689f86

SHA512
faac779f764b4c6c7fc44c08d68864c3803bbf8765a168a101f6aedc4a6e32f0eba4c2989e11c2174a87ea94f2ce3873029c5812b86940988ea99c7e3a9b34f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
a285ca55157fa8593c96e48a7b1e9142

SHA1
a650910746c1865042a18841041e9895037e26f4

SHA256
d90ea7a1fa2a5527759ba12a544eb851efb670c1076bb7d384b7ee804457b843

SHA512
caa57aa057d25acc4ab86354c1b67d6048df2f0808517cf1572bda2e66703a843029fae6533dd252e4829b40848c60b22c012befe530cfdcce51b495a154ee43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
981c2f3c64119b5ce08da9237dbffc43

SHA1
436831576780779885d76e579ae04b08a83f7c6a

SHA256
37a6745a0dcbf9dc7f432e5988d86d2d454e55f7cb6fc7b0aa9ed81cdf689f86

SHA512
faac779f764b4c6c7fc44c08d68864c3803bbf8765a168a101f6aedc4a6e32f0eba4c2989e11c2174a87ea94f2ce3873029c5812b86940988ea99c7e3a9b34f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
a285ca55157fa8593c96e48a7b1e9142

SHA1
a650910746c1865042a18841041e9895037e26f4

SHA256
d90ea7a1fa2a5527759ba12a544eb851efb670c1076bb7d384b7ee804457b843

SHA512
caa57aa057d25acc4ab86354c1b67d6048df2f0808517cf1572bda2e66703a843029fae6533dd252e4829b40848c60b22c012befe530cfdcce51b495a154ee43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
a285ca55157fa8593c96e48a7b1e9142

SHA1
a650910746c1865042a18841041e9895037e26f4

SHA256
d90ea7a1fa2a5527759ba12a544eb851efb670c1076bb7d384b7ee804457b843

SHA512
caa57aa057d25acc4ab86354c1b67d6048df2f0808517cf1572bda2e66703a843029fae6533dd252e4829b40848c60b22c012befe530cfdcce51b495a154ee43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
981c2f3c64119b5ce08da9237dbffc43

SHA1
436831576780779885d76e579ae04b08a83f7c6a

SHA256
37a6745a0dcbf9dc7f432e5988d86d2d454e55f7cb6fc7b0aa9ed81cdf689f86

SHA512
faac779f764b4c6c7fc44c08d68864c3803bbf8765a168a101f6aedc4a6e32f0eba4c2989e11c2174a87ea94f2ce3873029c5812b86940988ea99c7e3a9b34f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
a285ca55157fa8593c96e48a7b1e9142

SHA1
a650910746c1865042a18841041e9895037e26f4

SHA256
d90ea7a1fa2a5527759ba12a544eb851efb670c1076bb7d384b7ee804457b843

SHA512
caa57aa057d25acc4ab86354c1b67d6048df2f0808517cf1572bda2e66703a843029fae6533dd252e4829b40848c60b22c012befe530cfdcce51b495a154ee43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
981c2f3c64119b5ce08da9237dbffc43

SHA1
436831576780779885d76e579ae04b08a83f7c6a

SHA256
37a6745a0dcbf9dc7f432e5988d86d2d454e55f7cb6fc7b0aa9ed81cdf689f86

SHA512
faac779f764b4c6c7fc44c08d68864c3803bbf8765a168a101f6aedc4a6e32f0eba4c2989e11c2174a87ea94f2ce3873029c5812b86940988ea99c7e3a9b34f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
981c2f3c64119b5ce08da9237dbffc43

SHA1
436831576780779885d76e579ae04b08a83f7c6a

SHA256
37a6745a0dcbf9dc7f432e5988d86d2d454e55f7cb6fc7b0aa9ed81cdf689f86

SHA512
faac779f764b4c6c7fc44c08d68864c3803bbf8765a168a101f6aedc4a6e32f0eba4c2989e11c2174a87ea94f2ce3873029c5812b86940988ea99c7e3a9b34f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
a285ca55157fa8593c96e48a7b1e9142

SHA1
a650910746c1865042a18841041e9895037e26f4

SHA256
d90ea7a1fa2a5527759ba12a544eb851efb670c1076bb7d384b7ee804457b843

SHA512
caa57aa057d25acc4ab86354c1b67d6048df2f0808517cf1572bda2e66703a843029fae6533dd252e4829b40848c60b22c012befe530cfdcce51b495a154ee43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
981c2f3c64119b5ce08da9237dbffc43

SHA1
436831576780779885d76e579ae04b08a83f7c6a

SHA256
37a6745a0dcbf9dc7f432e5988d86d2d454e55f7cb6fc7b0aa9ed81cdf689f86

SHA512
faac779f764b4c6c7fc44c08d68864c3803bbf8765a168a101f6aedc4a6e32f0eba4c2989e11c2174a87ea94f2ce3873029c5812b86940988ea99c7e3a9b34f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
a285ca55157fa8593c96e48a7b1e9142

SHA1
a650910746c1865042a18841041e9895037e26f4

SHA256
d90ea7a1fa2a5527759ba12a544eb851efb670c1076bb7d384b7ee804457b843

SHA512
caa57aa057d25acc4ab86354c1b67d6048df2f0808517cf1572bda2e66703a843029fae6533dd252e4829b40848c60b22c012befe530cfdcce51b495a154ee43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
981c2f3c64119b5ce08da9237dbffc43

SHA1
436831576780779885d76e579ae04b08a83f7c6a

SHA256
37a6745a0dcbf9dc7f432e5988d86d2d454e55f7cb6fc7b0aa9ed81cdf689f86

SHA512
faac779f764b4c6c7fc44c08d68864c3803bbf8765a168a101f6aedc4a6e32f0eba4c2989e11c2174a87ea94f2ce3873029c5812b86940988ea99c7e3a9b34f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
a285ca55157fa8593c96e48a7b1e9142

SHA1
a650910746c1865042a18841041e9895037e26f4

SHA256
d90ea7a1fa2a5527759ba12a544eb851efb670c1076bb7d384b7ee804457b843

SHA512
caa57aa057d25acc4ab86354c1b67d6048df2f0808517cf1572bda2e66703a843029fae6533dd252e4829b40848c60b22c012befe530cfdcce51b495a154ee43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
981c2f3c64119b5ce08da9237dbffc43

SHA1
436831576780779885d76e579ae04b08a83f7c6a

SHA256
37a6745a0dcbf9dc7f432e5988d86d2d454e55f7cb6fc7b0aa9ed81cdf689f86

SHA512
faac779f764b4c6c7fc44c08d68864c3803bbf8765a168a101f6aedc4a6e32f0eba4c2989e11c2174a87ea94f2ce3873029c5812b86940988ea99c7e3a9b34f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
a285ca55157fa8593c96e48a7b1e9142

SHA1
a650910746c1865042a18841041e9895037e26f4

SHA256
d90ea7a1fa2a5527759ba12a544eb851efb670c1076bb7d384b7ee804457b843

SHA512
caa57aa057d25acc4ab86354c1b67d6048df2f0808517cf1572bda2e66703a843029fae6533dd252e4829b40848c60b22c012befe530cfdcce51b495a154ee43

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
20.9MB

MD5
e046ebf4f2b918bed6f698a1f6158cf9

SHA1
acfdb23443938d527792ea6330f199b278cddb6a

SHA256
32baaedd6d5ebe0ffd03492339710e77cf521befb816dd8defa9547539c2d8b4

SHA512
3a37d2e3a42aa56a39e9a5979085def7b28b13c1d3de51acbe5765f4231957d6361eda152c330e3654dc7c0a6853283f6f721bb53495145df6e0a199fd772ee6

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
20.9MB

MD5
e046ebf4f2b918bed6f698a1f6158cf9

SHA1
acfdb23443938d527792ea6330f199b278cddb6a

SHA256
32baaedd6d5ebe0ffd03492339710e77cf521befb816dd8defa9547539c2d8b4

SHA512
3a37d2e3a42aa56a39e9a5979085def7b28b13c1d3de51acbe5765f4231957d6361eda152c330e3654dc7c0a6853283f6f721bb53495145df6e0a199fd772ee6

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
20.9MB

MD5
e046ebf4f2b918bed6f698a1f6158cf9

SHA1
acfdb23443938d527792ea6330f199b278cddb6a

SHA256
32baaedd6d5ebe0ffd03492339710e77cf521befb816dd8defa9547539c2d8b4

SHA512
3a37d2e3a42aa56a39e9a5979085def7b28b13c1d3de51acbe5765f4231957d6361eda152c330e3654dc7c0a6853283f6f721bb53495145df6e0a199fd772ee6

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
20.9MB

MD5
d9fe02c1a8336d3c565b042db1a9a494

SHA1
f2253793d91c6e75e9a26d395de49d93217b4ef2

SHA256
5e509250c7d25d15ec435a89bb59dd8847a2300539ac1a7b5de405ea16474945

SHA512
5e53a9f1a2b71eec4e2061628e245777c1d79835f8226b1c1edc7c15a4139cfba8099a924457577646ea29919d52babe7fda8d48db853daf39581caf45aea6c1

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
20.9MB

MD5
e046ebf4f2b918bed6f698a1f6158cf9

SHA1
acfdb23443938d527792ea6330f199b278cddb6a

SHA256
32baaedd6d5ebe0ffd03492339710e77cf521befb816dd8defa9547539c2d8b4

SHA512
3a37d2e3a42aa56a39e9a5979085def7b28b13c1d3de51acbe5765f4231957d6361eda152c330e3654dc7c0a6853283f6f721bb53495145df6e0a199fd772ee6

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
20.9MB

MD5
e046ebf4f2b918bed6f698a1f6158cf9

SHA1
acfdb23443938d527792ea6330f199b278cddb6a

SHA256
32baaedd6d5ebe0ffd03492339710e77cf521befb816dd8defa9547539c2d8b4

SHA512
3a37d2e3a42aa56a39e9a5979085def7b28b13c1d3de51acbe5765f4231957d6361eda152c330e3654dc7c0a6853283f6f721bb53495145df6e0a199fd772ee6

Download Submit
memory/2224-13-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2224-75-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2224-11-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2944-14-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2944-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2944-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2944-4-0x0000000001E60000-0x0000000001EDB000-memory.dmp

Filesize
492KB

Download
memory/2944-74-0x0000000001E60000-0x0000000001EDB000-memory.dmp

Filesize
492KB

Download
memory/2944-61-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads