Analysis

  • max time kernel
    145s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    08-10-2024 23:16

General

  • Target

    26ea5b6c99e99420c980f76e9643cd8f_JaffaCakes118.exe

  • Size

    4.1MB

  • MD5

    26ea5b6c99e99420c980f76e9643cd8f

  • SHA1

    4b7b25a87cd490cb9b7d3ee9d062b51f416874e7

  • SHA256

    c4ed9b8b9c653b23e8a46f8d6a282c98f5f4ed4dbb0923cc3ca6edec018bbdf0

  • SHA512

    43de36e78e4a38da4e6e53b985529f4319093796b86d986d941790b75143909850acea73f1c05ce8b3db95979d26a5863c417aa75cd6ad25ae4441ecb93474e7

  • SSDEEP

    49152:PEs1c/B8NIMI8Sfpwotkzax/TKB8NIMI8/:PE2cgIMzKpXOMTIMz/

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\26ea5b6c99e99420c980f76e9643cd8f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\26ea5b6c99e99420c980f76e9643cd8f_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3604
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3260

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini.exe

    Filesize

    4.1MB

    MD5

    40967879c15d7aa97d23f3971dfcb8f8

    SHA1

    52d7805bbe9d13b2adc4a60c7473bc98229dcd54

    SHA256

    0c4e0af85e57b88bebe1074da3568efd2b48982fad631f3d0c3adb87b54e1f93

    SHA512

    f27bb289f7268f1a3f251a2b12dc355a756e823acb7c653c141946b432d9b27064dbe1341ddca182790e731aa9c513eb8eeba25bda417fa123358bd77eb473ef

  • C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

    Filesize

    4.8MB

    MD5

    c57bb416a451f59cb4afc38aa8117617

    SHA1

    0c55c29f00aee1e8857be9e674052de428f913b5

    SHA256

    6796563ea1ca27ec7a0f8a4a7096d4dfd8f89bbda24d91f2726d31dc4db25672

    SHA512

    3043c7474c365ada4a8cd2f6d4d41fc4f1cde14470e03302fab460634dc3c38bf7d490557b263a7dce1856d2234141552536eba907f150553bcbf290102cd624

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    48612105d617443101a836d42187b929

    SHA1

    e6977cff36e30136f30e4a3a4dbfc1af163ac667

    SHA256

    9f16a00ce08240ebc643d7a8485d863a193ba8c8275dbc99467606bfff96164a

    SHA512

    bb3c18fb3df8e300967189a625a5704306f83c1c8f9aadfd997f92b754155f100c8e7ec04f94211a883f695228f1136f0c6ab8c1d6bfc097c6f6198c1fe3a55d

  • C:\Windows\SysWOW64\HelpMe.exe

    Filesize

    4.0MB

    MD5

    d68d84382d2e6784569e6ed89927e186

    SHA1

    b3d75cf8396516c32bf256829c2cc93c59050aae

    SHA256

    a36327289e17d87f89690848cffbc2474b49248ca5470368cf8658cd4a454ee6

    SHA512

    3d15e45a0fb2164ab1b7d69527d0553ae4b866681f1c06ea0678f1fd1fdfdb3a9e47828af22074327058e44f93c609a220d2ae001c2b74d1563534c4e05aa822

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    4.1MB

    MD5

    26ea5b6c99e99420c980f76e9643cd8f

    SHA1

    4b7b25a87cd490cb9b7d3ee9d062b51f416874e7

    SHA256

    c4ed9b8b9c653b23e8a46f8d6a282c98f5f4ed4dbb0923cc3ca6edec018bbdf0

    SHA512

    43de36e78e4a38da4e6e53b985529f4319093796b86d986d941790b75143909850acea73f1c05ce8b3db95979d26a5863c417aa75cd6ad25ae4441ecb93474e7

  • memory/3260-54-0x0000000000730000-0x0000000000731000-memory.dmp

    Filesize

    4KB

  • memory/3260-5-0x0000000000730000-0x0000000000731000-memory.dmp

    Filesize

    4KB

  • memory/3604-49-0x0000000000650000-0x0000000000651000-memory.dmp

    Filesize

    4KB

  • memory/3604-0-0x0000000000650000-0x0000000000651000-memory.dmp

    Filesize

    4KB