Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    16-10-2024 17:33

General

  • Target

    4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe

  • Size

    919KB

  • MD5

    4e21121a61f231b5288f3f795bf80987

  • SHA1

    1aaea300f162b85c4034d24aaba40d823e7832cc

  • SHA256

    49e77e045d00f2f8db630fc82a7cf6c9242df80270619a6194297ed7d88cf8d8

  • SHA512

    8ddb522f6606b73b8bf1fbfbd9bb41d295aee2e94883bdd1fb369de20377abac99891d65fc38bf151205abd5062d7ca1876b3f13a66dc0539d45515bd647694c

  • SSDEEP

    12288:Pp4pNfz3ymJnJ8QCFkxCaQTOl2KCsltH4cgZD5+6aYMasAYXG3W5o:xEtl9mRda1MIHYPyBashXG3W5o

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4e21121a61f231b5288f3f795bf80987_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3876
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:3936

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini.exe

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

  • C:\Windows\SysWOW64\HelpMe.exe

  • F:\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini.exe

  • F:\AUTORUN.INF

  • F:\AutoRun.exe
