Analysis

  • max time kernel
    145s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    16-10-2024 17:15

General

  • Target

    4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe

  • Size

    2.9MB

  • MD5

    4e0f5f12d55728e3056fc3f9efacc75f

  • SHA1

    cc73069286a96ce0892aca0e8294e3fd5fcdaeb0

  • SHA256

    bb68a904e007f0d082785fc6a14530e18108815560ac7977e4eee9e0437c581c

  • SHA512

    d03e4d85bee3e805e2a1d964157a01b4d83a1ef216f761127efa216a4a040a968e9728f7a3149d4478d2b0d3e0e74b84558044d6887fc0691536c23a5cda36bd

  • SSDEEP

    12288:Pp4pNfz3ymJnJ8QCFkxCaQTOl2KCsltH4cgZD5+6aYMasAYXG3W9:xEtl9mRda1MIHYPyBashXG3W9

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4e0f5f12d55728e3056fc3f9efacc75f_JaffaCakes118.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2620
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2692

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.exe

    Filesize

    2.9MB

    MD5

    d532537f76a9f906b89f0b30971ef8e8

    SHA1

    741aa69b102a4603f7bd3194bf72719e1178c918

    SHA256

    553b473e3cc562991a01fe8987be8639499a1f8d555f8896db2888d330e78d5a

    SHA512

    7d83aa7a03abdfcdaa08e0a7201d5f3aec97cbbd073723ad469c500804d8f07260ef3f0d6b5972ccc7bbb5ee7dbf0f7d040d1bd0058b589490deac2d095af025

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    32fc0d047db480439b767c2caa1de31b

    SHA1

    c2506c93e5160d23b6f302ce38329331a9af35b6

    SHA256

    2488796931ed83c7e9e7c5231b0b48e6ba287c689710d439204f7f4ec678d67b

    SHA512

    8bc66273cc74fb1e004802a61eadf7362c7bc9da6c18f76c27d11f9074ba0bae2ae666f30e0d1711c92f63b84800511dc8c1e91bb5e733879a92ef844884fb13

  • C:\Windows\SysWOW64\HelpMe.exe

    Filesize

    2.9MB

    MD5

    ad829f24697ab5836b3e93d3c014f7a4

    SHA1

    b95d212648b5b57abe2a84190c351def10c85132

    SHA256

    df8ae02c0de4737a69093223c13326818f8e7ef3322ab1252a7e2d40b79221f2

    SHA512

    01c110bf6662b0df58a3ef6f8db64ad4bd5165998603f5d48dc7388cce27a306b0c41ea08985d331a44f8f422044cc44d8fc9048a6a346519776630c8ac72888

  • F:\$RECYCLE.BIN\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.exe

    Filesize

    2.9MB

    MD5

    8b6f46d0200e8410c1623abea3f7e8a7

    SHA1

    1bd4f2b999cb9cad32588c599f8c358a0fc2a59d

    SHA256

    bccb47ad76c890f55afd1d9b9321457659bd2e85e0fdcf86eb82879402de5f8d

    SHA512

    33688cb400a9e292f7166f72e8a1b2c0fb1006a33495414531461776a4b3e163f668b2d2d2b0f3dec27ab92efa8fc645882ccbec8790caf9aeca96d57d0a6a30

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    2.9MB

    MD5

    4e0f5f12d55728e3056fc3f9efacc75f

    SHA1

    cc73069286a96ce0892aca0e8294e3fd5fcdaeb0

    SHA256

    bb68a904e007f0d082785fc6a14530e18108815560ac7977e4eee9e0437c581c

    SHA512

    d03e4d85bee3e805e2a1d964157a01b4d83a1ef216f761127efa216a4a040a968e9728f7a3149d4478d2b0d3e0e74b84558044d6887fc0691536c23a5cda36bd

  • memory/2620-0-0x0000000002210000-0x0000000002211000-memory.dmp

    Filesize

    4KB

  • memory/2620-45-0x0000000002210000-0x0000000002211000-memory.dmp

    Filesize

    4KB

  • memory/2692-50-0x0000000000640000-0x0000000000641000-memory.dmp

    Filesize

    4KB

  • memory/2692-5-0x0000000000640000-0x0000000000641000-memory.dmp

    Filesize

    4KB