73a7f75b1e3381531eb5a75b3e623ee3c46f019332852b26401b0c7e3f8809dc

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
Size

7.1MB
MD5

b4f166e8b2ca1ab9f7cc326718b18fd8
SHA1

206fe3a4cae7faf319321a943f7edc840b727fad
SHA256

73a7f75b1e3381531eb5a75b3e623ee3c46f019332852b26401b0c7e3f8809dc
SHA512

c70da1527fe4325e6cc42757a86bafb0bbe2a1868201924159df0d3cba08d18ab9b3c446d2b5ffbfd97931f5ffa26298c90f112e407cc3652c4624a598118c3c
SSDEEP

24576:aEtl9mRda1VIUSu7KB8NIyXbacAfUSunEp+XRGEUvkXw6z4Etl9mRda1J:xEs12pHB8NIMI8SfpwotkzvEs1J

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
3896	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\M:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\O:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\X:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\J:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\L:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\I:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\N:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\Q:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\V:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\E:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\G:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\K:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\R:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\Z:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\H:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\Y:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\A:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\B:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\P:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\T:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\U:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\W:	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened (read-only)	\??\G:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HelpMe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 3896	4080	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe	82
PID 4080 wrote to memory of 3896	4080	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe	82
PID 4080 wrote to memory of 3896	4080	b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b4f166e8b2ca1ab9f7cc326718b18fd8_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.exe

Filesize
7.1MB

MD5
36c72c5df1c20595f8c148bab4978954

SHA1
0da53570b88f62852217fbab1cb2334680a03e99

SHA256
99789d9db4e8f8dc9dd4e7f2c23db6f50cb7519928095d8ea249ece6f87f9573

SHA512
86cd4854ae582d77566b697c6396d550b53789162f5babd2c3cfca8f81f14789be6b9594a0020a60ec3c45ee7ccff29c1c58d7eaabc5b33332c95292c891855b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9061f16b0eef323b494418d56fd46adb

SHA1
b42c4bc524a5a08bc7fb7aa7e62ed17c019d2771

SHA256
831bae06b155a4e6aca015114fff523616dec5bf1c737a2365d0faee37dfc956

SHA512
f11cb8045e53af286640871e96dbe053413de3bd32594b7e72c44f1558bd7c8cdaff1e5cd46d746bc47b36d62d2c769273be9030b9ca839e4c6230c2aaa12ad6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
cda22faf6e8d9a5001004742ae58c831

SHA1
43d8df3e5c71ff733a5bfd8aaa1cb6915b3c89d8

SHA256
cd4a9121fc3b4ee7d04fc8c5ad791c432fd35b0812e4a2779fcf1ce22f3c3e89

SHA512
d80a498f9b672a6de7782fd2f4ffea31e01e25b91153b23c72a3c014ad53c89b8d1897ebc9aae0c6a667ae830ceec3d66865f4b11a44d063fec6aa659c1e9545

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
92c346e21671d7155175d63a0f432942

SHA1
2bb8a708f0b8928cf885d867311b535c8c71a2cb

SHA256
dbbf2ebf6d0843c9f54de2f291af13af4367701b8ca302eb9021de9db56d4e0b

SHA512
699fb988c8c82ce052cc7bb53b64f643eeafa78e12079874dac739b66144e2b7801c89dbb069995720c763cf260a587b7bb0f3d173e84cdfd2156ce32cf48fb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
f0a894c54366789005649d60359ea305

SHA1
547f98e410f9fbe9af85be516d198037a7623b8e

SHA256
ac04766b5bdbb6abb2fcc0ecec58d39451a68374258bc19eda27a540929034e5

SHA512
ae3574cf9b795236d5ccb056d049ff9a00972878a1c1ec84760f4193661b4b542a63199c67ee6f2cf378c132ed52207eed1673fb1f3ca7870fe58eca42aeac9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
da54fc97c6f1fe180b0a0bcf566624ec

SHA1
2baf57a325a06aa6b70c0c3b58f9e8708b22c898

SHA256
c082d09e936c7a08d52ab1eb6842244851999d6c8640d8b6c5433e4aca59f4ee

SHA512
87aa6e5ca6ca3c998b9e42093998d762a5e84c74f0a9e89e4a513b1ed899f48a9c2277f70e137720edb36cc241756c7a2cfdd2e89db46c056c85354a0ed19cbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
221155436fec980c8d0d1cdbb671ba31

SHA1
a202460d3b33b665cedec7b6e36111f0cd341cdd

SHA256
892326940c3ac9ca55a28e463a535a2293cf045057bb7481010fdf232c33ba8d

SHA512
54ae96763934870c4868df5d1d155fdac3a6973bf5c0f1f73c366b3e0da0e95a13d89cbe8426def252c3c5b305b4dbd0c3769aedb6a52b688c6d96ddc55ac326

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
845336fcb66458192d17762e6eb2f8a5

SHA1
9d0a46132c7427827e592c154570dad1feaa31fa

SHA256
0e22fe2b6d558a80e6467f525b4e95c7458ad59d47e5d297c0131ec9c796c5a7

SHA512
5df56b3dc3367ac2f804e7edec45357cf0b1c9e873081f4ed6cd5e446a05e448eb1baad7ce7b84ccee7556583a4177da3cb960a302121b4dc9a6f06dca502583

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
45f8c5ca42904ef5608a797adcd29699

SHA1
9870bbb4243cf2b06b3ad64228ff53fd3df77e0d

SHA256
a6e98d85c17f2485e2ab409479b532b224d9f8e398ca1143744dbb66e8938f60

SHA512
de8c5b8a769fc99c51225e021e9f7331996c67af7dc5f74672a9ab9fa9c8c2f9336a22074f16700f5a6d20993633bbbbab7244dd462a5358559770116d3f4387

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
7e4cc1ad82a2fe9020b3862317fdfd35

SHA1
07265ca663508e43ac88ed67c6e83b3ecc07d35a

SHA256
bc900b229f3ef64cae2b684e1d030b6f3428c67416c8fb05c1675fc9754d921c

SHA512
356f1393363b7cbe797d3bd0cedf4a1deb64e40b4f04a261314ff7fd8a92207e4c1a1d2bea9c7fac01a8f404dfbd6c78e7b4b54d3a3c6318c5696f526f3d2479

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8797b08309d9ab71d6289614b308f3d5

SHA1
dcf414d80c6cd08eaf324f9eb7e2c3a4ef27daca

SHA256
2c22d56a468166ec98b0ba00529c9bfe86c011b04ad0b04d9806d0a99c7a67d8

SHA512
392645d51162bd0ea42e7b8995cce6c7c20d42acd5c2481235438192a588377acf30d36a9130636e6eff100181d3933feb47e1db52eac445f348098e0cf96d19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
98fdd0d4279b423e830a9bb200f7965f

SHA1
707aab9fd445e21d34c950819dab9099b5d750e5

SHA256
e1e3b3a2704460ffd69c31ca54c239fc161f5dda7bd4c99d6a5ab18adec961bd

SHA512
a5a7f71d5802294eba89447b59a98cc99e8d7a61443aab83a41523fc795a5d9a750c8e75192469bea926c5e47bcb6f6792d125b26400a364bcb53e7eb21073e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
9a7eb9916f75375349612d78e5a41abb

SHA1
c2f7aea9ded91c991b1359ed8e2c7e7f97cf01c0

SHA256
da1702e1a052304ecbddd98a2610db60bfd792f0288b1dc01cd4c91c55e7342d

SHA512
0c25a30abf5c0677e8a486261e5d618bb432aa4869977974b34af9944a793170d44e9de0882d59d8afb1d26de64aa2a458b28f5d42c9fa11b5cf277adc4d1f26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
24113c010f7529b706efca00e3518f82

SHA1
8df2c7b11a2de2fb681225be79f510c552040fcb

SHA256
3a503a86c3e94ba03da1d4d6a395ee86642cab3be16cc42eff428a23ffb6e29c

SHA512
b9431c1ca23220af4ec04654dc4c836e377103d4ad29aad6dedd325d7f3520cc6bedd51020ab8499927411ae4cab90f7053a4325fbdc237ac2de86b81103fac3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
18f937902e5c782677d8e9a473f50352

SHA1
5441f74154fc1c9cf1d44805c04984d069fd20d9

SHA256
a294588422ffd4d7a3a311b2023782e1c997875fc56a7d2acd83f8af7d68be0c

SHA512
4bb8476c987e0e5f104e6092c78114365518874c39a08bddd68ca3e092c1f39461891a68462f1a940922d68d23d1b0aac81facedba72953346b041890302dc51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
a71ad185eae5d6c6a4336d6c52aca5d0

SHA1
be74f3f2077e71974bfd656a72b4d6fb3c88553e

SHA256
a8e02411c7212e4f5cb05e7664e06fbd853c53cb2705bf181c8a26914c847ffc

SHA512
9c1194224af5723d1c7428f70ae2ad0dfc795aef80d12e66e2f0cd1444090abc6c7551998aeb108acf00e52e95222d336bd58f8f41a4175336915a52121464da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c9c467fe5e2f5e224226242251e26a60

SHA1
640b09d0df415d37fddd5fcb4fc2a8a0dd364608

SHA256
32e1351bd916996f19cb93a11571d57ec7c9c1c7a9a12c45a4277efb37adcd37

SHA512
189866d71887c72e9fda2813ac499d6ef4a9148e1751a93488505c1a5c4e1d1e48bbbd22f2c7ce5f097bdc328bcd80a439bb349e241805818902e8d4e3928566

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e7c449716c7d796e6bee2a94ddf80860

SHA1
0c8aad57d9f45e86264d1ea2a184097ffbf491f4

SHA256
55c196a9b103a2ff260560a94b839d6949bea1110f5fc877b8234d7eebf7556e

SHA512
3bd562c4f3eb816eb99290f232605279e6f8d0f34df0c66580c8b012e4a6821d6a057f69a4e99d6c31d946574600890d2c5836e864bd29f6e6a74298b989d592

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
66586fe2ef8106490d5f31df0d4dc76f

SHA1
5d2dbf97688724137bf8e62b1196646aeeb4ba80

SHA256
cfa743633a54b296d26f442c859cc3084c84ebe573654abb598262b63cf0f607

SHA512
8bb5ddce8ba935cccd7c510f28742721d1304a0fd96819a99b048ffc106e57047510cd65366e79f5d39801e710d2ad06112cf4672e0f579d859946a36b6c9d8e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
32b2352b4bc29fe37a16f932a34e9b50

SHA1
cc235d3de649c8f312e43c8e1b92b2daab7a2242

SHA256
db7929217e3ba38dccea65d74617f49f16d9fbd3f64ba5fe6151a78f014d81ad

SHA512
4c721d08aa5f76d2e60306a3fcffabc0a762a6652d0a61bed026b7fad77fe87aac3d33a07bb1e46827570c6ae454b60f3de7e1ae42c3b8876916651e8761941b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
aaad98c37d9b7657ab7723bb5e3eeaa2

SHA1
adb3d1648b512872838bef188b7a70311be1e399

SHA256
e3f1ed656696752a5ac10c2d0d6c8c033f1b0959925d728650d2036c94e9c247

SHA512
ae70613f66452ac960d9d16437fdf2d3a7f7ff9a76e6d0d39b3bf3b387b9a6a9790be359a225566b1dcaaedbea15ad1ac8ec00fa6c53473240b569fd88fc5402

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d183051c733b390493f2420a37d9b284

SHA1
bf75dc51dfa9b02e99ec4046de2f056e92cf816c

SHA256
f628de044dbefc43d29f790fdd7fe2ae2a2f0c2921d1c49d207f691ddef8aade

SHA512
f4329aa9ae94d6ab9119555da7d2bf179bdcd93860e1e7fbcd62d0993fbe73c5d596ffa5b579936c813d5424d78a5dc5e7d7c30bb45ea6bcaa2790f91eb6cf43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8ece18249fc59ef9fe1a7a23d9a3c013

SHA1
9ae2087317bf70d5e0b39dbfe73a7df5b0f2498e

SHA256
37df0191298127fb9aadc3320499a149d2fb794b477c2b22f084b9f8eea3dbc8

SHA512
b589e95f59c65ffa76d9e2081ff2c020d7fa1001fbde325bcb9d673402b204eda3d53e1d09501a87a042b0c79c57a09ece81da53bce1a28c441efa451cc871a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
81ef4ab6a0ba2d5de52879b152b22d52

SHA1
87c0fc3666263d838c97249dd6940d6b1e26ebc4

SHA256
72df02c2481500b4fd5ec677f7ed03df9a09bdd38c0847897e4d71758ffa32d5

SHA512
9b563d218a0b3214dd41030aaad79971b031d24b37aaa63c7126acdfb115d2d858ee413e8015c5c3723d2ebcb52f343ec29264ba2b7422f7a9c3fa229f446f84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
cfd0f07124f32f1ab9e0d1ef0ed233f9

SHA1
4826dc6435ddf3c8932ba878902963c47d8b05df

SHA256
61a8e3cfbd380e7e13ab73d53b4d1cd94848be2ba31afdc86f49b10beae3f2cb

SHA512
a60e6fe21407d77e54970fe6730074d2d5b359a31c7c21518829d59113a7462703bbf1541db50b149247e3444c26838b8300d2d7b2ea4a154b01fd01c0b3d08f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
5a4da836f3033e69b0d1ef68282cf35c

SHA1
e26dabaddc2dc87328257ee769826928f1d94c50

SHA256
a0150e6c057b3745cce3ce498a6cc27955c15a1a5b7c8fe3a50f92dbba9b00b6

SHA512
a3a0731397abc7acbe0c947efa5a7c5bc4ed5533554f678086660205b8333fd991295261eacc496fd1c189da411a1f6c836e357f6de64807c2d20c44f6fdb8b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8201061c89019ce1c43bb24633bc5d24

SHA1
6d4546853f587347f15a30bb2b40ddb9e9f08c10

SHA256
21e38f0c8b9bbe08d543e979197465d51632cba9d5764765c41b18273e0c1f62

SHA512
7a161f211c9cc21eef3a1eea92e43e1d611ab9607442259955f4c35bbd7b619776fecc7a1720b5d3b51cf07d5ec9e2f27683807809e311a07251524bd369ee5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
125859f2e37fb553447920f685e029ef

SHA1
f3ffdb5e4cb3c865c46bd3ed45cb5f4f311e89de

SHA256
b18a8974e7df5156b31f691767a82b2dceb75872ac274d8fc0a9eb3fe58f8abf

SHA512
e71955a3e4a60837d5409ce2531e3347af3f87b12bdceec491e334a798ecd4c74dd40794fe0db1a57298b46c39d0e13bffd8fd18bc93952dcb3c6bfc9bb44370

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
99eb440160bf83cc19d013fec8f46e1d

SHA1
a570247ae9659c0737abb5635a94726eb4ce6bc8

SHA256
8e9092bcf150f5cc6f4743672650fbbc58755eee3a24ea297844151893fa0bd4

SHA512
0582a986dc4ced78a0d8da948d056bbba8c88276ec6a136b73e48564b35439d4b95c04077df227fad1b43224a9e08131ff6563ba5cf34306c6a4b4680888a690

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d28da2f97c5aaf54c5f3af8d553f9255

SHA1
692e0a8fe3c4f4b7936dc442d667c55d66d0a69d

SHA256
3980110ea3cd2620ee7bfea697975ff90e82f233370b7669d904fbf5df58c4e6

SHA512
cc7d4daa1028baddf616e88aa1abeea0e597213fd73324355d64fbb4ebea1e2a68a93d490757223c18b5ad60daca24092690b591d7d23bfc68ec7f33fa1209a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
0206be4ce333f6170e3fd2ceac6b9abf

SHA1
c06730db96323b6af886a080e012692382ec9aaf

SHA256
ef9b10e40236943eaecc60a604b019e6fbc7a9dca1c6bd0be6a90a48d5076c89

SHA512
5830d857412ebae6fc15aa62a1b8f38fd0426ef1dfd5325b0ae5b5f603eddee870b754bbbabbe3acd19fa1c5e1f9405198601d327429e594c61a293289941668

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d41efaa2da9ba44465579ad5cc934571

SHA1
c6992a44a0ace9c7a4b0c81c4bc9960355ec67ea

SHA256
9b759bd84888f517e5c1d4c4d0c54c8e4bbc5b5bcc32e2fe932c4d816270159d

SHA512
8945efed2733bfdba9a3c81e7505addbe08608ce5faa0286cd61562ab44776432a810a419f94abba465b6f50d05411c601a59943adcf02381bfcfdb90f8f306e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
94baa99f9862cf9bdde6eccda4a6b570

SHA1
10d19e4154c43add4da3cafffb640f3da56734fc

SHA256
878c5b3c4cab2410864af2cfb1c78f48d9ef9c6339d09b280864801cd2bd4045

SHA512
ed9cbb702a5c0780422e252ffc941929a89a7c900ae46505ab5f9129ffd2e1cbf3807a1ee204617177560daadff60232f6a4203413200b7b9e158327739f1abc

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
5.1MB

MD5
b6b35f14be265e6af082fbe45a219bdc

SHA1
0d6e1e8fe0dd8de52f1b0b2bb43b5078c4f3d43e

SHA256
08e99794376781d81046f1e3836cd362fdbc99f5434c33e60198beb464c1d71c

SHA512
0287ca6a3c63a5896c1dff46f540d7577ae544d7c48b48e383fdc1b1184ab27425607c23314d9c9c68cc89726bd19492b1c76142aa29289dce160a71703a1767

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.exe

Filesize
7.1MB

MD5
3b9ef7064839ca416d282488a53df7aa

SHA1
d226adaa3dd3c9f72ce74ee6a8c8c3c0143b7f5c

SHA256
759997de9cae8acc0e8401a64e59e047e82c585a173d033d63882df5124810ed

SHA512
2900a415faf7617b4c5c6f6779693c0d70245ef0d1b0f2933083f7a5d29cb6cbeed5f22ae5d097e54b3d9e9ed71f620b5f6d470a9409b260808331e3a7932596

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
7.1MB

MD5
b4f166e8b2ca1ab9f7cc326718b18fd8

SHA1
206fe3a4cae7faf319321a943f7edc840b727fad

SHA256
73a7f75b1e3381531eb5a75b3e623ee3c46f019332852b26401b0c7e3f8809dc

SHA512
c70da1527fe4325e6cc42757a86bafb0bbe2a1868201924159df0d3cba08d18ab9b3c446d2b5ffbfd97931f5ffa26298c90f112e407cc3652c4624a598118c3c

Download Submit
memory/3896-47-0x0000000000400000-0x000000000047894E-memory.dmp

Filesize
482KB

Download
memory/3896-6-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/4080-0-0x0000000000400000-0x000000000047894E-memory.dmp

Filesize
482KB

Download
memory/4080-46-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/4080-45-0x0000000000400000-0x000000000047894E-memory.dmp

Filesize
482KB

Download
memory/4080-1-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads