ebc2297d17d62e0ca3d7ff0265e79ab1802b3dd37485485f04a896c7277fd95e

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
Size

7.8MB
MD5

2ef7ab99a6f493e6057f8e2cd3038b98
SHA1

46a74eac26a3fe8ba7da7c7ba5f5f8482effab03
SHA256

ebc2297d17d62e0ca3d7ff0265e79ab1802b3dd37485485f04a896c7277fd95e
SHA512

23d01d06c43d63aea624bfd1ef1a4db6710bed29bf913b0415e88a6328f9581ff291da9a173c4b146d0652e7479ec0987b4f30d9b7c0f58abf1c48e6f42b9107
SSDEEP

98304:Ji0ti/LR5W6oIMzKpXOai0ti/LR5W6oIMzKpXOk:802boI2lj02boI2lk

Score

10^/10

aspackv2 discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000a000000023c1f-3.dat	aspack_v212_v242
behavioral2/files/0x000100000000002c-15.dat	aspack_v212_v242
behavioral2/files/0x0008000000023cb1-33.dat	aspack_v212_v242
behavioral2/files/0x000100000000002a-41.dat	aspack_v212_v242

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
1336	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\U:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\Z:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\P:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\K:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\O:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\H:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\J:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\M:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\B:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\E:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\N:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\S:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\Q:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\R:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\V:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\W:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\X:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\A:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\T:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\Y:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\G:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\I:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\L:	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened (read-only)	\??\P:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened for modification	C:\AUTORUN.INF	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HelpMe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 1336	1164	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe	85
PID 1164 wrote to memory of 1336	1164	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe	85
PID 1164 wrote to memory of 1336	1164	2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ef7ab99a6f493e6057f8e2cd3038b98_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.exe

Filesize
7.8MB

MD5
96128f7227548ca83d864a1446fe000b

SHA1
13909341ce7910ca287ddc7ff5901ffe7f3c0da6

SHA256
72d6e7608920e3bdf13d06121af29779828ba327bf9b4c5f17b33a21d2b94e86

SHA512
016788c55bf35ea8360ce87664e18737d8de45d3eba39048b460995e44e27a4f5f1b02ebf0521caea5403d5d8aca231fb1afc378e8c03858532953f262f2e21f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
31819fb4e0fd55281f635bdba8c4453c

SHA1
10d9f613778332e69c0fd650630af23bc7e3ab66

SHA256
c374ff70b68e2bd115fcbb0bc4f3539be530d95b919162b3786f524749d0f371

SHA512
a13ac538a9ece5a15544b8e1692aed3f8443d74fb5b1444f11857e03db583b4cc11e3909f9126faecaac23a8ef7d6fae1b6731838f328b92b2beec47a9e72cf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
c978302504b67993093605de2435ab85

SHA1
0de8e30a56782253f9ca99666529797bbf4a488c

SHA256
15bfbee58d54a15c80e4a0d4d752272827b3e11433cbc6f041891101ceca855c

SHA512
e643487a1415175244488aafaa260218231007994503051a176a7625c4d32e855ae5a3b569041970679c0ed80eefbcadd7ec00d0745e1ec1d9b2bc30e3b827c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1d449450513c0722666df336e7895062

SHA1
8c026358c656fcbd03cf28f16930fb952da834f8

SHA256
f4a9abcce569e084d7f73f83c221544af2faf566057f12843cee450da9c8cade

SHA512
62d9b30622b48cd1028db7a1c41fc5a9b4dbb9cc01bddb4968adf7a93aaa9666ff9af80ab4b057a4d9b4bfa642d417e3d804933eb1231203a913a3d1f5a1394a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
68b7b49ec2508028b4dc389289ee883f

SHA1
7ab1959fd82430b726f77601e7035a816f129652

SHA256
c255cdf481565510d4760cdc5dcc7e09ef93dbc689fd92efe2834aebc10dac17

SHA512
a0f7b59a31fc5e5bbf88cba70b1ea63807809b49a10a1292533db31bd70b6b875edf2eee266747807d0cb8482de68e20d92ba821a6e749b0e29c24cb1b4f2556

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5c8b9e536f8c434621366fa602cb9289

SHA1
c75115f222ef0020c0a87764e13ec799a42dd697

SHA256
0db3cf10c60da9bf307e4d6e79b8d5450b5ae39e6589348a92324d052db8317a

SHA512
bdcf8911ad2173970bcb9bfc47e9957d30b2ebda6b076ace3578a64ef719d625437f1d2bf691a9198b78205e7d88577b065c9ad56a654642af5e77cba161271c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e17342e4a202e8a71cc5a798d85b47a9

SHA1
76f78de2f9fa891fdb317a928dbb5b1321a2857a

SHA256
42bbfe88f96676612f886fdec2977e0bd34024bb63243d62b47e2b71dcaa0c88

SHA512
65ba9945bb78e726175fc6820cedab5c120224e4283ab49b03347f11d4d1778a80d1de5ef8137a42620090ff3d7ba0571ab1bfc790f9609a020917c3c23d51c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f263b82d2846f7c35bb6dc77a73c3933

SHA1
e5d2cffab91be1478ad1aab916c9fcaa6e68231a

SHA256
e02f7b5adf3e97a9b0a81c0eb9c286b68bca956eca786cfd8ff205d7f2ee76d1

SHA512
1002a2e22d1b03c1a8ab0de86b1d8ed047f2583e332669d0df78accc6a27020f1af4396dc765950e145b415aa60ac7955c33f7d458ca3a25cd9cdeef87ceddc8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
872a1eed536f51a29b9163ef1f22dadd

SHA1
a69a72dc145aebdeebb800534ef112bbde6edeba

SHA256
efec60ce49a450dbb8130cf5a3192763b0b2df2c9c3631545b047d85519c371c

SHA512
d54d599dfcd6d5a73462b1bf4cb467ec2c3b1b0c3434a35fb57f5ce58ac8a8ceb0db03a6da1566476aa2c5cc3ddc5841243fddab32f3c071e496ae19c54d0e69

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
014ec8671e3e80bfc05a2e919e9356a9

SHA1
92fa281fd5297a9487295b13e80048c7b861c240

SHA256
17bc5ffbc78b7856fa04d3f561ee638bfb063f99b4fd903a4b795117a3044228

SHA512
e61843cba6761e257985fb91ab50f8f4066d73d09cb843f46217e2750f23b472bb79f94a2fdc4e6bca7a2d3437f92b82f7b4792b975941c21930dbb048498fdb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
027e4becabb8b0f7f5fb8bf7df415d22

SHA1
b213bcc767c50aa34ca7a2da4a67fb9506d5246d

SHA256
f94cd6d776e3f23d57bb2d09f80c2488df075d7b1cae166aab2fe0c2b35f49f3

SHA512
321f32841964cc817df57ec4593fc3447a2110c9c6bfd698af3a5517d6dea4e875b837f28cca563a821b5a923210ecd6c7b817fe9e78656dab50bdc593954d25

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c3280bbff10dee0f1d547116fbaca749

SHA1
c14f27ab26e722b19de3f3e4d1fe453333bd6697

SHA256
d3911f5a7277eb2a27efa27a881ebdc807713017bbd37466ccd4e844c3de2ce0

SHA512
c271859d84639243fd49828b4ed5446d66955c64dcad26e3f12566cf230e85c5dbcc9354e2c2ebe6d1b20855b7a61fdef23500e9c173a60d163c8f8995d145f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
7e170187a7de6a5f29a9b625dbc9b6bc

SHA1
3dc9aaf05d54b8e2f10f786d447e5093060f6765

SHA256
e0c8c01b354975331568283fff88ba7fb3170f193f04bf360b3a862531439250

SHA512
549b23f089d8fdb6df19731f2254cf46f0e2823120a5acb903bc5814bedf59fbeb3a3915acd5d570f4e1b1a473a4f6345db99b74d6975f0c504279c7a1d48428

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
12bde25924c477f8561c2a9f3a35b0db

SHA1
96e7395c9dd659787e3e93d67e93199cdab8ea04

SHA256
a3c6dab9bd53e0b6369e51aeb1fae881613016d7adfe32774590c0fbeecdba81

SHA512
175d3a4a5981f48a6a6605a52ed6f07c7155ad4ed88f8b12a157bfc95ad5b803ac718190b2aaeeeee0fe537cdbc6df70c2e73f993cf8ec05bb0a15296556e83c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
a83cf020da2ecc9b204e6263c451ae5b

SHA1
ae56975d95e642922eda6f67291ea2a8ec763b3f

SHA256
130adda2258f31aa0362f2e0cb9af10cd8c774eb1f8a7b384f4eecb82116db85

SHA512
f49b517a3d8f49abee76eeaa9ead3b0aba1e315922926e4914e101470b593918f48d9799f6f71a1365b7669df2e1e7cb392ce70cb25a4de3ad1da413f9e81186

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5ac46b2ae28114c59f076336e23ae218

SHA1
abb12b28acfa52489d4845ab0f61cb27d9bde719

SHA256
5eb9a3618b3e42ef3a63b98e6030c17d9f945d5b274831da4407bdb52ca55567

SHA512
82a2deea4bfd19446b107674be2d1eb564ac921eb2822f032973a1739973b57bb20b77e8a8c1d7554d5e7819ce5d8bf41df7602eb686472f2f2d55552f528615

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
f00550510f2d560675015aa7566a953d

SHA1
60ed384d34259b24f2dbc6f6b3aa188c810511d9

SHA256
0609c72df3ede7588a19fc56fb2a644bd5105f670a76975f6e1ef85d9445670d

SHA512
8c71b9753133d24695c91d243e816e51d4cd25ff39ba6e5e925c2f135be7f19de463cee162373db13cc21b347a9324f75c75d4261dd478ccedc07731e7847df9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
bf5600cbab6688010a519093cc23edfb

SHA1
70114aafb9309bd5c142e76fa3266cfa2a02c8be

SHA256
f3edd1b7f822039df1d653f382481d1c16f0eeb7d2cf7eef839f8683390f99d7

SHA512
3e9c332963bee2871a0e6abdbe02df7e5baeee2554153f217f6943b1cf831913a12cac1662f49f0e931ccf3a61e32c4916e6f6527b5c307a87a35683a06548ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
094c471e1d741612b3caf1522988cd31

SHA1
1e2d4f02b78a6ddf4f6b23f642f377eb3b7507b3

SHA256
68dc0c58d3d4921cf0da7498875bcdacdc6bd2ad824ee11fa801cb85607d1b87

SHA512
99b532e381a548386bcf57ec37b664889f01af091e1e4dbd51ebc4a5dfbf3d658b02208dadfc5a258d9b61f5c0404064c72e711a480a01ea64894042aced2dca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ba838f37ce00e733816fac428259b7dc

SHA1
3d885fd5a9954d951cd2e5326bfa296ff804eac7

SHA256
04d92a4ad1a121c980c36338fd7cd46bf58b57ae6e34c5ee78f6d8979419e58d

SHA512
ccce2cef85c473fc8bed671f1cc5d94e6568b5e38fc4b79d1d82ca5e93a4e02b3b5bef8a25cd72d313472f3e5d855cb46359881ef6ec29c3bee9434ac3a0842c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
84405981cf69919917c023cd91c05090

SHA1
4f41467dafea8206df27cedf6e61cd7b8804f16c

SHA256
374b1cddee74690b9e363bc2eb458256ef05a5ec7b90aa08a1dc3ff60ece62b7

SHA512
774d70ac1a8d1d6bc7c5d9171be7495087a91748e6e539706c5c68f46f43f90b2395b306d8cd880ffa773dcc2c997efd6d5a4d304d364e58175e34a2808eb67d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ab81a51022fe7d4301d4580825bd8dc9

SHA1
87faa61b009ad25e14023c61159668c2c71a2a9e

SHA256
e4bafce860ab58209285330af029bd87d1a4a7924270acb193c6b9a7c6634751

SHA512
d733d26ebdd7144d90dcf035fbc1e39b9523171ef411a2299ff809cf133b2c32e1a3b7310d17fa25d4cda4d068fe64e767b77f6e5fb59d1f298a9eba471f7184

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e44d58c0311189f8dad3aa87f5e0b6da

SHA1
21beff2a91b208ae66601c0ef672dae50709845c

SHA256
bc327322d6b7c2309aa5bf32d62d8ab69a1f142239ebe761251881809b6170b1

SHA512
c12e1b76ace86148eb98620c42914ab3ed663ef8ff1b807c29fb7ab7129fd7d56e7d692984de4dd6043299e4bb7354cc74541863678812350093489f91e65611

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5153a1cf7c1ecdfb98de16fbacfc0ff6

SHA1
e54b354d3391d2acc35489b3124a93f1c941ca7e

SHA256
749148a3d144d1e10b56a6b4185142a4bcedf7746f8b6cf1938ef285ec86c47c

SHA512
e0ab2bc5a18bdaaf72053fa450c23f80b67bc98e3f32e9060cec08a5b606f12930a6169bd0c3f1524d0f9f3b7d6245e65c511c16ca15741038070ac0f6e42184

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
bc1a82b5ca42439d7e007ba07b3168df

SHA1
67e2dfc27c91f3c331cc35bd3765cd8080545676

SHA256
fa863e79799ddce73f7bb0bd6e030d90180d5663ac6d89732629951399679a86

SHA512
2a195c881068ad40f22854f4f3d86458e1d20796ed98473c58351220fc8063b18f7c955417f3d71943960a6be7a37f5057e43790806ad54bafd4551a05f7b345

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
781f0f2894c943fb4ccc0f61656fcf30

SHA1
c2ce615a108dc0ad6bbb8dbab6cae1e67e519ad8

SHA256
48147eedf6f877f17b013624d04b0191b0d6c0c7ab7e41cd108fbd716ed391f2

SHA512
86019ad3feb2b7c0c2f8f6509dab5ff41eba9e2f15ab9d5bdeb090a2ec90f199d79f876d601b80288d0dceeea3637b71f6304ea44a26546ee2758ed02345b43c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
b0796f5fb50c6cb6a38e013b12d4c806

SHA1
92db9aaa7ffe30873cdc7e84ce0c638b369100d3

SHA256
368ce3d1e489364adedfcc205562baa69f15ff41f4d0faedebfd6513a202f187

SHA512
b3266306a5bc1ebc234388d61f66a95e18177ab1397bda65c1ec47ea7a3401e56d1f1dba8ee055dd9d155d90f6d47e3c9ea213861869a5342c7c02efcde681e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8af5a9f886ab5461f1fa845418eb2602

SHA1
7ed3e20f1c99fbe38bc4e6d6ea87f58e72310fdd

SHA256
efe7bd4dd4ab7d615b06b8d0992fb559d86027c231ec20a240ad1bdd30e2cb39

SHA512
2776e39d1e3f79564c89ac45ac8b9b2717d603afd6cd627d2a2e26d28d9c764cdba9f58e8a357b2b1c70403a9dee6a63acc4e0d6bf6daba36e5eb25cfae09357

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
6de3966bbdafa98095201cc3a1c3bb8b

SHA1
28239beb367f4c21ef1d865d0f7562ec2d33b254

SHA256
3fe7e8be2acf50b6273d30e25b356256e420b121ac7c97606635752d9fa6b84b

SHA512
0e2d07f4b9494f0a9d0ee72083d88b286c77dc5940033932931580a02c1c862fcf3c825e0e6607fcf3f5e02519c055d944115675983c028d0dba510288c4b36e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
653790f9a8b3a162d10d0e5f33fd0ff5

SHA1
b46d8ea5f4577f8e86e371df6b3c68abf89ebedc

SHA256
2de40a053971284563b14c05058544942e0e9413ee1110ab8285ad87d955b1c5

SHA512
85683ecb6c2f76d53fd189cedd9d3955963650873ce64697be9176e0c1b5ee5689652cc6e1bdf27056eaa512e180c3f477a88240becbac0b745163bbd53e9f08

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e6d3252f6b658302a2ad6b62b06a643d

SHA1
7b93bb43193e617d448a82b430874ee9f3ff74d8

SHA256
0880d7be0a9009e02c4389d668fa8dd2d77dce07f8e6aaa344b1d892f93d247d

SHA512
71ecdfb41dfb2496f5ae747e5645d71c9a24b257a8f8fd1e2d58df536f047c7ece6d4590d28a52f82a7b0010a30273057fe9ec485538386490c407cb6d123450

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a266959eb7a6184def914af7178684e6

SHA1
b5a68c8e089aeb19a02d8dbb8ce6d0d021355292

SHA256
63bf27d1373a42880645455e257988ad59bb89276742c5eac01eaeabecb484b9

SHA512
8bcfa8151cb8fdff66913b92840b865bceadff765525030d694a6c016ce3d3b40179f1275ed0d195e7f48a19c1ea3daf2fc63e5f31e704e1c94f2e84ff5e689e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
a7392e126607584cc98502bfd1d532a0

SHA1
90fea313e1bf426ca50bdb99b9e0c8ea0ff46f2f

SHA256
f268f3f04ffbcace3b197c52042fb9859dd8df30c6b11451f0366e52098efd80

SHA512
6d54851cd008658f08d8ef1e80d0e5d420b7e8181cbb12ad75f28315f1a0f82a4d328ffef67a114cbdd913d43628e3b498237008af3dbcbd913cc2b74e37dbfd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
659786fcd5066f47c730a830de7d967f

SHA1
339f811f6339f80398d906143213b78527598478

SHA256
91583c3d1e45a240f73fabb413c0d1e32c7bd406d6947319cf8901abe1771d7c

SHA512
42959a42c2315ee940197ed0b3d44226abb091bcbbac5ffd91b5445abb276d3a0d8cdecf0007a3d6f869a5848f56888ecb4178b537f6cf4f85487424b0565153

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
0795271f9fbd7f6d12efa3171abace5b

SHA1
06097c733683445761120c36a9f4aed3c95c4ffe

SHA256
8a4dcec69903db64f1d82f8bd221e11127595542704b167d7a0523b7c5b817c2

SHA512
c93e5a6c2c066465a808568b26a8c414b138e218d91f0355276bf8eb06ab77f31f64bdd67aad3a48be245fbfb892759f5b24336442feca464db539f993512f68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
014c34ea37ff1d1a81dbeead14a32328

SHA1
2c2776b557b1209aee6ae698a21e11dcc9df031d

SHA256
bc5593bd5917cf88e7af13efd6266ed6fb58b70385b23e07099fa290b363fb50

SHA512
f5f36579b69ee59b65e6ab29cecefb3485b80a8f28038a61e0852796ef8809cca5366671fc90688bfd3c43f65341a96bfe27a34b1bf8bae5b1213fe5bacddf95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
174a718e360f7cfebe1a15e1fbf7cdb0

SHA1
df3ed7fb70dc1e06f6b011ffecba48b4f0ebd17e

SHA256
5cceeba1250736ccb68bf8b890c26b55675720c59ef2a9e6575477277446b678

SHA512
bf8a276e89c913a9b1cd7c675c8fcc9edd64451130d7f08cdacfccd160f88550d9096e1a228f49f1506c28731d3be2f32831ab5d45c8c6ebb418eb74694812f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
85532c5b2b8aae4a43cbe351f1d55a21

SHA1
244c5a74911ab188e05285f8611cdf9b0f9e03b7

SHA256
f809eba65ed7b418b88668bdc9f6e5e3bad7db4600afecba8a2b96af3f4b63f2

SHA512
9c446ddad3083fbd3120551b93723d0959fffb17d2b895c552106a82bfebea0a42e5def9cd16759a32bd0760486b1f6cc43e24e5ff32114def88f7ecd6e79bb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c58405be1254056c6ceb7af3414b367d

SHA1
edb0eecf6a34cc731528e22a139039e11f498ea6

SHA256
a6f12821d44322e72c3b7da8158378da9c4cba20fab75192d26314008ff6302b

SHA512
a3a4bae90747063719a855ee0baab114da47e59ccfa135945cc2d88ace93bce03cc9e616ca1ae52c8f5cef905a9131e19fe5adde690e8de408aabbb6cb40fce0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e6fa9d1da6d000d876dc42f69ec0bf6a

SHA1
bbff6a290a6ba302e9de6a08e684fc89d44feb88

SHA256
af48a594319d78d0078cf81ddbdbe7fdd61807baf4ee834bbfdf0d6b1b20652a

SHA512
02573cfa4de611128ae580af821fd377a51887bd43f6645dba2d15937e48c74f54007fbb76f0546f181bc26831992cb0b693b37a319b5e9d08d5b73ef10659f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
be00d271373401bd0f7b402c0c5e74a2

SHA1
dc0a3307d739c597038eb1831489cf73ae67e2cb

SHA256
0d8e5f12ddc527d3c475ca683d579c9ac52235046aa1e21e969bbca39942d2f4

SHA512
73180c5e995760451d15046113fa917793bf772eb61e715470b4cd5c0678b7138b1b1e7e94d85d0ab9cbac62c97564f8eb0fc1924b10e37a3efa59ec6dd4f56d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
5755c47b2d212e9ea96467b6f60a6767

SHA1
3665f245a99cbae03d6b7404d63cdef5dc7b932f

SHA256
626840a1b13370e44fded46aac97a29568cb704cdcfe790b305ee57d47e6b742

SHA512
d4e1430ee1276fba7665506c55f394b8d3d0fcb5b6f34b570ec9d0da0317966bc7bf959a3b708109ec221d66fc1f1c935380e3dc334995072ef98bae598b1f12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3dcbdc6e94c4c891e6574208791895cc

SHA1
5ba8c91b3c3a2bb30a4b699bc47dee675d679365

SHA256
a0b081c94bbabd2e4b46a9f04b46de2c4b77dc78c450661c453d5cb71afec8da

SHA512
338a76ede09f8aae4cc919a2f42e0599743f5cf6a9760d7dea45be4147159c84b93bd40143100716055ab1633f30119e6b03c10c0cb72fcbfb9ef470df6db294

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
3ef5f0a12a31f379c2f32bdfb893ac3a

SHA1
cc77a7dc787d227b76009a0a68d0c2cd08af2369

SHA256
12bf4275319cfdb76eb1fd9eda003198efb9803efca349c4b091424e0d907925

SHA512
f8731df6832d8b61bc249fb003b9a5b302e8cde1c7d8afe626568a76107f95972682ab56f811a48b8aecc6f96b1f787c8872e52d20826831c7207196ce967fef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
65e067782acdfff06c8c9a869a538ee5

SHA1
ef92dc97a6fc63f5b4e5449c2629375fbbd2c9ac

SHA256
4f66ebdb4dd299c06c4ec09dd1ba92c7762a730add797b1635d930b0d5db051d

SHA512
ac540cb1188e9326949fbcd6bb47adde7d8e7392274be4684654343a30bb2b2f3d29154cb4311c43d34dd6de3e63b259aca428c93cfb8ce364f8a4a194fea0c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
db04ce92df6192e385dc94eacf271462

SHA1
c94433dc95ec6fa2831361d4bb04d9fde2067388

SHA256
f39d57e252dce460f5fab230d5dbb0cc0cb036084faafadff4ceb7652556b02d

SHA512
c5212093e7a2cd498f0b1a81ac9a1dd9eb786227f7e71cd7dafd3643d410c20c59945ab7d31b17bc9e7ed8aa5e43a47787f85370a6b3f29d8efb4563ef66b245

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1fa52911c9842040a1b764d92a48f4c6

SHA1
24000f99d0a024271b754e1319d1d364016df07d

SHA256
6c8eeb413a89af66de41a93a9b8d02f2bed5a938f84378699f67f9b887bc6a88

SHA512
3f3f4bc5b6b7c7f05e73b1d63bb03b2b5a0d734bb3e9b31fe24809192910b7ef73c26781d91db5066528bbc036c338b7a481b78d5487c4bc9026a3b1bf3665c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
1638b7daa01cb76be048cdc87ed0d904

SHA1
1a13b582555dae0db318e37d45c7679a71830d66

SHA256
8d6cd79fc2c3bfedb41d14c470d428d9332fffb0159d06d584eda16b9265c23b

SHA512
f4bac8ae67cf3f3104a2c143318a3a06656cd8a8b96467b8864ab94052d78d2c286f670647a00a60a9d9a88a68be734ea1d77745c7dd5bbc70162269c3013505

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f6770aae5779063e18928850b0232fb2

SHA1
1d6735bc826d94dae9c0d8c103494e6d975f3b92

SHA256
42956d0380d09d64869dc263685016970769fffc4ff5ebede3c2db83b755d12c

SHA512
20533afd43df929c13eede7a1927dbfd600b20a094777dc24d297887c0190762a802b3ea494258f4293b7b6f1878d1744124d58359fd3e23bef388b5bcdd9c9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
39f88a1ef0e8cec73c78456470963e66

SHA1
5985658cb29b2e682ef5dfbc007294429fe000fd

SHA256
2a7607e3b86adf4e96f68417bc2596eb0755bc30b2c104cf2faec1b691c5ed66

SHA512
fa907adebf5ecd2d3ba130d0f5a93dc2771f4608fff30aa361587a433f30bc869cc69c4a567aabe9aec8eb1e8b08d57c7b08a53744bc9362742d068327a91505

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
597cf8171e23f1601de981e190f29302

SHA1
24e9a68681a153fafce57ecf5f301852e2049d7b

SHA256
255911ba08eabfbe92137364acea3aa6cdb6557bf6639a1eb1f3e2359c3167a9

SHA512
8976d684207e82acad98cd0c8e29d5ba05896e1f82a1373d7d7a23e1dc1d4894d52002d2e06f99a21a635734fba7933fe62d62748993b549f5469192926d7164

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
edcc3dd0c314f9b072c20494d984fa08

SHA1
aabe0bb8e532d2938239b894e8511ad633309037

SHA256
301a20466098c21bdfcf53c74b4968543ebd89568b88807a95ac46970f949bf4

SHA512
aeb975460f78ee1215e9dec46061392108d01266e6f4a1c0b69f9d8f5148e1e80903a31460aba024ece4639ff857937c4328afa009af6e93b5850dec93c2aa97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
91a2615cbe2165364c586442c54400a2

SHA1
0efb0cd90a8cb3596128a2d5e5ecccba1c5b3f72

SHA256
e911f11fdf6d5e4697aae7de8e5c5d77fd8c4d386213eddadb99091d7a5c14f7

SHA512
2e97b5825835c2ab9c22b50247bdd9ca65d2c2682f74ba5056ba16798ee4fe26385169c673f3a25da5c4128973665fafc17a4e76aebdbe135c39a01e7acc540a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
82c0ddc13b691765b41eabfdd8d239c9

SHA1
ea6039120dfa3aaa0a677233b67a72c58c50d4e6

SHA256
bc3c72a6cfda1919ca5ab2da86f30aaf7d3c8a6a30806ca287e050f6e9ecf0f1

SHA512
0e55cad348bbbd63981e83ff8321528fa274dcb1c45a8c0adc8761f1265e0a4f88d1a6c2b1f7587378363fca83bcd37962194530e414d23d9ee6e33bc8804b2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c1bc177614b8d5d05e08487d73886c0a

SHA1
3f222f56ae9ac11c784ffc52bfaaf0059808fa21

SHA256
3dac6ff7192cb9636cd726932feb8ebcabee03c4c306871c6cc317c41e3d2001

SHA512
225066d1821b5e6cbfc51f8f9b52eb5bae7d13fc9fecd523138745bfeb7115393bd14aa0dc4e58a09a9ae21407dd42b0ae6ee77b4cd2b1b0cb0b81dd1d4ced72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
693d9970ea957c2e8947b11cb2a45909

SHA1
a67eed2c7ccc66362f68e9d7c205efd02e464728

SHA256
8f3fb26a8752759a5591dd8a08e95570c7d438936d9bacd6128365959ed039f7

SHA512
b783811585131d426b0dae77c4cca42aa5173f5a7d8b0f4e17edf43f5017da348071f30c2b6e81dba4ffb0e4a14ffcdf03b348b0f68e816c3d5528b0b5874687

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
5.8MB

MD5
4139196f29b96e1205491cf1412aa1cc

SHA1
f88e119fbc723ce29135f4a2f598e4257a99dd2d

SHA256
5ae297ad945e61bdc53677e81fb433e98f8ea605ddf7400646956332cd537845

SHA512
d7adcb91745b435860ac0b3c3b5f4b0e5b4d29b4e5e0a6eae6f0c27bb245a1e1e2948a128ae71c184b347ac109543fc488b69f424d0087a6efa96003854a9caa

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.exe

Filesize
7.8MB

MD5
d0fb6c7974080ea9418bf5a9f7e3d67d

SHA1
6f6d0df080c473d0d4a6d342d9318af0453b798d

SHA256
f9ae6ecad0ddfdeefa5d936039427d1e6019c45659f9e93041b019ecf565dd4e

SHA512
5476a16ece62edd268a9b37a89bd9fcd7c0a3d2f42f926139bdd242ef6a40d5efc0cb836a514db98351dd55481e11bd5d06c9672aed013e9618768c28d2337c8

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
7.8MB

MD5
2ef7ab99a6f493e6057f8e2cd3038b98

SHA1
46a74eac26a3fe8ba7da7c7ba5f5f8482effab03

SHA256
ebc2297d17d62e0ca3d7ff0265e79ab1802b3dd37485485f04a896c7277fd95e

SHA512
23d01d06c43d63aea624bfd1ef1a4db6710bed29bf913b0415e88a6328f9581ff291da9a173c4b146d0652e7479ec0987b4f30d9b7c0f58abf1c48e6f42b9107

Download Submit
memory/1164-0-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1164-44-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1336-5-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads