6bf1f0b9fe08c7c207447f44c20b63487b06029aa65810469459410f2eda7425

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2023 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
Size

2.9MB
MD5

dc931ee5128cf9f7e26394fe51bad3b5
SHA1

3296dff96d57d44ed3c63664f585ce19d3719e54
SHA256

6bf1f0b9fe08c7c207447f44c20b63487b06029aa65810469459410f2eda7425
SHA512

eb10963da6ffd18494108cf51ce7371117613abca66c9bf07a34b1b99cd429ebc35fe384f19b203433bfb0a7d0a213e7acc32a3a2d518f092e02b528512e4820
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCR:eEtl9mRda12sX7hKB8NIyXbacAfC

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
4656	HelpMe.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File opened (read-only)	\??\P:	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File opened (read-only)	\??\U:	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\Q:	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\A:	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File opened (read-only)	\??\Y:	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\L:	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File opened (read-only)	\??\N:	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File opened (read-only)	\??\O:	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File opened (read-only)	\??\R:	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\G:	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File opened (read-only)	\??\S:	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File opened (read-only)	\??\Z:	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\B:	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File opened (read-only)	\??\F:	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File opened (read-only)	\??\J:	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File opened (read-only)	\??\T:	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File opened (read-only)	\??\X:	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\E:	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File opened (read-only)	\??\H:	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File opened (read-only)	\??\I:	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File opened (read-only)	\??\K:	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File opened (read-only)	\??\W:	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\V:	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ppd.xrm-ms.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\DocumentFormat.OpenXml.dll.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Storage.XmlSerializers.dll.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONLNTCOMLIB.DLL.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightRegular.ttf.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\msipc.dll.mui.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\msipc.dll.mui.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICBI.TTF.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\PREVIEW.GIF.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-phn.xrm-ms.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-oob.xrm-ms.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-ms.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8ES.DLL.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoCanary.png.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-ms.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-pl.xrm-ms.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ul-oob.xrm-ms.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\TEMPSITC.TTF.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\MSADDNDR.OLB.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Office16\wordvisi.ttf.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.properties.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ppd.xrm-ms.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Grace-ul-oob.xrm-ms.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msotdaddin.dll.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity.png.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1CACH.LEX.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ul-oob.xrm-ms.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-pl.xrm-ms.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.Tools.Applications.Runtime.dll.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\redshift.ini.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BSSYM7.TTF.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ja_5.5.0.165303.jar.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Retrospect.thmx.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\STRTEDGE.INF.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-sendopts.jar.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.ja_5.5.0.165303.jar.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-io.jar.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-pl.xrm-ms.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-pl.xrm-ms.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-core-kit.jar.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\OMICAUTINTL.DLL.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_fr.dub.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\PREVIEW.GIF.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\vreg\proof.en-us.msi.16.en-us.vreg.dat.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_fr.jar.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-ms.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ppd.xrm-ms.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-180.png.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.di.extensions_0.12.0.v20140417-2033.jar.exe	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 4656	1632	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe	85
PID 1632 wrote to memory of 4656	1632	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe	85
PID 1632 wrote to memory of 4656	1632	2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe	85

C:\Users\Admin\AppData\Local\Temp\2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-22_dc931ee5128cf9f7e26394fe51bad3b5_ryuk.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:4656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\desktop.ini.exe

Filesize
2.9MB

MD5
1eb3b2918b638b28ebe91e5617932295

SHA1
759f3cfdecb556fc1194159e6e5f6e3a74179ddd

SHA256
da58cb82db7d3f55b3f91c89303db36123a69a2b9c9dabc0df061ba8c5fc9ec8

SHA512
62d2b2e4510fcd19ea03219d7b3ac4e78fa0f5d68366a3999f6414fc7cfe30ef3f4b94c826a119f8d99ef297ee78a8a002043ba7f19bbcb67d16ddce7dffff8a

Download Submit
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\desktop.ini.exe

Filesize
2.9MB

MD5
1eb3b2918b638b28ebe91e5617932295

SHA1
759f3cfdecb556fc1194159e6e5f6e3a74179ddd

SHA256
da58cb82db7d3f55b3f91c89303db36123a69a2b9c9dabc0df061ba8c5fc9ec8

SHA512
62d2b2e4510fcd19ea03219d7b3ac4e78fa0f5d68366a3999f6414fc7cfe30ef3f4b94c826a119f8d99ef297ee78a8a002043ba7f19bbcb67d16ddce7dffff8a

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AutoRun.exe

Filesize
2.9MB

MD5
dc931ee5128cf9f7e26394fe51bad3b5

SHA1
3296dff96d57d44ed3c63664f585ce19d3719e54

SHA256
6bf1f0b9fe08c7c207447f44c20b63487b06029aa65810469459410f2eda7425

SHA512
eb10963da6ffd18494108cf51ce7371117613abca66c9bf07a34b1b99cd429ebc35fe384f19b203433bfb0a7d0a213e7acc32a3a2d518f092e02b528512e4820

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7ffd2d2495612e8862a57dd271757caa

SHA1
81c9b62fd2a7623915b24a0fe61f311ea4ee3fce

SHA256
11c4dd31b1bb79352cc43e1fe05bb2140d3cefda3bf829c2dd97820f694e2b56

SHA512
86fd11bc267ac22d71f50daaa321c35520d2db9c4671d0d83af1f0cdf1528a8b1f50e138bb2432005a0d0740a8cb8873872629b5277e87b8f2a177f0d170baa9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
be53da35e9d9618448ce5bb626a60f49

SHA1
f89cbf76fcbf04ca3091938ea05dc334d1fac862

SHA256
71a0e61c5ec618dbb03db38319784e5624e8760b1d1a5572c7a6b239a0f1c833

SHA512
94a8d99af1eed985e977f3c34fa45fb0ae45fae93a097cdde67df969ff3d697c3b9dab097589c2381da9f1a5b0f969d3e27f4ede177ed97d1a6954a966c83ed5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
3b0a3b15a8751a040330d8dc6cbd4809

SHA1
f0c9aedfe4fc1cfbc70e63ff6f08f56b7952b47a

SHA256
f07b3a3a1bb8a5f7d4255d00ee7d0f72c57366ae18134de6f10973135d5e74b0

SHA512
a7c38ee64fe18fdbb44041d67528db6216d6e2f3000fd2b28dc5926e0e8ee70b7b8c4f37bda3d8adc268ace8370d768ca1de99a2410284986345f4c52c38abba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1cf7f25f5133304691ac5740cf726865

SHA1
378816f0b831f879c5edb83d735f92618a5217a7

SHA256
043d48617a5bafbaf4f7d6797ee0570c9be6bb43149d00858b80a7775ea78ebe

SHA512
2e5e5a4cd79883347b3e7433fecaa47091b2a6129ebd5f0dec2ade0615403281e2ac7a7ff54f43cff2871ffc7fd18ce10253dc564ea5ab881829359c8f744d9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
6c0ea1fd276369dabc380763ac5a2d25

SHA1
b6e27c638b068c9a2b7b1d9a0fa9caeefcb89bbe

SHA256
a0286df1534602f533d3c60b5d319d408fcec5228ac2c19445a27eb374574cb2

SHA512
37ca66afefa788759316fc4d93a01fc274a56206b57585a7c3e5725759a77287678ab9bcab535690ade7616e7860b7ccb9d472e05343473d3bdd7ec2897a65b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
96d32dc6605482876149ad5eb76438b0

SHA1
9326cf9ed466616b637633ce90a0e7ba38860dbe

SHA256
c5b59202a662c1a5a8106ecdf91f47364d42c6e887c525098d8a16fabe9baebc

SHA512
d2b88251ec0c3522a2e535804b9c72f5be1081e42ed9193fc17ab401606f5e36199dc069163272fe7eec13585771c3db614db2074929253d042e1b2e029fcb6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
49fababa0a6528938f21fe00c7204e74

SHA1
614b19de3f7df29cd674e7eaac6510df28f5ebc7

SHA256
9123f04f472c0d5692f5b043ac1f746c8e51c7bb24b8ece53bd5b60e85575b3d

SHA512
15dcc055558b3dbd48783137d4e9d60af03d310d06876b6eb921b077220f62743d56962c5cb83c24d94cf2365b160a1852ae14c6610960f4fd61ca5ccc369907

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
24c7e4b5db220c7e39ee1412d2aeae7e

SHA1
9b7dc804d01ce4c668e289d482b82f475043b9f4

SHA256
e5c2f5237315e9a399ef4cf58bb69b892a544f4e92ea406f6fe62fb5345881eb

SHA512
57d2aea5dc02b00c1cb6f7041c0e703a91ad860a45e3b01c31329e9c5810b77763a8525b5659370c0ac3157373a28a99171b52b610e7cb4fa963cb6e41435b76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
cefdf64e8c6245fc38ec65b0b53323f9

SHA1
d1ce937a6d588f9a201b01d85953d9446fe58a86

SHA256
e49fa52f87dd86a22b60754cd7b6836c07dc7fc05340bd71487db1d8b3e78e78

SHA512
e0c8c7f5d97469aaf105d9dc70c15e673a7c127619bcb88ffb0a76a4e7925f060fa972d7d6e4ffbc71b10cac9ca55411e67507bafd562d682c7fe781a1015057

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
0fc2ba4b63240e04b983ec5cc0776c1c

SHA1
4e18172eda1d21f553bb8a6e08afc85577d07d25

SHA256
a542cc2ab32e6cb2959b3d408cff5b86bf800282fc6a58604b94ecf69d27bca3

SHA512
4a85b86a2779b24131d203a09c0a79e1c03199ee86aca44e77ca07ef7a9cb4a586f2349dc971055d2c996b74fe5d7bc1c7b941848159e1bce6349b4148af6727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
deed4742ef45574161e890290badb928

SHA1
5639e27144b8823104f32850f9894f70bb38015d

SHA256
261ab5b654d8c62d01f2c50aafb44b8d0f025a610e222bfb1b5ca7b320cc5f64

SHA512
fdc2d04c63aceb9bf9ba68a43d5019d58257a737cd1dde31b414cc5852afa91be44b82279d00cb3e8d13100ece8f8feba73a5a32df83d7811d32b59a1c0bf50a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
90161c862aff53e7d4968a0bb4ac7cb6

SHA1
9e23f5ead73209d641bfa938e9e0a63fe153ec6f

SHA256
4e9aba1295fa2a3f777adb7dfc242692f3f50d4de00f301fdf0f3efadec0b494

SHA512
2fa4f4ac88066722af787b78e465440c52579ddcd3107dd9ed209d8066318a0c6b2473c7e489a16f1c231657f934680115d0a582a79d6262e08a3138d2f2c680

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
39540ced91dcb52203807d7c5087f2e6

SHA1
8d3728c2d203b55e13ebe44654c69ac1eee26e95

SHA256
50330da3f334bd718f548829a5418528a18301d2ceae6d84573e8d7b86784d0e

SHA512
98bbef8c64b54e2cc234dabc2acfb889c30e8d07d85726f3bc4309fc6ea0ac856ccae7c45065fe82b108a4775229dd5d4157df03f7add9eaba0ac0dfff2ea026

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
aadb2e8b6112979922d9afca9e4362d0

SHA1
487596efdef81111e82fe7d484b081125a351db1

SHA256
a383bda86dcbf45b042d64deb60c923ca2c679b9326a5eff1f592eba729dfcd7

SHA512
e7a6cc8e6f1d3cf9910589f76e6b042ea29b90142145d7f6e5a20f7c8be9290e28dae7fc29e995b0bfc09cb604bb1316e9ec2ff45726210b295f95a61b957649

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4e5f16216255ca32e5729df61324f724

SHA1
f11eb6338ea61673d23f7f68d43db0f977e0bacb

SHA256
8702183a5d43ea071595ac423c46ed3d08a8a1a053c7dd73612e4721190631ff

SHA512
6c48acd22a11373745a66b4408f7ab3896e871c078d5b9542233a36888a3aea1022f26dfa6c1234dc7f80d7fe23e2fbc1b40b4c3d8740589fd1c1e08726e72b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
df7821a74030e1918733e9f269a8e6fb

SHA1
b428091f48605c9c5ce58127c7d95c9cfe4f79b1

SHA256
07b6b6c1d0f3f810446e9eb9f9c48b8440ba91fbaaf3f85a7ba5d677b7b499c1

SHA512
27df8015c85cc0401aff4224e360df355372a64e40b71f8e1dee3456feebbc2d9c9c7a97372a2399ef087ef6c692e144a995794cd7622a6ec495c41cd4f2f68f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
828ab8fd8d2a53dc22b48e60ebb09d98

SHA1
6e973cbb5bdd66a20382cee3cf47366cac62279f

SHA256
5bef702fba41759751fbdbdb1ff0fc3c074f6ed096403037f453f01e1215e3cf

SHA512
6bed4b18351c1c42475fff46316915170a88d7a949acc13de061f000bc813a7cccb8647aac7be58258f9f6146c489cef43d3bf5d66c9bf98da2ff90880351232

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
415bc767754b99cab6a1d719c0fb1276

SHA1
e48360dd4796ea0f6d94c05bc0ee3bebabe6be6e

SHA256
5bf0cb2c38e864108e550bc971127fc50baf691d5782d781000bde54e7aebb7c

SHA512
0683eec5a59d175fc616c961627c15a9ab8b9b115191900ed1a274d6c5ddb5d960d734fdab692c1b4a32d113364cc388304b3846832e80ed31d652348ee6fe1d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f5d59f41cb4ebe29b8ff59094133548d

SHA1
0b90eafb89c97bb6fa912843622ef7e7045cb808

SHA256
5bf148e8596ef6092094068a594250dfddd4ed50cadf5808bd454250c2a46d69

SHA512
150e4e02daf1eb61f934c6c28734f2830908019d5b77ed24eb05abaa7ae104bb8381ae3bfa32d33ae78b1c0aa730efb7ceab7f388803ae5c84ca1da65e3d494f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
63ced3e28501f3c8718fa4b3ce4e2655

SHA1
cab148139234013a68933ef7bbbb6b09b440d6f5

SHA256
fd3a452b6d4bb32b916cab0de872b30331ea30c98ad45544c6b1dae8ee779d8c

SHA512
a9a7eaf4680585fb992e819bac42b0a82e36722599206e868933877703169dc28dfb1c6f2626c818efba1e8f362a20f965c992184ac1ef6cc5d373297d60ea1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
2df911abb380cc1016ba982baa4f9044

SHA1
176ebed7ffe660a5d47f34ca5bf4fd47d09b80af

SHA256
5c26a6e13395cd779f0f9a1a3636122471a1b9f4d0a8094f26a5d1d4c7937d13

SHA512
60a4cbbe61f07bac7a9ad0ea24e33f5d0da6f232506392b2aa2172410f3c20871cd3ce5f295d0a7e03df2d9dbf04ea6e757b27b110dc3de6ada22f6e4de2dbfa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d19c860725459c448af6b1d7f5544ef3

SHA1
ee8c125099e7a989f9f98280dfd6644a8c158784

SHA256
e94614e186fb809d2ee5359d21bb13cfdaeb5fee48ca5bbe380787450654a177

SHA512
0d2303fad7b92d49470ce2cc4bcc393240e0a922935e98ab439fb3a4c10c7fc7f6961d4726af24ba455e003f422e7f91ead694194073a47ebc7e50f73dd1d077

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
9cf85c169ee5525f961a4b351c782975

SHA1
3a1ea0e2c7eebb748a927973ff49f7023187d57c

SHA256
4253ac78ea83d0f3436e891f3220c01c31d7f561fda06de8ce70719a398e903b

SHA512
309f7abdbf5d1f9750485296dae50d496507015b852d9718cd3b92d9baa127d032fccd09d2f4bb8d883854d5e01003d0079537f3cae01d4f27801ed14b46cb54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ad987693cbb262f0f8f8bbc613afc902

SHA1
5bee8febd99cbdbeb336e2cbc22c075c47654adb

SHA256
8c4c85abb34859fbbd90978863cd459ff71835d83f9e93d0e596773350d3d6e7

SHA512
c9d6df233e3f3ad665c5b003d4ce19d5bfa72db5d76dd160e7a8712b548c5489789483523287a62625c30af05c72e7586aa1098c8de7bac9d24762d846499642

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
63e2c9ba80d34d7a167844480fca5937

SHA1
6b9efda3023c38b0ca19561271cfcab004116bec

SHA256
c38a3b660de9a992acdf7a028004900026a1f4788ee25f0804527b2ed59340c1

SHA512
bc7c931bcd984312795c55fca91f0a4dcff8c9afb27a85bb36af4fc43c00d27d1ac24d3923ac4b47770878c319f6a35a79018a2b03cfae8e008a2515eaf1ebd8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1f4bd30dbad7af66f39377315ad67be7

SHA1
7a9ba134be920529743b30e4a026a2f76834aa6d

SHA256
8d900b4e6c4b2ed4147d77c4b2b7da8fe2abab767934811c55901beee36ac6b5

SHA512
283e5035b30028ff66505cd29329ab092b50e12c04e2ef38e5a4982f2a8f35f903d4e2d0b738f7836e5c5e4cede30adbef4e402ba94d8c4c5047bfda346dbd36

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
47cc9c96d2a8db221423f718c8b068f1

SHA1
c8de5c469720e58ce75c70343a163248f889dbd5

SHA256
6bd236491614a204a0e93771a7b7e627d4b0236d48d1be57a84574cf8ea5544b

SHA512
800c4b6345a81529e648d4a472dad878ed5d9c738c64dea03c94ab7d0fe137b407763c252be294ae0d673151465fceade43d5e80d9fdec66448cdbfa94c98f7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b6b706ce16888d77fb19578812d92148

SHA1
08bb7aad9d7349eef600c2d9c15304487818dc99

SHA256
efbe14fb17738f637765d8290399658c6417dbab0c9921cdcacf113b7a96865b

SHA512
b394aea9fd7ae1e5e89e44d819338c98f0ad65f9be2de281ede9b8b94ab1354c4ba33187f42b1abb2d54ceebe04c3fb0a67a6b9cf5a484bfd825e67559afe5e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
30d05100ceeccf6fee536952318159c8

SHA1
12163cfafbe329e07bdcb4254bf5d37696589a65

SHA256
8928f4d3db57133e38699d9c4e0ee88ac1f4133ba5f83271d578056df1b04f3e

SHA512
783488af8c91c3cd8659b012bd64f68c552512423e151eb5c8d681f0dac1ffde653fc147cf5f03e7ec68e085bd432fb410e3671ecb36b8eaea59ba85ea621237

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
61fb700fcf8ec50adf545e7f1f76691b

SHA1
2ddfc869b543095ea6058992fd3e79c08113acd8

SHA256
4e8d484f4c93dfa027bd2009d38b4e122611c3ccd4e1c1f509d4680448d0b71f

SHA512
02b8a2f0c18be66d05b726753557db168a9c67d294d3ccfc504ef89eb6713bc503e198d8755841632cb6f1c096b8dc303cafc7d145357a3f6dd53b686d75c644

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
707da46c423ee8ad813e3babc697b258

SHA1
5e9d4e7f116e9bdf753e3f0206fda9f7e9d14b56

SHA256
4048fe0c5431230f612928d4f1ce3ece3253fce0901ba68948cd9dbca1130fd6

SHA512
9d64f9ebb0e63bcca135eef49601462aed380a3e0a1330a168a88bd776c7b5e3e0dff858265f3160177dd10e0e196135d108b4a8e24173cd5a76126ed71c3d16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
96aff5beab07e445fd74ed25f67b9d98

SHA1
9dd430c3595e367c835c2ed22899befd05550a99

SHA256
3ab74b0e77aedb2e8a9c7653f388e410dc555b5669e87b613cd0e250b733d12f

SHA512
81e1fc8e51285bd4228434210b8370c67ab53d0db02060cf331268b6c0467493ed09392da431d673efc5465dd26f83b5685d0e6e06bf36c1e04b14a1ebc7d716

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
59a8fa05bb05b94e79533642514156f6

SHA1
3c5435be44d99c487076dc7ddf73e424731f24a9

SHA256
31ef71efb298fa3b43f036005adb84a4593589d45868c9512439770666a12244

SHA512
2088124d89a5347e4f81e92440ec3437dd797c646eaefe41f80b7c083df1429c8375e759fd2e0698034c2271333468cc3be01160333d5b17c0963fdf4fb2e5ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
4d45fdfead14f2f89a2fe3dd5d12eac8

SHA1
e219b78875954553e90dd2b1f83afdd30ea8571a

SHA256
340f676bf483f33ffa764bf09a160465ef620d7ec98ef70e55d42256e1399dab

SHA512
90e3ee1cbc794dd8093914cfb23ef710ae6e87f5536fb8af969107b6e3d3552cb19e3ca88748df9be2855fa56b0768d7534eade6d6ed1172fe9af1d6895f4cf5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
93b26d5c43042ee1753ea2609acdbed7

SHA1
81a98f41b2815ca60756bfb0aa967689a69c3600

SHA256
7a86bd76f357d93f65c7a3145f7ca1c8578aa85517c889c5eaab38ffd2ee2c3f

SHA512
5014c31c48e56f952ac091bfb74924a1e0e53cdd9a904becafc529009e064473f89694490574278ae4b11bfa9b8f1832d7102f8ee4e8b9b980cb40db9d09f526

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
7062a7aa1258b34af7793f102d24353f

SHA1
cb4a3e7c6807cd69c7dd9ac6288a01689b2ee748

SHA256
f6cad6d2ae83b95bd0e450d3308c57b5fde56551ad279627362371a4d18e5971

SHA512
dc1163a4669fa4602862a04615204edf90d9e5fb5b5a7c4488d40a5fafdafc37ed02f493136b2c5957f542ea5268fabcfa9ac85654e8cab41196c8bc471dcfff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
56065e9cf456012a4b15bc16db3569d9

SHA1
1f5f24ab5ac957cff3588764e757239ff9229038

SHA256
ee453f96f7a330c538a064a54e0ae34868baa19f946095050160182338dc5666

SHA512
12e635a5c3cadc7729a844532cc0f905083ce80d80eff8271ba4c0e960a1f1132ebf81f5caae776994764dcfcc930da186e798e9fd67c82fb804d52ef0b9403e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
6cc752b5460289566955bc2998ef3e73

SHA1
0c3bd20ea9c6b5f6227cd6be6ad934725d69c00c

SHA256
acdf5420dff32f1beb595b3e754d3a1161e4a4d8c3c5b05cdd7c32c5d7b49045

SHA512
0fd790b0ea75d558827b364c39049987cafe6fa24c6dec0ac91b4d428ac38d0905d53a7cd101183738b9f6c843e8c9c9a1510630493b365e01a695460288e6d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
cbe5c628db638b2da848d39b84e73506

SHA1
e65b3b459a20aeab89f3a5e612b642c20af3c8ac

SHA256
245f44a451005a573c993df08ccd95623abef35a39b0f6ba790a5722ee628636

SHA512
c1209c8dae31112378770ba8cdbef499f57596d6666347f0dc7ccbe741cc7c7a8d59fb5e2b4043507731d2464f283d1ef8fba4b62747d1a5362d9732f18f519b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
79631e6a5c5f26e303fdfe8d111cb693

SHA1
44230d11c031af2ad41143edd65600a2f1a3629a

SHA256
61f517ed6e26b5e66d6d8ca0936860bfef2e136a575295967b9bff70c4bde137

SHA512
08149dd718d0e817f211525c6777157716c7055e7efc2ad6f003a8b06be1b8cc18ad675453eddbb42f41797334aa2a236df8506550f4b960a2db6c0adae259cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
856055c9621109b97f83574e5dc58f5f

SHA1
f0f70143337535dc8e86b803cecfa649d889f316

SHA256
565002e6911042df8fc1cddf9088f97bf4aaff91a14ab8b61e3acc2edd5762be

SHA512
c9d09c20f019691397f188d4c703ae7b028576aa2b2296c0279e053eba4d5e77b9a6fc378e1b92906f9e640c50ea816fb62272ae01758a503a24b40e03dba6cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
38888127e8df03bf7c4b98def6276671

SHA1
cbd42a199faec0d76be5d08eede679c920641920

SHA256
be1ff337f1d370143fcf825c8f980a7705f7317016ff7aba6162934bd7a209a0

SHA512
a60e337fd30c481a1ec38f64c23993de0dc4d6bcd20081c427aeaee0fe5cae2f361a1cbd86acd09af4b3ed1048600d6fa4a91bf8e5dcafd6f16459384584f4fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
757de22d00397e5b3b0c398fa3bcd8f9

SHA1
4891e4b5c0b201bb75db97fded55236ebd6a01d2

SHA256
dfee400bff6699c0daed11395cae6f5693834c4a8aa8c518750049ec24cd37c0

SHA512
9d2201c8d99e82188c0093532428a9c9fc713f07a06a0ea1fb15a3185118fa48875a9546d8d22a2132caf036e1e51ee29ff3f43bf8939f745d5dc51dead11301

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
f99db95ee130a36b4aff367edbb298a4

SHA1
ef950350f7d4a0cdd70d9f5a98f945bc5811f977

SHA256
e53f05f563dbb6b2cad6f675aa6cb67e62958e1e7db8093a3ec63a69af951b40

SHA512
9e9817553117da5be86de977d20255c832e4a70df0e77f9ecab63a0dfa5dc3d25102b1e5ac17a258705df16e3e4da1b3fecd6870712ee6dbb37680b283b3910d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e85fabd533e7156e2f592c812ea09f21

SHA1
e98cfeb8666a5bb6fc8fc1b340cd4cc68a166660

SHA256
3573d2bb81d54699ba6b0ac273fb849f237aa7a0f4a1544d0212a726a858c961

SHA512
c5f6e5f80967d52d42f1b71d05c1d8624eff64599b5b02a5aee971ffef2977ed539eebac85fa0db14217b4718e4fc5a89af404049fae08766dd6c0a0ad769a99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
baf0f109b4a078f116853cb08ea6f26b

SHA1
d12ee72fc1bc9a57915c3b0e66f26bbad8f1f473

SHA256
d642c42fea088f48284cdead0fc508b894b08be8d0c23da84d9f0f7cae53bb9b

SHA512
badc9d0d2d0ad81cc5a6cdb71343d79c4d8a576d06903d2155046a1a78710ba565de8f0ab5af486839e071064c8886667539ec10a9e43abc557bfa8852d41914

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
43c73c2603949335cde546ff62d02882

SHA1
93a272f755562573c71ed7cc838bb302134f013b

SHA256
e719f310f7f3ebb27fe2968b627cfed9fe1838421fce9de86a56a2055caae7e7

SHA512
e173fcc0cb75e8ae9c2a82fe8d35c5bb6c81eae52c364ed606b7035ce4a213444aca8e0ac9ed3ba7c3177f38818ada4c9e9c8fbca60872c36068a8ea89d6974e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
9e9bf16b1816a698d4e31216681000d3

SHA1
31e2cb0e2b22b6b0ef917e5aa73fb02939f919ba

SHA256
27cff337333b158f7dd8e09fe962c9d41a066aefb324b07a5a5648a99b11e105

SHA512
15d23d059186beabced64461fbb50783fa624b1b20257d637dc5bbcd6a68ce77eca2a6b4e53ac18a9638786f445da20317d1dfd808684607491f220af5df434e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
f56d8c8e38f41de880dbef07fb7fa2c4

SHA1
ba5a73405b3406565e0c0297e24e6d8e7ed4b186

SHA256
fec45a9353642e19a184317808cd45201d643733c18eebe94ed967d61eb45a1f

SHA512
6229439cdc82e3f8c9b039bf2a4a0edd997ef92b7b4eaec9a65f6eebf4d48a3429e5cb4394e6089d2e588d7b2da6135543e488e9def233f27509e4112d4b8fa9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0c04afb65e55e4003b6b34db2aaa6fce

SHA1
bd215bd49dd6917f0ed5ccc16a1c41b02d709387

SHA256
0b925ffaaf3d2502df5b03b756846bcab706f2787b03d593ec9d3bcfddf9b9cd

SHA512
68b1c053b3653a962af830710979207500542e84680ad251d93f87d1f5ac8a1d171468d16e43d7fc83ec29695a7d36552442c0041cdd209462aa63a3d2ee4eef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5ace8dc650ba280e134a154dea8e7fc3

SHA1
c48408160c7f79d6ae26f165bcd1a9c2611d2bec

SHA256
c0015bce6c0493cf19834f53f5c05579f76da2f2768b767116e519f3606087af

SHA512
5895af460817fba4e33e85dbb211a533f1937d6f7e4bcfe1a133ca6cfafd345375ab007ef1fdf00a9c9724a00cf53054a4a3334c4b19efa33d384bbd6f9be0d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
ee83ccb5cfa51016369c62365fd58bc9

SHA1
04a27d03b7099f48aa16bc8b07365ee37fb86404

SHA256
bcb643549f46f226f303b64e6d6ad514bb98b8047f4603d6d783635960ca86ea

SHA512
4be67a4233761e8004e3b87fc6a5c2277476a545a3984ff1279e853cd8a5368e028dcd75014417da8111023f4ada8e4ab29e508931d7c2d5c65a94db97eba1a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
850bd7cfcde0887550add747ac63fef8

SHA1
8e74b7fd9e72580a6aff05ef6eb0022c545d835d

SHA256
7cec1167844df182fb1f5ed70fcca7969d0a5ec006aa869673d45ea4ef61f557

SHA512
07e2b7bb73e4459a98a4eb2c20d4f84e105248c17497b8b7fb747a7bd7fdf1b7f092d6fee64cb66f54191ea18409dbaee8eb8b94a3b6aba3478207f4e29b47dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
8f87d03a0f1d6fd40f6b94e6acb4f8ef

SHA1
981bfd316282e7e37b1c025916a28d6db75d8c68

SHA256
42bfd429ad889462cbdeaa1418ebe42e5ee0de15151a9701b58323b92a32e304

SHA512
9f592bbd023cd07f7601e7629e1a392e8a03605364f07329c1935a43d9d57b679b2e90e93dd1d61d2ad318c8df85d0ac5e2b368038a7e93bc4db9b6ede0d0562

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
82516c45d9d045fd88345486ab77c351

SHA1
b389694cccd2c6f8aa95567c462d5cf59e52abe1

SHA256
83bb105ba27b7ccbc950a7a65cd78e348284058e04f618d81793769d05595c8e

SHA512
e8e5b1b082677ec6e58ee299ecf5a06272004d1b0aec65b702fdf33a60fb4da97902a3d3bf7e0e62075d8dc9e977b628758a027ff9bb40b43d67036e21a547f6

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.9MB

MD5
3fc33314b28a1f8ea5893d1b0142f663

SHA1
f8d9fb96810c1211c43aecf4af65370cbc3545a3

SHA256
dd8a86f923228bc143dc7f63b1986febadf3583ec63c252deeed2cb46aa0e8bb

SHA512
8bc905af3f96ff33fb852a6303809818102ef2a608388bc4d1ad3324767ea635e8fd15c0c8146428a39eaefde63afd6f2119218c6b09965d86abe88cbaa97e82

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.9MB

MD5
3fc33314b28a1f8ea5893d1b0142f663

SHA1
f8d9fb96810c1211c43aecf4af65370cbc3545a3

SHA256
dd8a86f923228bc143dc7f63b1986febadf3583ec63c252deeed2cb46aa0e8bb

SHA512
8bc905af3f96ff33fb852a6303809818102ef2a608388bc4d1ad3324767ea635e8fd15c0c8146428a39eaefde63afd6f2119218c6b09965d86abe88cbaa97e82

Download Submit
memory/1632-133-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1632-433-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1632-135-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/4656-642-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4656-139-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4656-140-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads