738bd03ee5b1a59113a5d1e8d734e3665e1365cf603e591841d8caa0c8933004

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2023, 15:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
Size

7.8MB
MD5

7ad3fbb8f26352c303f951639cff5df2
SHA1

a20ea1e0b6090bdc95a2d6703cc2b4de13d9b2b1
SHA256

738bd03ee5b1a59113a5d1e8d734e3665e1365cf603e591841d8caa0c8933004
SHA512

d255849388d77808af74f990aafa3f404f079b670183ae302854eb2881a7a4a235599c20be0e1241c7f726112f10d8cf60a30a62014d985b18331fb38cf61a62
SSDEEP

98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMQ:9nwnr

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
4376	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\I:	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File opened (read-only)	\??\K:	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File opened (read-only)	\??\U:	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File opened (read-only)	\??\N:	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File opened (read-only)	\??\T:	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\E:	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File opened (read-only)	\??\H:	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File opened (read-only)	\??\L:	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File opened (read-only)	\??\Z:	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\G:	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File opened (read-only)	\??\P:	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File opened (read-only)	\??\Y:	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\M:	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File opened (read-only)	\??\V:	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\A:	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\J:	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File opened (read-only)	\??\R:	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File opened (read-only)	\??\X:	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File opened (read-only)	\??\W:	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\O:	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File opened (read-only)	\??\Q:	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File opened (read-only)	\??\S:	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File opened (read-only)	\??\Z:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File opened for modification	C:\AUTORUN.INF	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_zh_4.4.0.v20140623020002.jar.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_ja.jar.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ppd.xrm-ms.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLEX.DAT.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyrun.jar.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine_2.3.0.v20140506-1720.jar.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-pl.xrm-ms.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\PUSH.WAV.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.ja_5.5.0.165303.jar.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-pl.xrm-ms.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-pl.xrm-ms.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightDemiBold.ttf.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ppd.xrm-ms.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ppd.xrm-ms.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ExpenseReport.xltx.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\THMBNAIL.PNG.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART2.BDR.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.tree.dat.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\net.properties.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_zh_4.4.0.v20140623020002.jar.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNoteFilter.dll.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\zip.dll.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.zh_CN_5.5.0.165303.jar.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.ssl_1.1.0.v20140827-1444.jar.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.bidi_0.10.0.v20130327-1442.jar.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-locale-l1-1-0.dll.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_ja_4.4.0.v20140623020002.jar.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\PREVIEW.GIF.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Common Files\System\msadc\msdarem.dll.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\awt.dll.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ppd.xrm-ms.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.dll.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\lpklegal.txt.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\salesforce.ini.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSSUPP.DLL.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_zh_CN.jar.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-pl.xrm-ms.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.XLHost.Modeler.dll.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-windows.jar.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\jce.jar.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNoteNames.gpd.exe	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 4376	1520	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe	86
PID 1520 wrote to memory of 4376	1520	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe	86
PID 1520 wrote to memory of 4376	1520	2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe	86

C:\Users\Admin\AppData\Local\Temp\2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-27_7ad3fbb8f26352c303f951639cff5df2_ryuk_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2890696111-2332180956-3312704074-1000\desktop.ini.exe

Filesize
7.8MB

MD5
f635832ab20a9ce4430793f2adbaaddd

SHA1
ca7d35ccb35ec1fdf9c7d7a5417890ac4dcb6e63

SHA256
8f0d88f8b0c1254a6410937b7d48e546e5ca4cc178109c693928bc5ac13d401e

SHA512
1ef4883a1c1342326856546060c24ccb4672028434dd3a70d486ef9ccba6e519d9bca3a1d4cf2c6a7a4b67641a9aa4d3f5cbc0fa50facb759d7764f800c2f691

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
bca3e1eff0ef98e805626f51cdb14948

SHA1
4f7b841cdccec3de36a9c5d979fc12d2c03e9d7a

SHA256
12d2da7908b808cf550e889789fc6e1dc38864493f41a663bef9a708d13cf14e

SHA512
13476e52744d49d50dce902661b70c578322ee5add238b084e37e827e9d6fdfad7b4a126b5eb2e01856437da5402caa8a20f4c191a533f9ae06d24aeae2a8e0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
012f819ba2bc0ee2cd3d382c980a676b

SHA1
77e8d1c765a4d1c55e7253d1949a8b8749ccc0a2

SHA256
db69c974b914fc239dca12a3fd5c1b99a1a43ec731adedbe17c88629e6f6516a

SHA512
6302c164a95ec6d646fc1945028d303150480e2a206c7610b25565f3196c479c0b7dd3990de8b6bfc669a26aece96ee9a868476565f563da0295221f62394d0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
3f61a62695d82b3d7139676ff9f7f1be

SHA1
6a8991762f488265857f7786602698dfe3e50859

SHA256
b14d49f734074f1ec6a31d66fad2a77908610bc79e7bff79dfe4d65a610bc882

SHA512
0e94765a65e7b82df66db96f5491d9df0405f54a6deb5305ccbc84a1e85dd9928216feb7e8333cdc76036df3d4f00f3dba9d59d11d550fbe9fb064148fc55336

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
5f2e3e5d8e851ad8d9346d0379f65883

SHA1
3f211282b605017a2230f744daffb928fbc683a9

SHA256
769845d3491f6d672f38d0c60abda401daeafe220372f3f86f9e1ff0c25faa09

SHA512
c94a9150e2fcd67c3e29d136480c79dc1d59979466d8349be2d0a683dc3e7783ada63105efca9b7e61307d2afa5e828c6592302e90d3c24a8ce8c87e38a88193

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
5f2e3e5d8e851ad8d9346d0379f65883

SHA1
3f211282b605017a2230f744daffb928fbc683a9

SHA256
769845d3491f6d672f38d0c60abda401daeafe220372f3f86f9e1ff0c25faa09

SHA512
c94a9150e2fcd67c3e29d136480c79dc1d59979466d8349be2d0a683dc3e7783ada63105efca9b7e61307d2afa5e828c6592302e90d3c24a8ce8c87e38a88193

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b10808ede2f3f712d8d18957123c88f6

SHA1
4cf22cf4b47199b3590509227a9538c0142196e9

SHA256
4c27ff5f61a75381f8942eb6d94fd1674562ce739b1ed9ce60162317286e8a5e

SHA512
3b16bea071ffb600307475a6ab96f63579477016adad488a8d179f2e53067b3f74935552df6e2dd24d05a60f5068862226120cbab27d07285117d4b061002ee7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
98a0ae812b2410828fb53bb77b21f5f8

SHA1
d558cf9eb158d03564eb81fdbee50674107d455f

SHA256
a83435f95e82370b5ecac8be2487d0d5db3141605eb6cf5df0cbaa17850caaf7

SHA512
43b78f4ba1f9c60a811eaadbcff2dd407d0be88f279920ba0baf50d5e569093a6c84b1573667e4a09cfc0da70c7fff99b95940654c20f39a6aded6726da4ed6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e6c63b323cd6017883f2d12d941af477

SHA1
04f00d01596986be54108540e55e3777846ee53a

SHA256
e5ae61a1d9b929887c8e043a6f58a0f55e97ca1e4cc85ef6f76c2cd447b036d0

SHA512
028c3c2e513c09c2d46a534605b50ecfa6b78b7ea57469aa5dd63036bd5e2e3b5a09d8ae3598a3f98e380988b3bcd25f7c741a887d9b9df4a8692d83fca545d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ed31541f3eccbf5355e643ccb53bde34

SHA1
50af842ee7d3dd3935ca543e492d7236aa1c692c

SHA256
10c179c9b0269984fd493a9c1c413a61db1d2a40ceb62cfbb0c4ad3864d2431c

SHA512
e7ae181969209e47e6441c3a313845817a0d56e7ac498ee6ac4434369c06491b8251e63d9e59ce10f9e6d4e855ee610f9a036d0ec49267d50865eb9e9095c7b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
3c6eb06fca2815734b10e512cae9f5c1

SHA1
e2d97f85d69766c71b24325eaaaef218a289581e

SHA256
f4ad5623e98e8ae96d4b075718ce53b1ca3b55745fc7fee5a7971a413b899696

SHA512
a8e04d92ba1d9e38d66653fb80acb0d03a88dae45bcfe88e690f6340f3ef1ad40e03cc694c60695f87d3b6b5a9c74455cdcfca8db001d63e2614e3a7de9353e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
db1c5b7c1b694ef2438362aadf85ac2a

SHA1
d3e16b8eac3080999c5a9ea03067a24a63bea1ec

SHA256
d5f58dea1e2f10b08c3d68f0c76f49bd3f0cf48d0ab76da3332cc340795ecfd6

SHA512
ec5512d7f4940c39f23dde53be26ce71c813f06c5849c73cbbd2bc10aa8b0d34da7233eda3a2512bce130e3b0a2ea94f6ebbe3930c5ef25b46f2443936952c9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
6edc6d72031451eceff0ca86c814158b

SHA1
b912d8596a5684a9b8b45015b6494605f678fa14

SHA256
3cc7d78e045b199b2cb31f4fae087f300f9570cf90a469becb367aeec4b31696

SHA512
34765888d64872aba06a503d68fa1be52fb1f6cad3455e1364548e2a82aa5451a17e3484b61d40f19f9888a4222c415d52f0e5f1d2cd019fe5b7e86d39a5b93d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
8fc1c19a548b66338fcb3a1a0e004671

SHA1
b6a40cf3120d29ec19a5c62e7453d063cceca485

SHA256
f1f1e2758d0ed5138b36d16854312efee4f28aba90b4f89da389da57a45af6cc

SHA512
4052e5ea9429d0faf1acd17edf3840d88d08cd130cd20626c15df337eea77321d1b82dc7c31d76dfe0693bd43de3ae8ee04292e75e054d11390553ddd3f839a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
bec71c289f47bb5d785f4fb9de364811

SHA1
cec7ed1929312d601e5470e816cabbf0f09847b9

SHA256
91adf7600328c367b96b13490a4b8351b1552c57c67d32701fa599ef08fda506

SHA512
f08b0336602ea1ffd32e71388ca0b1da79e5c1430aee861153e478762bef4fb77d95de15577079ed196292807fdfa10b66ff06cfb387428cb7dbd9d08b4a2e09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
2dac1842983c09cb2d97dd753b494a79

SHA1
a3c9ab0b9d450050cde8f9f28d082600fbcd9c4a

SHA256
c0ece3c323e773a3f870648d7286d38c96eb7c869fd66d11ca685c32d443d546

SHA512
433bd9fb923abaeba2a6254cc9d60b0fda26f1f784b2e69dfd22eec75792e12aa218a4be4113e3d88baf5e140bfc063ec2fd95f73860f3838756259c93a1437f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8b142f17c34665a08a4f1e2dbf684b18

SHA1
028ef460009644d957cd6ba2c17b9bf374c48d33

SHA256
3ee3623000cfee7c1af552cd0c39954eac1c9afd8ac1b30994414bb541138c0e

SHA512
8cbb0221c43a8f16ae841e3dde21c32744fa2db3ad6d3705d0ade9a8557352be9921003408d9e5f7b13daa4f6c4823e3971176130913f825afeb82a78f019f2b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
c3fc1511b5e47839bc008e9f71c52f25

SHA1
5b46257683471005cf1d5738dd1389c9f9889ea6

SHA256
9395b560896e43e606bb6a16508a7975fa5abab2f6e366ea4d98671d8f5698e9

SHA512
49fb39eb15a5c48aae91a3963a0606485e6915d6a4e17d55c8fe0cca2446cf33d8d106a7d6b51d047b08d5f46b2e407772849b823b8c1bcdb895217768987dcd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f98f5e3e93a529ece5e4a1b8b0c39dad

SHA1
664f0ce46b8714d87f7fa28812a7a3009fc3b260

SHA256
e3dca702ca66e1f856b596c854b9c8d14ee8b74f0264589ca0ee836098386ae4

SHA512
b5370184ccc490daa030e3340b023671003fa422a916d00eec0d10ac01416d43bdecd255fbd192092bc424831d2107cebe254783b3ad0d9c63e0ddf3fa4402aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
c99887ef7b671b69a734a41838421707

SHA1
df70c55aea722d21c8f894480cc9fc357db624a6

SHA256
04dc117e9b2142abb4dcacf56c3056b193c1baecc992117f9c0f3274e6e0b5e7

SHA512
e08e35d3215c19b71ca43b316d9f132ac0f869fa68f8237dce66046fb40f89ce9e5f013b6ae68469bda5060e70a01a74f1c1056da134d4a3bf451b17b62b27a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
912d5792eaddfe39d0216e779eb25132

SHA1
d3babc9b52e4c502764c3fe540e8727035536674

SHA256
192e24f0b67fa1c829a5af4d1f1ce42a44babb5cc947b448cd34948176579908

SHA512
012a290832a18977afa2581b332b1bbf47a01a363ecbd62bae635a256a947663047038da7c6e5f024678043e545c20cbc94865764da8f5df462cf0e7d7510e26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
6ae9e062b0771d35f8d7c881d5b656f0

SHA1
27fb442012b76809ac566a8838dce72d67664809

SHA256
d5d6be912d03b541d1cf027022bb1ca20224bc32af653253df22e17a1304c807

SHA512
a2f64f3f9e1252c982d19a3645499261ee29263ded0f3899620ab6d3a7748545538243cc889dabec0d30142024230d5b2279d2961efe5a89a0635d466adb8d12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8f22cf76423b9781bfb125c6284fcd93

SHA1
066bd4fc7840b97144383ba8b173fe8406b479be

SHA256
58a40f0f4c17dac9bacf18e68e2fc74895d052c05978bf3d81bf3b6f4670aa00

SHA512
ec09fceccc2faae190ab4bcca379cc4612c0ad742707c5998fb3da37eb4f96eae2f5106a226d2dfc978bf28d02568ad38e25397a2a847573fc1da49e07df6641

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
de44128611196106aca9cd1d25285199

SHA1
88f3bb87c42537c716d27cc681c43fb03a8bf7d4

SHA256
87936a4711e7d26e4ba42ee80e94bcc742aa3869be44165782253c4402c4dc48

SHA512
0c2057e516b02ec4c7c63a4b205f3f9aa5cea7a81e39365912a1e7d1daa3f9e1c142d95bb6665efb48db8de7692c7e95bc41bd05dde15f4c3a404a0c9a9046d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1bcfa57afea2bf837964a69b6aeac2fe

SHA1
7017a10c84e1ab21560a0c4a71ee0deb2d6d7649

SHA256
a7fb427011d068018a2940ec405323c7e4640035579246d89d7da2076b5c0231

SHA512
95ca242e6174869dde104758fc90923a97cb9a797a126863f066eac04f111df29467f93891ebea0c50b1354b6bc1692092be3496c0c5af57cc5765255b061e4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
3ca5c7462bd4a9663727d36208cee46f

SHA1
0a77f97cdc9a700bd433b06c390c4713d96802d3

SHA256
e8da5545683d3f584fcb0805bd163ceffac201f7cd9bf5905b4864aa9c022c65

SHA512
7794fd0f394329f02838840252ed97a683d14a8381a6680f1a3ba1bc5deacb5e6364e2c063bc34b515a9714c4a9f84b57fb5ee858d6d04cd38e0cce463941ee8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7608c446288cd98b97fb5910f1521bbc

SHA1
f0dda2e46abfe11713344c2116b6c6885c795968

SHA256
aa6cf826361e887904fe39d1200e3f9488e5c36c04ebb75b054968c39c1da123

SHA512
9f7402bdba55ceddbe161fe78f76ef7cc9e40ed5986d9c07e04f01a96d95169bfbe65424ff6a1a786e484b5b5aa5eda4acdc64514c6635b9238491679c8505d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
b59acb0e6a76dd33eb7f1721c6e9db0f

SHA1
143bed75171679fb47ab0f4313e06ff6a80d32c4

SHA256
6f0ef072dd37f614b96e7a8e0f69b6943cd12b36b4ccef4bf4172b098696ac42

SHA512
e4fe2cf52d30e440f23c9a90a8dce4647d4cf4f4616f20d20afa15fad22199132d72aa53bdc1923326f89d53923e1f9ec0c8d08fdae01061dbf9e8b7b02e4bc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c3876473a975894ab6a654f57268b771

SHA1
cb7341b9ec14082e14229cb1c9b71b7bad8f544f

SHA256
29856639a071642644ee4a1ae8c16a0323aefdf9481e59f7a210402610b545b5

SHA512
20d5bce73028e9835dccdeaf6fce5de40556105d7ab790639df440f98cbcbe3775a08e7aa93ad6a8970ea44f194ad09b95dbe783451b23665fb89faf81a95336

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
1f386bda3636959af877e5a111b29d7d

SHA1
2fcf499e801939ecbeb3767e15b7805f86ac64ca

SHA256
aca0164c3f0074ff08964772e8a280044d6148f8c7aa72227be92d4d8bc77ce9

SHA512
19d3e9024ec8885845cab6e172a834f2706cbca4c019cac5c99c04db003ef5855fc3432b34e8ece4bc2e1de3d7c20c2fb580c6908ccaad6cdf9e76f40ad937ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9e6d1b9a335fe2643e5b523a365d8cb8

SHA1
be53e3a412a17bc8a7f8b08bebc8d35d6a124f64

SHA256
2e3d200081ba8e81b969e385d089ef78e637e37818708468cf300e26ab844587

SHA512
9b96acffb28344b047fdbb69852dae5009ad01ea636e8a4a0aeb8faae7c1ba57755540a8d5a746f2278fae84195a1793ffc080312d142fed77ff1f2a19b733ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
30b72454448ce8e72f3df2034dcb9af0

SHA1
e858818561afcce0ff78487c5dcb51210cc6cd20

SHA256
108bc1f0ed0b2e4532bf7574e67d589ed164024b31f6150c6885cb7d07f0aa44

SHA512
9d86f1131174b7d0ca3c27d5bf7a76d193a115aec559cb12108bd5f14667377b7389d1d27548d7f53783f58f56a1b532370063e44feffd050ed22f0927bf408b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
455ecaf52cd8a42b7dad829863c0005f

SHA1
2c96a9b376f7799dc545646843225f0c967c980b

SHA256
87143e8a6cab0e5df9cde2f0ea92254892a823ca9b2ed1d89c3851db85e8f792

SHA512
a284457a9b2e5f76fc97fa09d97386359dea27fd013ebeb252f45c78c2939150c28a6dbe4744a26aed6a9fbb7fda1ada998f7f75d9846c381633d36c31cef97e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
6c0dc6ef668364a8ae5833f15eb06c4f

SHA1
442ef7bbb5975e4434a56626963cad5c29201085

SHA256
30c7fd4177462e6e1c7abaca56ff1fdf82c0fbaa6dacaf2263ae93b811a43e18

SHA512
358d26f537f1c596190167de6f0d57cd1241218363302cdf32704299cbd375276c025ae12ca37a6f7c33585082500b93131016d4b93f75d68e5a6ba25f5ce348

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
894c8a5bca192edd5ba94c5b958abb25

SHA1
8aea17695364b33c67b45c164bab18977e6762a7

SHA256
7ce270089f3cbb57df7fe4f9201d374f91573b46b516eb84c3ee4cd7b8861252

SHA512
6bf5af33158430f05367a1a31e378a0500d885197de41d5dc9b0388e6a0841d235943971f5c7a7a131ac37256fd523488e79fb69377718b3207db58030cc0042

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
1be71552d38db1ae3a5f724003378498

SHA1
50d6e7ea01432eb8471e6754a6c1885b7317696f

SHA256
92ee83a60d9fd87c18ba4c839fd53b721a9126a118fe44049a30590a05471bbb

SHA512
350a09b26faa59911c3203f34d4bf55af0e30289dad9a5ee6805e459d77d96e8d518048785b8af253fa249b8942e72bdf3971eeb5e0f5a4af6949754a61bc6ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
36a01e01409c772cf7c90f7bafbb0b38

SHA1
c399adcb6f4f1fdedef895a35eb8d9c48d0d218a

SHA256
9da2f8cbb5649c019fcac92b70d814977dbf926add29ee9894413ad51802a28a

SHA512
31aac2a6f903630ff505a77c5c328003cc254878ed3f8081b8be75c7472e37401c84eacf610c0782f341587741a5379f49c2adc3a325c053e26e48eb2ff383d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
d980f5b20f535203bb469603a36e710a

SHA1
54257c9e53e7d85756595be002a4c6f0da47d41d

SHA256
c2b349563c00225d012e76926c53824a7e888a4b5e8c9bd3cc3f70eed39c6176

SHA512
0109f9de50bfd0ba705de4117f22b2d16b09f34989ce41686eed32263f0613338fc8151672c61accdb1d2bd607016c3b9ca235c9db0a74d9ba761bc457a6ebad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f693a70fb1498c7701c8aa0f38f0ed6e

SHA1
38732f0543956673b8c07b725d6c0b6cd96d7960

SHA256
e9d497446a72c944703f751809b2dc366e95dd9627f833706f0199e126bbfb63

SHA512
aa3e83e2a9014f19ac599293b1064ef4d709e6fecb62990a246dfb763df0f94e52f8016656aef94b7816c354068025d86c18927239529331186eba4ba0005067

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
f36417e7e7c39dc148374a157ac8ce16

SHA1
814df6dce51afeb422180a1bf255cd120b592dc7

SHA256
04d136b4a0b93e5019b15ba6d80df506c6f8ba61749a46fc8bf6cd63d80af364

SHA512
43e4fa68ab3d14ef19fbc3edc390badd96ad91e006f9fbd743c3f66d1d4ec64b943f58cba76f7db17491a118ce0b8e8721e56a76b73b818ea6e2b3959932b7bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9a59659ba6ca2f0a821b12c9f5414c15

SHA1
9a35191b1e78d18b74f6f2e46c83507ed06612de

SHA256
2c79b9e6f59e1eb79a238ecfcaefafb538c532153954ff53e21831d2d4391b68

SHA512
3cea0032949973dce93324654121ddebee2cb054407daf5717591faf7e64971625517643dfda9a73ae43d246ba1303d48d6f4852d309ac293caa56949ad98c6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
5370cdc55ae4f0c6135361f48354588e

SHA1
89dd9b4b2df8e2c2b957113645f83523093c8c05

SHA256
27e1f54e6ba92337f4abdbd719d9e71d407236c2aad245fc727e3b534cb852d9

SHA512
0720dff58de2d6bdaf0246db0b5a933accf316a6ed7da529f0370534d2f0596f59a3147803c1b73f14eb666852e7fb5667ee99cec0c39a7906fa5970727be307

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e68720febd085ebc53e6a9f2e45611a3

SHA1
73c2c7b5f20b1a2f250920204e3061d4d5d8231d

SHA256
f5076bf4bc64a6bef9df9bc3969a6f7a74f4f99f8b55be9f5ac6e2a6c6331d8a

SHA512
49e46f0c216c6125d6b78541516b9a5ce0a0ee699db3bd517fe4b8e3429155f43f1b2b5aaf5954c565037d0dcb4079954a7c2683905553245a021162749a2b85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
98defe77cd7ed7c267b3c2de61de960a

SHA1
cd20052517b66379bbb298055f4729f42c24828c

SHA256
4e6f385789f53f21433e9e95833d9640f9e93854a242f7a100eaf49278897fda

SHA512
6d1e13d881ab76427a03b6886f373b2db87ac66441e16adede00c82a55c82beff755a5583a57e60e9597d6f0c53bf12b3dd3533a3898728fdb8cfd681a923eb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
410891b072b45de377c02744979fd4e4

SHA1
832c771518e5847b32df641f6f4e1552ce4e7968

SHA256
e96cab9c09ac4f546d78b46a0d0c874b1e5af3cbd17a078101b48d7c7562f7e8

SHA512
6b19ba9666f0fd2ba6ef2c2b9759f9b51d5ce8978fe6c0f80258296f74c6d6eb186d02d8654f3996d0aa6c3076a4817f875acc198b52ea9f59ee07677b150241

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
5739c7a2d1dda59909da76df6b198cc8

SHA1
f551c15f9834853ee5c521eb2e860d4c2c1a5f1e

SHA256
bf4bf318cb6d9d97e54ed43e0295829dda7807d9c12455d96afe3849f027128d

SHA512
56a994a85c02acd9a1f70dedeb195a46a318622f323cdff414a9cee98423917da32e94f6d63341acefb227d8b18e13a5051cd423e3b038b35f35e41a53b0f45e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7e5e363b8ca26b04062b83a54771f26b

SHA1
60b02263073923d5c3fe1e773df70a64ae77ac48

SHA256
3157bba28454ac4eaa496f94d7d41107bc144e683d70a0acd496382b4d26981d

SHA512
0ea117f9e63ecc0e9ca1155a26e4b960363bee95911a2d5a8e2bdadc11d02fcff03a050c850fdc49fead272994876e8f140e7fac08785bef8e6fc9bc00357694

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2d434874e887108a6685181151be8d33

SHA1
81c76925081aec9f39cd2c4f349e4f9c0184060e

SHA256
9f8122ceda336737619025bc5d9874a467c33a290ae38ac96b8a55e6c998d254

SHA512
9eac556e044304d559690c67d1919f34ff0fc989f2f70faf34257585ed47ba14569f56a77d510a90d8ff5cf69cc7a5f00b2d81009be7b7934c3d5dfb6544c995

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
ddddacc5707c8bf81e4b15216bab7ff5

SHA1
5f7b5ce89cb8db2d3d66c4af8f3356876429d0ab

SHA256
1170385d48e1ba785bfe2fa8e824cff9a3fb98e1522651fcf237665d1254bc53

SHA512
e53a4635546eceff008254f85c37dcd032f39e6566090f903a7276ac2c1ebdae85919c6830974a582beb0072363c42ff5fe7ddc78caf432eeedc46d924d0b121

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
7.8MB

MD5
2c636bce8f7ece6706244755d4525bdc

SHA1
765506c45354b020c1cbb8a0a25e4a602d0d7987

SHA256
9d24c1ec22e020892f9388450b0af91197f531ad9e634de636d7f0e62be96e6c

SHA512
ed19ef9f1068a5086257a7b935af5d77ad60a1df40ab84b60a5bc1a4775ce9cbd0d422e07da953f1ca1073a1b90539208529c6ba431f321e540aecb005190998

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
7.8MB

MD5
2c636bce8f7ece6706244755d4525bdc

SHA1
765506c45354b020c1cbb8a0a25e4a602d0d7987

SHA256
9d24c1ec22e020892f9388450b0af91197f531ad9e634de636d7f0e62be96e6c

SHA512
ed19ef9f1068a5086257a7b935af5d77ad60a1df40ab84b60a5bc1a4775ce9cbd0d422e07da953f1ca1073a1b90539208529c6ba431f321e540aecb005190998

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2890696111-2332180956-3312704074-1000\desktop.ini.exe

Filesize
7.8MB

MD5
36e85d910010c36320e0c78b3a06a598

SHA1
116e51e9d439bcca354b0dbd8eae30e2388bfb29

SHA256
26f0bb899de8f4f108a67361a3b5914af4fd7c69c866eb4c1f86173ccb53b0c9

SHA512
cdeded334e2d292b5714e1bfcee9307720b5fe00cfb2747b6fc40ddae1325ca02c208c826fb8ad2ff1b804374125fd1f10eab37040acc56cac88ff59bab67e54

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
7.8MB

MD5
7ad3fbb8f26352c303f951639cff5df2

SHA1
a20ea1e0b6090bdc95a2d6703cc2b4de13d9b2b1

SHA256
738bd03ee5b1a59113a5d1e8d734e3665e1365cf603e591841d8caa0c8933004

SHA512
d255849388d77808af74f990aafa3f404f079b670183ae302854eb2881a7a4a235599c20be0e1241c7f726112f10d8cf60a30a62014d985b18331fb38cf61a62

Download Submit
memory/1520-101-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1520-1-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1520-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1520-148-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/4376-6-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4376-151-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4376-202-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

Filesize
4KB

Download
memory/4376-7-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads