900582dc5bf229c9079123c12be9644d679a12bc649032df88883e4043cdb69b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
Size

781KB
MD5

38dacba1866ae466d8da0504877007c0
SHA1

9767ba433109611806ff53793d84a55b8ae3826a
SHA256

900582dc5bf229c9079123c12be9644d679a12bc649032df88883e4043cdb69b
SHA512

690364a68654fe8b7f3c679fce66c7fe4e2e6178497c3d0b706f9bfd50dab4ee9f5b0a4e576a2d36deac427ee2a25c01af7389a60429881b4091982bc768fa0b
SSDEEP

24576:ZMMpXS0hN0V0HZSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0ND:Kwi0L0qkA

Score

10^/10

aspackv2 discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0009000000023c64-3.dat	aspack_v212_v242
behavioral2/files/0x000100000000002c-15.dat	aspack_v212_v242
behavioral2/files/0x0007000000023cc7-33.dat	aspack_v212_v242
behavioral2/files/0x000100000000002a-41.dat	aspack_v212_v242

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
4344	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
File opened (read-only)	\??\X:	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\A:	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
File opened (read-only)	\??\K:	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
File opened (read-only)	\??\S:	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
File opened (read-only)	\??\T:	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
File opened (read-only)	\??\Y:	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
File opened (read-only)	\??\Z:	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\H:	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
File opened (read-only)	\??\J:	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
File opened (read-only)	\??\W:	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\I:	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\B:	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
File opened (read-only)	\??\O:	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
File opened (read-only)	\??\P:	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
File opened (read-only)	\??\R:	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\E:	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
File opened (read-only)	\??\M:	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
File opened (read-only)	\??\V:	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\G:	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
File opened (read-only)	\??\Q:	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\N:	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
File opened (read-only)	\??\U:	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
File opened for modification	C:\AUTORUN.INF	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HelpMe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 4344	2876	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe	85
PID 2876 wrote to memory of 4344	2876	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe	85
PID 2876 wrote to memory of 4344	2876	38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\38dacba1866ae466d8da0504877007c0_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:4344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini.exe

Filesize
782KB

MD5
f809961b1a507b1f136a80aede730ffa

SHA1
76aeb7ea7215aeaba9b6c383d40cc5f795a521c9

SHA256
3a52d600ecbf7e216e4f83c325bad36b5d8cf21857fae77f5a6ff730457484a4

SHA512
123729a4bb3e18c2725919de374781038dd35b4b4d6bc7947b3d6217f0512889b26ee490aecae37d622390148dcb7dcfcdf7df08b6decf5b8b3b1969b22324df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4dba1daa7df01e94c69d675e7a297d39

SHA1
daa2beb697cbed8be8921999348be2865abaa2b8

SHA256
b42f6194e4488bb1579ef9999529a5230bada5d5f749f68441386e71cf76af0e

SHA512
1b26f8612486d4f92a96f1a78f5a0a8739d18b37bed0e98df4b37f8941de4a30eb9e9063549a84e1fb73f8b83c92414986cd6ad2eccb08a1e18d6c1b4bfe2e7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
8b1ff869124e6f4daad0b78c43217ac5

SHA1
cac675eb50418d2f0a759c323b7ac64a6b034372

SHA256
dc9e0284da80eeb655375b8c656baf7bdff6d0a1f3e71aa604022e26db89ea62

SHA512
391cbeaeb1ae8dcd8b50de9774072bd3147fb7e8a47d80543b8fa75e435d13589a945436991c28cacf91d91e2257593b9132b157afe9ead4611d0cac4773b72f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d442b9cc3b7fe9063e46aac91cbf7903

SHA1
3b871ae6d45d896c85e1818c0d1bdc0840faaa51

SHA256
96615af6ce4e10843b196fb6f6e97632549836a84e338b1a058c3fe220e74e6e

SHA512
cef13d8e219e94cd95f448efddbabf9d1a4d882a2ef2f18b12d3aa10f019dc3827f8b7f9c6c796cae4216c52cc50f4dcf7bae25ca3416bc68c7da033afb6e83b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
017067c1d9adcbd6ff05ac75020ce5a0

SHA1
7c67a8e2d57a853d841cb10f4fa931f345c59927

SHA256
2060979b00faf86080878e452fba74b47070c5c5b9106b99843ad7068f158b3d

SHA512
382821e7098a7a8ded47b6fac81ba1c93452e8f032f6490d74f9865c96609275005091125e4d4f7d300afd8f65a73a621532c048a2af8d26ff65bfd1a8fae780

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c87221fd93744f5b6b431bc79734cae5

SHA1
68e967ab14fc09e634f047c82548d35c2279a364

SHA256
4f5ee7a01e3dded60c7cec3e9eb9623e3fb25e38925738d8886399e76b3a0ce4

SHA512
2d5c23240474d2d0295b378e7873cf3824c900e9cb3950e25eba3f46e64109e32a0fb22bf8830ec9aca3ab395058a827239b06d13dec7558eb15caa3cd01008d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
6569d0a55ed5e4e3729400bddf50df90

SHA1
789a4e1086546bf04e37b1c35f6ef5b918282777

SHA256
a9ba5918a82836d2914f3442af82757a842f5c9ecda0d0f1ecb84ff35704c0e6

SHA512
2dc4122c3e0b3e2d361d76e7932f40d469d65ec565a7a15a80b1f1492abb6330ccc03e2f2f565369f0f305e1f220b678ee97180e6f938cb9019802330f3e0114

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
0d8d628cd1fca25ba1b354962da98cd8

SHA1
9ca62de97083cf0369c9e9b75d7c18c803a120b2

SHA256
36dab2792a0e470610881dd4ca5d749f20e2adc0873b2734c5e507a3b2cef146

SHA512
589d9919ed303813ec584a58c2cb3442e15219dbe3116d695cb24fecce9781cf8adab1a71d1c46d9b2cce9512085f3ccfae10acda85b69e62b6b7e9a62e0f646

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
727d438a8b5b7c9990c425cbc66c6aee

SHA1
a5f67d4a1ff4cca11ed3616d4fe2c111b5d13c8e

SHA256
0364f9b903628e45972ebc6549c3148ae8f24fecda7e35f77aac1a1fb7cd61d6

SHA512
473420bdfb2339042da87ea009ab74a3ab00b1f2b5943973d488dad1b1dae81acbdafdba8d5fccd98c85a984bef6dd3854162513f9ee8f33df1191706ad23627

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b8813bfbea7e25146051f78e86756e1a

SHA1
2afc0a6d9cd30ffcbd557ddabece8ebd50d95464

SHA256
38735c6b716b350c7ce98ab72e8f3284fb2dfeb701064c7e5222d0053d78f443

SHA512
7ed4c2a8b27e161ec8dee2d03867718ddeb709fe97d348fd3c4e5e933f5c8af747538a1db11dca0efd0f0e72ca5f99b228009a3eeeaf26e66e28957fb163a506

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
862ffa1a71c7706607409d3c80e77f35

SHA1
b0b1f3978fd3f544a9e57992dfb93b5aca2a8330

SHA256
648ae92faa76511bdc837dff0ff04a23f4acc0b64c775e78eeb14e8dfda9f75f

SHA512
bde8cc190fa982c9ccb5535bf65569ecdd7bca49b516b8cee7e46218e4da3de53e475125a74b5862c6ebdbddaacba92f782022da73045c49005d3fe91ba94580

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
42d4f4fd7e2f0305339e955f564b6297

SHA1
cda4af229924151458d4559c25a71beec42eb537

SHA256
97bcc60c749feafb63505084c07817eb4b41edd231e1c018e3805730c2fa8763

SHA512
16854fa1d346005c24dc0cf74308130bf29ed58e34bcf9c26f969bb02d35e1783e1c3c5400e782fa09c0c5adc6fbb550aaed12014537b661f8386737e6fabf93

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3b5fd82250a915b9776933abc702502d

SHA1
52fc85b38f16097c5bee5106f2d6a11c0b610c12

SHA256
00d4ff02b441ef96cf300332b951d30b76d744a03ed4d5c7a82e5e56223edd3b

SHA512
273018b92f2358ddcb368428beae94dfbe44e9448d2faaa44939017f579b113e38c774d4f37276ee22a96730b445efdd83867e96f86470d55a69ee50ff0427e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
b8b85ec245e15a20748a07551f6f05fa

SHA1
24b3324f38ae55af7b92af9e42d8c356c3ba6444

SHA256
a60f3ee1c2b212c9c3ffdfa5bbd63785c46f9152ae99a8a72d692d4491df9696

SHA512
e9bd5800c3ebaec0a19c4d21fe830b993ea28070c21dcedc29b7bce7e355a583a75f4af3551a523b50274831205e5d3952c886687c7188bd8b979812132e9e2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
12801d4e3655fd2866c0e67c04c45e81

SHA1
9037f4058dd26061e3261166f4d6b076c10d08d0

SHA256
ce62acba1075faa535436e32e7da827620668542274acf4496a007cbbb1308fe

SHA512
04e7de25510eb49f66166cd627fac280e09b41d9f7edf561ff4ba7b08cb01bef7b4c3c0f7c34fa29e3b465bfe8c8ddbcf69674d0ec5646d18e1f5d1500fea6e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a694e613990dac1a4c7059bf8f384004

SHA1
959bfa3bb5a4e722ff7677b17338c097ad283e88

SHA256
899b46a891486d666106989b926b6e6735b1290606e2abd22d4ced702b2c575b

SHA512
6c07d73f17dbf83292991ef042b8decca0cccd6734cc771b6f27cf053db552c1d5a186b6222ddd25a762bc83e003287b3a7ae01f753b255d4aa37cd7f5db5d13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0d3e85ad28981283c12140ef2272df60

SHA1
3682bb85f64297446336b8f660ec45a836166456

SHA256
fc7dbe6712214c35e064db11c42207ffeaf25dd1608065bdfbd1acfc9bc44dcb

SHA512
37d85ddcaedabff61f9b03f9bdf79c52a049db40046b8f33518205d98a25aa5075d3d170053fe3ee3e793ef59bb93563cf48fcce8191010f5c6bddc623ec8af5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
967ba59c9eb66872c07333fddddc5d19

SHA1
65332c88c04009302548441b8ff89022a24b40c4

SHA256
c495ebfb09ece479839154f7e7c07cd5ed749fcc98728365b7d0b63fb5b92b99

SHA512
3910d9814bc97b143ba56067e10b5f8de16c9392b785d69709d7121fdc2e9e152244b5b82024b2e2e9c43eae1825b358d62518f2651f1a5e91d4edb646dcb2ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
68315c2dc188042dca86baa0686d65cf

SHA1
8c18d89b75a3db44bfdd9a6957391b6d98af4b03

SHA256
655ecd6fa65136c5af90798e5927efbf83fd0e17a285639b61b12ef08c2ac611

SHA512
5b8607415cc7a239cbe707bcc967903e220ec2d7ea2a40a09c09d3e4eef27c0a988c715687f41c77571df5969ffb989178ed73bea7c928812b00b32f357abdbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
32d4c577712353b74212cbedd4af7916

SHA1
83fe7d08f3d9b5da5696131e3294fc246f7e2375

SHA256
9a0b38effa20df2147b4604fbc456574ebbdd148ac04e311e063f866f38777ee

SHA512
375b1d4ad7a97c4c4d07ae25136a456bc3d7ac12b97e125955bf0e581b931544456b079842e9f3a7ac3966ea940ab0f09516878ff782b8bf9080b613abf76267

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
987585c3eb118e31f38aeef908516868

SHA1
2caeb28cea64ec66dcee0f32cce1d992a561a263

SHA256
da80250d840f63ffcb616e39294e4bc841ed9959a424a80bc086652dbdebe936

SHA512
0540d13086955da860768ecd83c4366a1bf1bf5a5991f2affb475fa4f4ae1a6250fd356d32d29c38a6bca7d445872e29366be2819f19ea852ceb4fee5860ae79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
4cf34461fec2cb1f53e59c9f2d6576af

SHA1
b862d91dcf567e253769cc0794667415135f161d

SHA256
51aaf618bd0e2b6c7720b0f42d9cc4505bd1521ff3da5ab868912bc13073949d

SHA512
329c5f96accef2f05a0f50b77f6a73b372e3ae3c2922182af6293703309c3da66cb7711ab5fb146586d28399d22361dd187b1f2495ea6e7ab4b3cac6c84d46dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
115900d585302b5ee7f52286c986b304

SHA1
6572e9fd982ee4071339f55bd409dec7e1e88b01

SHA256
a26b95ea2c4be7b9bef4bf12a726fd6f19ef91df79d9f124990956055f926806

SHA512
ba8f0b8ad9b7fd1617aa5772c33402cd3742e2cc2520de601ca05af5d05b00369424b06c63744d9461cca36cb63c842443edacba86bfb4d8a007c5ddf8491a56

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
dba3d79ab33d07e472fb50b3bdae7493

SHA1
6c0ba6f240450bee3cfd92682f80b10efd2be192

SHA256
8e7ce6372207167a8d23abbfd8841015127a8f30d9bbfb575dd084071e4216a0

SHA512
613b9aa74bb31c8d1e857562b7bf12f9b0ca79083a94edb0b049bd5c06cc3f0dae6b3e1072d675f535ca0b85a6ca7de1bc20ccb0a3e3d34b636b327ea7d69098

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
942c22b62f39b5e2e896e9d33936b93a

SHA1
28bf57be3728073a8f15b6e55ad7ecc09e627def

SHA256
238f77e701c368e9fd3f349965f21098c547e31b9cc15b071fcf34a202ca2d55

SHA512
31de60eb272a67c4ec950f889cd1ccb387417e8be4c7387d0586ab46be8a36e09b0249afeb4b469e47189b4c7dcc6d8ce1b0aa2d743cb4f6b485ece9cbafd5a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
01a3f90eaae3368ef30fb9bb8a43789e

SHA1
c8a5388141e5ece9e1dd5758edecf557f5162c7d

SHA256
db64eb52727f42037567f84cc5f2ce53e81b16ff0655d9910a84201bf4a294ed

SHA512
cf7f473f63891c6b362971fb1f4d85fc4a101e384c1a25f3f819a95716acf66df8de485be018273e67842deccc8a073051a51caa125bca04d992d282da951d4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7fc4a338e81ef32f7aa67215d761606b

SHA1
d79e6e475319afa87327896c93e3fbc249d83ba5

SHA256
b836b7bbc5692d242be40db970d0fa485ca57207ca642e2cb41bc5579c12fece

SHA512
b2d6f7f3825a4c64830bf5516aee3a6adda16b54009fc437c43a93549409900d80f1111b0e59ce9853e0025239e1ccd0b9a11b32b56734d5e74ec919097d5633

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
56df090145e328a7734060a3935c185b

SHA1
943e02502233591e493929f7a978d1694f327a04

SHA256
7ddca164ef33a5b4499f003a09fa3199394f15a6b705ec8915c33b30d3d4d955

SHA512
97f3b5054dcbbfc7277fd006d0810aa005ddcd7b434b3447b63d5299dd2afe8baaef93779abc5df6bbbf07fe105db0102b8268d8d29ccf7fbf5bf5af229b34b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fc14053385cf0fb7845fddd9f59b32fd

SHA1
02dc3737cbbe8eb35cdf78fe3760ad07b7e59318

SHA256
f372943025ca6381de1e80f635ef32336c200edbea7a6e41da30857a35903dc9

SHA512
407e5c3abc731e22ef7298e729267eeeebe6269c47368c2cb3e619d7924fd77b73c3848c17158e0a64181fabbc46762251c0a62aabd2afd6435980c34ea14bb3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
273427d9ec0b20b873e655155b3ac96e

SHA1
d2c218012c008c21a18d3ea02029e0a5100c6160

SHA256
feae0cd086575ee44489da238ca3653441a5b1d5df3745bf7fa884fb98c68b20

SHA512
c66f5b2b49fca9134c8ca5528c7dd5b27a2a7b97d053638228b2467b90ee76a99c904118b49d2df8e600d912dcb35120f21a4000113a0898f693be9bc17f9975

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
345ab95dff288c07ed2ab69e25f2a2d6

SHA1
2efe2c272903ed93ac71209f6c07d36724f4a5f7

SHA256
a5731f0d771d2f3ec288ad0e53d4bc98a511edb968bdf6472a2cc0a0dd28851c

SHA512
72692d733e7d29d0f7e2e0310cc530266efa9e6ac54e42f5aed4e38d8577ccc200c75fe41a3ce889cf45258375a1db05033505f04d528ab969f79ed3f83b62fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
8f4e95a5aa674635c94ca2a8420a449f

SHA1
bbd2b5e40db1625a3640d4c314c000af83abdaed

SHA256
dce1d508d6c2c76d4b27d4b9acbd70a2aa092169a588e4dd65358f51c3fcb505

SHA512
aac3e0262e29207f066f3cd52f154a8abb392b1f897101ad8e5e0115aa2cce6cdec876166072fdc42624f134bfa151ea1508aab53b332adb805423aa61bee8d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3aceb5f8d06662f38b6bfcc11fe56169

SHA1
7b45cec17937ca96d8df784ca85d99de06a98dec

SHA256
d03f8a26d5a4de78a9b25eadddda99dcf5892982c9ba3c4e50d8ac45c49c7d89

SHA512
b268fc206867f8bad1de7070596ef77bdf847a84ad8ba9142ab3d5b5554c70d5ce89dcd0021956d16f545bec754692c1841b1133e5fe3b389d501c90061c668a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
2330112a81ff4b2cb55cb4c2acf99307

SHA1
f1b447531a7880d246e3c39f285f477cfae1823d

SHA256
b4a7dd123e4dcb041d12257d516e5045f25da87126930f50cd2b5a9228f9108a

SHA512
48ba8056c48469a38f01d254a28b67cef9a1b95abf6c30e2636ae239f4c661e1968f3398c663c73e40de217c793e59fccf57edf06057709069c26a7b858c66ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
692bb2f7fb38e7fae683c9698f19efd6

SHA1
9ce7a9c4e24b55d9c3618c176f7a3a934d740f2c

SHA256
610c8504919751b0b8664cbb3c9907f80846014f7bb03dc2be0c7decd1de6cea

SHA512
cfbad38b7697a5d309a4c889b95f240395d71bf52f3d919b4f8085b439012546e4aba3d8124b2c7e021fbab6bf11b613862af7fef075f13e0fc7fbf3e1d946fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
4386a64e56432a753ffa6909ce3283bb

SHA1
c6eacc9a6df34d6f7440bc2210b764c94b5fd230

SHA256
a87cfb84198d382ae9af32bc33350f2dc6e9dd66e993efc7318a2d5983e2df18

SHA512
cf4c2211c43d4dd9d29d1565be1f45db843353fba5205610cc7d8f65fd3a1e4480d788d8d88a1c8fe33aa69db5d42a297c9c11d1f63b9c2d26cc8d95473ff82b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
30d66876033c7f8d5467c77658e5eee2

SHA1
2e520811defa5a322e1d8559d3083708d32a41df

SHA256
71d6e125896eb89575f003e976fdb29aeeb2a00fb4f51f2e667dc4e924bc9f6f

SHA512
1c95adc483a5e56308f7531326e784e22d4fd3bc9f2b26aa7dce3a6420a0b6e0bce56dc5fa96d33c7653b462a27122aa45a8e258557e0eb033bc383cb2ba2581

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
7fa583fdd3e45ec91cee4d8bca91b34b

SHA1
2ffe3dd6d9e766a3b9ba22fb49f7fdff95333a65

SHA256
cb405ebb530ffa8a750a01ecd57456ecd845c349e24b2ccaafaf4b61894dfad0

SHA512
5353ac625a438a0eee9e1ee4479de3dcb42cda6faedf5acc871ade916b2c3f25ae5a1623d049e596d7364cd209f62ba25759ea73f62f4c39339cdf4b41585a98

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
781KB

MD5
e0058ec846bfcb87cb58ca800c718bf7

SHA1
43d7630a34bec6ae9a57e05f196f836feefd8e14

SHA256
de0477babbf4f8025356342c9775814ee9d5415b6f502d128b3649778e6c3418

SHA512
81fe62139eee134f4ae964ad07e737fe4af9c800038dbd2b632b6313bd9f4866ac28f98cb456f0d49723d163ff24774b18c7cf7e5188949e4ebecf0ed7bdd386

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini.exe

Filesize
782KB

MD5
bec3926b72fc0fb8b52de5465851afcb

SHA1
7c80377fcd3a27372486d979e2b29c95d267b402

SHA256
c0ffaf9ce9d3e62eccad7b6c8d8d00b2a32ab282fbbf78c5b16faf2dbfd3b3ba

SHA512
d19351ee7f31aca6434698b77a306b166753e0a12365eb3992d5932fac5828472c5b1d00f4402fe81f01b08056ad2d165323552126053e843145466f36c0b63e

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
781KB

MD5
38dacba1866ae466d8da0504877007c0

SHA1
9767ba433109611806ff53793d84a55b8ae3826a

SHA256
900582dc5bf229c9079123c12be9644d679a12bc649032df88883e4043cdb69b

SHA512
690364a68654fe8b7f3c679fce66c7fe4e2e6178497c3d0b706f9bfd50dab4ee9f5b0a4e576a2d36deac427ee2a25c01af7389a60429881b4091982bc768fa0b

Download Submit
memory/2876-45-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/2876-144-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2876-112-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2876-102-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2876-80-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2876-121-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2876-171-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2876-0-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/2876-70-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2876-130-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2876-162-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2876-90-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2876-60-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2876-139-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2876-153-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2876-49-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4344-50-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4344-91-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4344-149-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4344-81-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4344-140-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4344-61-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4344-158-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4344-51-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/4344-131-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4344-163-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4344-71-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4344-103-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4344-122-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4344-172-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4344-5-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/4344-113-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads