a938560a8049cc9d5cdf9b81d4aaec38a3f3440edb314be676932abafa2a980a

Analysis

max time kernel
145s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
Size

7.3MB
MD5

b59ca4732457793b33ccdeb9def9384d
SHA1

040e46799a87935827347ab12587176c2328bff6
SHA256

a938560a8049cc9d5cdf9b81d4aaec38a3f3440edb314be676932abafa2a980a
SHA512

5858b5afa3b385d0449999e6743d523be0fa63f12649cd2fe17f6092076f72f55dff31be95d9b7aa02e1cd58d4a7c5530a6d1fb7d571b69e6d6168de2cf044e0
SSDEEP

24576:zMMpXS0hN0V0HDIH53npi6IMMpXS0hN0V0HDIH53npi69:gwi0L0qK5XpiWwi0L0qK5Xpis

Score

10^/10

aspackv2 discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00090000000233d0-3.dat	aspack_v212_v242
behavioral2/files/0x000100000000002c-15.dat	aspack_v212_v242
behavioral2/files/0x000a000000023385-33.dat	aspack_v212_v242
behavioral2/files/0x000100000000002a-42.dat	aspack_v212_v242

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
4540	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\H:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\M:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\Q:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\J:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\V:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\W:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\K:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\S:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\X:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\P:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\U:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\Y:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\G:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\R:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\N:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\Z:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\O:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\I:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\L:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\A:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\B:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened (read-only)	\??\E:	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened for modification	C:\AUTORUN.INF	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HelpMe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 4540	2596	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe	84
PID 2596 wrote to memory of 4540	2596	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe	84
PID 2596 wrote to memory of 4540	2596	b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b59ca4732457793b33ccdeb9def9384d_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.exe

Filesize
7.3MB

MD5
c1306535743937bd07c056f1955055e2

SHA1
9a4eae6fcc9ceb86e9184ca373411106e6bc5c13

SHA256
7d6cb00d6a4e62c06aa64493af57599aac5267f97ef19415b611ec068f084488

SHA512
9ec84e1ccb2fd178e857d96cebb782db5120f2ee7967f3c07c88fd4ef49639523fb106decb307495730008539652c857f1c70019e6f08fd829da14d0d78467d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
0999021ffd55b88681d6bb50dd181723

SHA1
606b76300fb0b7e07e08a28bcd939bee3e0fe441

SHA256
d69d93414dd798bd82ceb0b44eb99d448322a9b5b365c73cabfd2cc8fd793d22

SHA512
234eb8f62d3bb07759c57c5b5b865a104862d8c26437492150972ad1825cde166a60ea43cd878a77873ebd92280e21bfe12f0506053c266baf26dc5ebbee2a2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
55727862e500b819a2f36df7b9eec6ef

SHA1
33762f59bd3f6ad45a62daf1b325f7dcca9ca64f

SHA256
9c5549fae2fb52fdbd2678577219c487764d77c45be7daee1339b15457bb6396

SHA512
14643dfbbe865fc729f9deec6077563fe1b05641d687563cac5a9cdb71ae08e12801fc994554ebe077dc5f985cddb528e0c51107211719f28a97af1344a7556f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e05a8885195fe7cff0742ce965b79a57

SHA1
b9fdc088802467475a5c33d66b1b7e823fb5c6be

SHA256
a8dbc72a870d4aa751fea463f7a109dc500a78f30fce38293ab7b414c779abe1

SHA512
7450d3d1808b6970cb036bab70e376f408116b55573747a4b9abb3b3909e0095d535f75b975c2a10f03563291433745c8b5490600143bee51f8186064d335ea7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9f16f1b8fbd4c95e6f53a8e539b8b804

SHA1
8775310f036a0c11560bfb683c190ed1c2ecb40d

SHA256
3e8ffcdd3d1d99449648e4958ad9b91e79f7bdd8a34dc8425f3c9212148745a5

SHA512
1f0d3059d211fbd253a11b6d3edc07090530d92ad776c40007befd70cf28f56598ac2ae5c8f3701ebbff513ae496b773c59fb4192294c8ce60ae27dfdc0dc7aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
7f67e308fe396b9ac0129362ab7d01f3

SHA1
1d462f949830ebdd1ba0bca47cef7fce0d50f2ca

SHA256
706483d90eabc1af6cc930f4a5f8efaadbc8774d8d57da4686708af535674597

SHA512
a03ed5d9fb3ea3772464c1dd33dac164ee2debd2ae3ef68e31c17e9f20627fc1f51652fa017eb418d3e4d3d728214fa6f10a799cfe8fddbc4a7c733c5a24be47

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
022446e1e59a9ad575feb69147b7e075

SHA1
4bf26545b12f50fbddf8f1056c264043be46e421

SHA256
e582c8143fc455e99a43ba298c0f7688ac440b12bad69746b61e5856e26c9b0f

SHA512
4a87dde40f0d57e18b348315f3c5ba673354e107010f8f27ad82e69f13237d1c3128bdfd69852bbeca743301fa4bd4cee81ce4c002bbcb49541d488b01dbccdb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
1034eec09ac2c35fff183421ae5174c3

SHA1
e8186aaafee07b59580d81e0dae0935905dc64ad

SHA256
7671099b41da8283a42819b466879e8b0e86d509d1fc83e5cd39a65a2c9fb7e1

SHA512
efdc9af0ac4e70aff7a3be787469adb84d12f8603bd911f7f501364010f14e9cb96b31402d47e9a4312b91615a144c371bdad41188004db65a8e2dbae8d07464

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c1e6bd2d70e21806e8450e7d984882f2

SHA1
d7c81c90a56704f667fb294dfe5f11cdada86f88

SHA256
0d06e4bfa132e6365d6798f6f12c417e5916fbc1d84124a3698cfa6e10ef86d7

SHA512
e9e7eff1f2d91f95fc86f7d359e0f2135f5c9f1fdf1f49bad34374918040d3aa40edbcd0a45ee008ea73a1e6aa3c3133ddd1bc0102d42d42a90db03eb0561795

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
6c8b8de10cda0e35545cf5f7a856288a

SHA1
3f4a21d2f02154cc1636c43cf889405f13a18416

SHA256
cb2edf91966502c8200beb406bef23a96a402f5db212ec94e71b1aa55a2f4aae

SHA512
b5492d4e0a3ac2677dc13da6c2aa779e56add5a4411231e20d27c7175cf9e4774bc0270ca15ea4ac9b17500e6d8670d9d4a9ecdc7d851328dae4f1473e1e6217

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9f067f468084a506802ba03fb5d298c2

SHA1
cddcea7cb3641dcfe81a7fa2d91beabd95f75f6a

SHA256
9bcac5c0648c98da13c97d6a5bf5af91aa339f538e16fcbfcbeccffbf5acf74a

SHA512
d2c460062565ff7cbc5b355ba47eeb0055f9d2da709b5c5b5196403d965d757d40350eb2527ac41cc9a78a4f89a74e354f9d19487d4f783b0a653161834df275

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
05020f0f0558f48c9c5ebfd3cfd49abf

SHA1
3251f13bf5ac265c47ff1cc04d5b0a2158bdc6ad

SHA256
de6eb60d08ab7d37bde431bfdb859b8c72b0f8d5a4b7ae4080815f0e1f313514

SHA512
b5edf375f8050edb312f21c4df3c9d0fc510b6dfd390f6a1b6234913e8dd57538aa2407e61c5578723e2a9a286e882ea73c84757361a4cef2b85759f81d18ac9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ac62b28d8ce4c6cf1944db892bd57e82

SHA1
4e4cf9fb9ceec16cd908476752d751b6c2f0dc54

SHA256
0715521d719794635bbb0e8b01ed7ae2776b9df59da3848de3989f53414e8fbc

SHA512
297a94711ebc6feda76305a7e38b7cf3c51d7d0a283aafe3656fcda9469fcdc65fe6cbf2b9896c4346853f1af605c128b0689d4da5b6aaaa04f13c80525ae62e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
527edb1457396d752b2580a274123fd9

SHA1
cb7b1e108f8ba38a44b9c93aa25695063976a1c2

SHA256
2e8d4e86b240ae7c79fcf884d4ea5b9d17983ab00ef08c01e6df98817a9bb5c8

SHA512
2028bbfc29fbc9123be60a6b0b690e7a7dc7e674ce333eaf6d2cd367fcb0da8ff6932bd10089ae7b5cf39ec6086747b4e3691f66a8026a35598c0f5e25e05d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4fa20074c45606621a3e8b311ebc0a3b

SHA1
5f5f8eaac9bdf3df8b668733f9a932144b0807a7

SHA256
52a9d1879d0c5287ebe2954d569e8ceb63714da4486160e6cd05fc54ac3bb0d7

SHA512
842acd13c181fcadcabd1d68fcdb20b14d741b12cff7eda2e6cca3463fb0a390013273bcaec9f52d65b7a988d55c5cdda69c2cfff1094fa59763e16a44b9127a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
76294123f4be22d9912c17cfa7c3596c

SHA1
6332caafb66eab1340472c92bc6f47483cb41852

SHA256
fdbcb93cebac8eee448f54ed97ba817295788376f8cece6384cdc8a3f4a48496

SHA512
44a6e53b7709322a844446f90ccebb9e48769cdf092fe1a5ea0ffe1dd5368cb71ebb5f5863fdc8ce58a76fdfdadc30ba88121446e0e1178c58b07d11e291859e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d9121e6906c016da9e1d910723a2f29c

SHA1
e2c2341204167fc1fe7dbf9b906d710787bae83f

SHA256
8e7735bfc51cb58af174b2e9bba99f2eca3ab902e72169f570bb4482e2c0a01b

SHA512
3c076317c44a4b951e40d7d07432d98ac7cef68458e6d67724af3580e2bb22c1052012a6200e247f146512f38568ec16552b3baf9ee522fd220f403bbf0f4401

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
5a550faf8d60e9d662216ed03cdb03cf

SHA1
557596915cbe53be470f6ced41802049830cc7be

SHA256
ea089ad680de69168ecabea45295ea28a34495829770d13570728414938c822c

SHA512
49f18e975000f9063121b49e93d22ea44b4c05ae5435510be264231be443bfa6c63b16095090aa4be5a168b0e5943b58df2c69a0e34ed4f7b4ff68a67efdfd11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ffe64818a9d441de4b2b7f961bdf7a4f

SHA1
e328585b65268a7d757f393c65d3d1e24cf5e568

SHA256
dceca7d6d4f2ef944fed8c285341b45e255bfb4858caaf7ecbc8511b50a95933

SHA512
aa10d6c16b4799849b820e8a73390da78a5e82344ddfbd743640fc0b026c10d9dd9649b3b8d067d0a8fab42fede763709260eeb260de21d8fe64e9d2c5dd4ffa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d9297896ccc09c9b98f4b7e5d4f5b33d

SHA1
bc546b185b33ece16d5a72ce86a224cdf9539977

SHA256
5c571d122730efb89249688f1efab9c0cd4307cdc0b963cded49ec3e96650a94

SHA512
70a0b3435b4f7dc64ec5ff77ab7fe473e10c0e85b91cdc1ce41a998fdd1eae91d48b4873544cbd2c7cbb1825b0c4ff89ba67208fae9e3cc62173e30e1f92c109

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a81126f74477d1888e89fe6e16377f13

SHA1
2b51fb05956bbe37837d66a81c8b255640ed6cda

SHA256
9c04227723ca4472637a9b0f6f532677affb8cbd9684383667b4f6eb22290c92

SHA512
79ce34842726e4c3fc81120c91bc897b74fe038bd4b4e461c8bd909ec626014b8c39f13452215b34177462cada904187e61fb1fd8519616bc204281cb23aa086

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
9538b5d5febcaf8c4f8715ff84f6173b

SHA1
99e2e2e584eadb0191a55e473ec908847514feb0

SHA256
7ac5c20e93ad9c47892079638f4814403389c47cd192bccb44fdcfe2e5d64bd5

SHA512
84a146331862cb5f80a90f866eb71168066c8055f78b28030e04f1e125b33e6f7868fc965d4cc72a2697d40b4a828ffa645ffdaf46226d697cfea9295881d7b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
55ae563b8546c41cda2c902d545f6fd9

SHA1
86b2fbbeba15c9486239b8775bcddbcb14914cf4

SHA256
b8874981324cf199cd582c94388f08e955d666656c0322ed88acd29360e9ecc6

SHA512
53289aad9eb94ed628faf305c3b176007a45d75631c9c997af88230c2390c3f0db029a92ebe4cc741c6ff4fea3b48d33499dd65d82cdccfa17a941b86823b0b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
6eebc81ccdd5d54d618c9063505d971b

SHA1
1a5913e27e42124790d6c110381c3e55ff698cc1

SHA256
70da529bec7e7063b62825ac19e3f45b2da61698a156008ea947c5d75e4d8b16

SHA512
6c7b3670c55d1fff285a47a31bf708f3b4cfeac1ccf7843fe81f951efd1736d5c128c08afd6519d08d047a43cbea4fa5cc756cfa886d3ab544c957f69896665e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2ee1b1f26102b301b24007d9b495e03e

SHA1
46a4c63abc5e3bb37cc89380b9aaa6db98d028b4

SHA256
d90e0e6e2acf2870ed860f900c050ef0e95e0c1ed6de2d9d60cba6b5da299f1c

SHA512
712898cfc675ce742c928778d931281c59ede6e39730a9aaa0f49949012a67d0ceba2a44dd205a15f6ea2b12c15ea1da973af35ba2e6bdafcc1ab844f5ae497a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
8e14a7c4be5b22038f37c1f6c98fa70f

SHA1
c1783a51e8e1039fe571ac8a1b519b53563785f6

SHA256
7d1706a3de812007324d3e39cba27c5501d33115ffb78f672fa6307d310531cc

SHA512
cfc2ccfc4441ee62c352df84ae75cdf5beb7371ffd9fa9581f9527950f8ea50d63dc192507e1fa005c39a3dcfd261a38a994481adddd7c28f4e58710961a8540

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9a8b21bacece8d5dd826375658f29690

SHA1
5885b52d3c7331b093fe61b6443024c132cfee4f

SHA256
db58e97bf2cec987232903065fcf9422d132a924c2b30bbb50cdb012ca735d49

SHA512
cefe2e7370dc48da666ff7d7e707097866c4e5b9531e5c01e376d8ae8ee4a8bf6d6c71984d49fd0495cac8e000e4a14d756556df28b71adcf3bff8d1deb5746c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e781f4102278fa89257da6468a834b62

SHA1
ea1afeec722936c09a3d12ea0cdaee89b4cd5912

SHA256
6683fee86a1fab9c964d39dfadbf157769237abccf84d036a37d321e4644a2e2

SHA512
6cc2c8584c5dada9109722a5f57fd73d63017ab93232e6a38b4a1d7d78962d81306edc5661c2b18bd8cab31dc91b61801560f3acca525411fbba6d08f16bad94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
31a4ffc3c59fc063733531d92aaf1ebe

SHA1
1ed99770bc004ce59747c9c2454c0ffd9da1458b

SHA256
783bcb6505d349ba1874bc22271f15f53503a50973d1ee9b884924d879938579

SHA512
b1e7d52ceb75ab40fdcd43112df18ceab98422ae83f7782c3336067d593601c6ba2b388d7753ed284448a097a3574b9a7b3e42c1ed049d727ebf10804eceb697

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
a9079786b92865ecb0e15dfdde47cde1

SHA1
e22c14433678f52c6f9d715cd7995a257c9de190

SHA256
6647af8a3fe0cbe18532bef6c7299ed30daa13857c532434a03e16c7e3b68ec6

SHA512
f8a39e41ff4921114f92f1b2d64f73d1cfb280f7dec23f29b05aeefab2aaca681f58383490519489859cad9334210de004d415fe3887ab5ad37fe76b5ba46a48

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
232a9661589ffc34cf3156f76fb8ecbb

SHA1
02c1b259c05e047d14729806fb350f1a4d77629f

SHA256
faa1717c6cc20025dfe983868cd96cf22bd99a7e3ff7aa501dd928e7d62906cd

SHA512
9f9f8cd335e41232fe0bb40afc3b94909238fab04433acba33855990d2d3a24d2dd109b70672a37f88c0aa67c942ed25f64db3728c7280da9d6159dac6329a14

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
7cdb4a7249ec99e0f24d2a4e2ad5bf29

SHA1
eddd4bcc5116e51efd62ca587cad5a107ec232dc

SHA256
c29fbd46d6c76f0fc7acbb831f87d193c87269ae109d9e547b6c98fda3fff428

SHA512
784865917069d72e77918b58b5dcaec517c9a7456fe6270aa42590d851e116531a28eae765f4e71407d748c8eb122251787aab29828072eec81e5eaf1b05990b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
736083c18ee04e290ce09644791fd978

SHA1
af9ae31ffdc3cf75b9e10a7d27c7d024d7dddb91

SHA256
eb3990144f5e4597f6853aa752a30e82737f545f144990813339941a6ca319a7

SHA512
6f25c7acbaa989fd40565c969638438e6d3544a23e55896c53c1233c0481f2d1a4d39de1be94e890cea152ef19c3f4d9d84aed39a255e113ddceb242412672f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
5caca39dcda46c3975d01b48e33edb69

SHA1
ed0fbf475569df6ee67a1249a17cd540bbc542cb

SHA256
13e235b5cf582de843f9a76e7ec4990fc3d22ae817abf7929906c962a9184382

SHA512
430886684c075dbe0dede53d2551e59b7e957649fada1340545f3c03a21c4cab35407394782affb6d1c196cd2b6bfc1a8b84c38a68489d3c56a31240f33c89f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d62a8dcd9411207c324fcaef32b141d3

SHA1
adb37207ed6c9dfad01261bb81c35ba73ae171ac

SHA256
e33ee3f350e4206629a253c83e973d4cd390aa3bfa90c2fceca46052f2743027

SHA512
aa59be9778e486d3ed7c9b58e0b1dc82aabab71e9c7ffc1da7b9ae26180f38973eb917ce8185f1ac68f3af079b1adaee1e57928c23ba94da5f7360ebb0096494

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d61a96a3b13fbab81441231de688e116

SHA1
cac8d5ef631008d315a6d1c0eba22d9167b5bd01

SHA256
b7391571c3afff66c1abbf878fae78bcdc9308f442edf68c1ab46096df49932e

SHA512
6d988b65d0e94a5ce1e2522fdbf8c53d3645226804582eaa477393e9464bdd756045577c8da65ba48d29a590c27a1c6c0b8906d23f6320b4239d4a23234e2f2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
14a47891b1958c174c19f588f3c32b6c

SHA1
d25f5d9cc247bb14bcc71ce0a15acd4e2c88ffd8

SHA256
7852dae3c8807bf782d977fa13f7938b641e175b5b2f0c752d0161211046b37a

SHA512
8b1874a118d25e6fc195dabb03b068f657331a4013aca6a048b846f7869f3505d31e05fee283fd33e4ebab130898757b026760afead1f4c1595a411296fce003

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f6ea135dc4dbff48cde4a711de1e8be7

SHA1
424e16e286cec5bd788044e14d5d3e89a51684eb

SHA256
5e4bb11836ccffc051ba3824dfe76c852d74cd152202c62eb942c0302484c4a2

SHA512
78b104fa61710874ee58d738e507898e1ef7b9079ba58d21e455faee7740883312bfcd0c50743662961f8f94a328bee8af3420b7d37d82033bcdefe6511e356d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
7244e0a99be18ec0560f79bd4bc65707

SHA1
e907f67e0e63c91f1450735adc576b31613c6a02

SHA256
887fce007a3f34bd3bc74b21642921e84e50969138da1224f82a26af154c239f

SHA512
af6b316e616c8d6b815f39bb801c408f9360d03d511146fcc9d00ae9ee43d4df1b62e5bba58c91d56e6619a60d6bb98dc8e51cee07a06c35fd28b4c14ab68933

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4c495aaefbb6440032738b4b697d7138

SHA1
c486ea36bebb6c49166d2c2315f76fb6f4094ade

SHA256
6b4180c5a9e9d70b16b7204241ac26495de0bd88f7d34e3b785b422bff75cefc

SHA512
b8b4e7b73600825b983e98aaa33ba9d090674abfde8b9c0230df85dc80c3ea63eda36e2368d0aee877bff60438617cb415ef3f8f4d8741c11432e6ab249078d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
a73f2bc05155b621eae9acab2bfe7705

SHA1
8a539205690c8dcdf5b0ad8ac621239594577e32

SHA256
38db32806e79153b1c6203e1608e79470760397e82818f72b4e8ff31935a2dbd

SHA512
189d39e0216768d42e6812ddfd989e6f0e17c29d89d5503af3201af121745c162f2cb624f2d6d254c4a2ee771af0ab5f31f57b9006edfe68987a94973a312a24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
3f336e9a578b9e39a60587a51dd14355

SHA1
76137f5c1f7b2d03774a098e306e64c3e69aac51

SHA256
1b45d08d3bc6f4fce361fc02295e4957839f53ef5478f0cc040ad1d928ae3e83

SHA512
0213661596d689a4614406b27640aa3e78ffac1af37601d488d80ecf28df434c5a7cf47e18c4408a4031f42b9c5cc0b4459a67f225bcc3037d80142cac4e397e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b4590c0ddff61ff042a766b2432acece

SHA1
2555c44aaaea58166f6255aa477889f234b73c47

SHA256
1009d25b668c7a180850301573717a6f0d382a951ebdcc22ea1243dcb288811b

SHA512
85b16b5210cb4da86eb5160a393dcdd3f6c983de8b60c75ebc93918366f56c1885294b471c561233c5b98e998eb593517801c74dea88512e1ad8721e22abcdf6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
bf03f186681ae04a1d0212ffc1e93b07

SHA1
38cd55cfac6d815c1b687232377f25d795761605

SHA256
e33e8b1b9c1ebf17f4cfe189d5812265db3d36af1479c53cef915fd5517c5aec

SHA512
25f26358c8e00cf60675fcf8d87198bb351a1551d6cd87b85c0d482d295a76025a6f19a9a00e2c2830e73d8ab95abe326896721f91a6b873cd812c1447f17687

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7f904a4e23b1b887687e6be8583e2646

SHA1
757618686d0817b39d00865d5f941104ff744eef

SHA256
f993f3276af54db781ec91899fd5dfb1cbb2747e3b000f419736fbd4aee9891e

SHA512
b04bf54d3c76941d5e737ab4bff2337fa421b5d9b263f6c4986f7ec37f2f8d69c2aa5d499e3e52a846795a49fb02115ad7ed8a8e247dc9c3fa256ac687604aed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
67611322e05016913c72a35b485812ec

SHA1
593b9c8b61adb8d4fd743f436cec06b4d28d5bfe

SHA256
52a671115f1b08acf7369ff17fe1c1d560c12caf4d64d4919cf381de7ec653b2

SHA512
5987ee44de0ac250abfb12e46e974f597835ab548eb68f05ae73c48a8188697fa1564b00c8db10f523e69d1f7486f653acfd29bc8ad8fac0e94d809e589f804b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5f3c92a435cab2e84d2ba9bdcec9b29f

SHA1
dd85114fe59884bc194ae9ac584344d09160f747

SHA256
92c6974cb3f93a02d79b013549ecbcba5944937671d25ad2d74ee6ec9bdd9940

SHA512
3aa7e7556760b0ff6f3763491b55783067511a4ecb894c6a5440cc75c96da9fe7e615f4d42c79936bd96c2c25d41c0acd0c3057d66a2ab864d627bb0a1cde7ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
4dd0f2fac1a7d27bfad1c383cd90b2f2

SHA1
25cc8d453de1693d40f9a44e97618077f916dca4

SHA256
61adc3ebec0855f4d65da3e83476899193fa00d03543a9da1db6a14b44d6f086

SHA512
851a1b4638e48ecf498a1051597c9717976a66223c45a1e657a880665c7a95f3e9ee73b3e4e6b37be5ab2ae0f8168fd948ab05ed065ff1729bb5d46e23e1560d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
88fc8d65f6ba94ddd0f50745f9112672

SHA1
b17bac88b8ef844fd832bb9040b67a3347ad6813

SHA256
cd2b2c068b11930c89814ff85477347e8bdeed811c3930f29ca500df1d12a99b

SHA512
00e2dd52ab06fab9a63d33b459c0092d6639ea0f01b4073e230ae40afd918160d2efe6f5c33dc41e177a62389fe54e37287cb68028a043a560057d39a29d9e8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
0e875d48415ed7bb92e3acf15e7c3d93

SHA1
7e1b2fe48393f572d3d80f4d3f0e97b52fa22f1c

SHA256
98383e86179e361a88c7995d13e113bc93302af2a566296433773da208762921

SHA512
f9aa0d617eac4bcde707a290e4acdbbde53cb8242b295581d608ad7d668dd01fd5d5a30da63d4fb5d4dd07f8e0dfc4af4faada4bc1293a99395c5c17d2dadcf5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a8a9609682bff3723c822949f22ebf20

SHA1
6481f7df7af2bd36e98c13530258b1373c54ee3c

SHA256
97b429d710b0535b630b55fa3018ef314adcdb0cae306b15080bf60b6da044a0

SHA512
84d80a278f1635500a176438003d55cbb797c2cb08e10724bb551e00645f5ae685d5d62046a570bccf7c80fe93d13556ca92d0cfb3ad37798e94aaaf567a4d2e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e96800db8e4a50f7eb43ec6283eb8a32

SHA1
e0be4cc498e285275196e08b4db2ccd9e0ab487f

SHA256
8bc5da1e2af137d1e4791b7a871d25d56fd2fa8e2af209d47b27dcb1dcbef9c6

SHA512
74a3cc0eb5a0fa7980097ab2097382cfc1cfe8d0542b281eeac515720fe15ace2e77a1f45fcd2951f07521d7f383096f6edf8234b9da16cdb9c9d624178afaaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d277401320956ad190bf934e544db2d0

SHA1
43659976cac534ac8dc4bda40b2ac0b79df622fb

SHA256
929c12e77942d0edd4497cc9087de080d6bc2dec5bba123a72bcea8b6822f063

SHA512
52893666b6a724d0353b7d39a38f77bd5bc3915e57fc9bf38289babc71d7d8b15c6631f615749fdaae3caa85051e9d06b8ba48d928181d754c047fd79d681f24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
3d2a1eb36ebbd465f0a6f9d8eb9bc2aa

SHA1
0da6fe21526d0c611e2d5d2f3d56c4d885883b02

SHA256
a4f178049571868ff1f78849324c53555789a156191bc35a245a05644ab03a01

SHA512
062438abfa8830eca8be7cb1e0fc40d244a2023e9f990a810539cde8fad9d4f60523a3041db001b4abd86160be9576d29a8e5e1cf65e6b60ea96f1ad12d7848c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f105d6266ff4ff23cd7135d6aabea7b0

SHA1
800bfc027acab23d3e159bca5617fc21bb4be9f4

SHA256
99b71682ea373bbc8cb664c2a4e5cc681ebbff9f81d895b5241388a77b1fe311

SHA512
22aee49faeff572d70a675224972f984d06b2af4f56e20e01977c20f988eb547affd9665f02c994ba2d57e7f4bef58bd6fc52c74f9362b6d4fb1efbca57d2e7e

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
7.0MB

MD5
110370870c145397469e856dc5f3a723

SHA1
c02ccff7eae9615fd8a50683670c361799e315e2

SHA256
b8a47c7a0ea0e67c89d254dcfc40779ef23e731c7b0bfaacd8e1f36cf024fe10

SHA512
52ea460f219eb63636589fbcdea1e864cf7a5bfe275258b52a30d45fd97fab8c810417ed5c3f3f7fc0d8cab3b85301ab7297416f4e81695e590a75751ccda7cc

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-786284298-625481688-3210388970-1000\desktop.ini.exe

Filesize
7.3MB

MD5
9137670c4b3ce44e49abe29456aad901

SHA1
22c5a8884d99b76329f4559a8fbe0db6a2833693

SHA256
019183a8add8d18a706813870f3239b59006f24495dfc68a818b58347e8eed59

SHA512
fc66de53400b67061c1ac09cfa5f67ab7e3587eb51a278a1222f2d68a15fe83f00a232c6f6ede4fad9ab3e048a4021af945ce43c4df8649d7689eaa7b7268697

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
7.3MB

MD5
b59ca4732457793b33ccdeb9def9384d

SHA1
040e46799a87935827347ab12587176c2328bff6

SHA256
a938560a8049cc9d5cdf9b81d4aaec38a3f3440edb314be676932abafa2a980a

SHA512
5858b5afa3b385d0449999e6743d523be0fa63f12649cd2fe17f6092076f72f55dff31be95d9b7aa02e1cd58d4a7c5530a6d1fb7d571b69e6d6168de2cf044e0

Download Submit
memory/2596-0-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/2596-45-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/4540-5-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/4540-52-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads