Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-10-2024 04:13

General

  • Target

    556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe

  • Size

    9.2MB

  • MD5

    556b72b555e97224f5e49f2e74ad3e10

  • SHA1

    3685319836e955eb42628ffd046b1324aa1edd68

  • SHA256

    fadc26c2cfe7142500358ab8cf5c0a678269e4f675f4ce759aaefe5bfff5a67f

  • SHA512

    5ce9fcced30d056b8c198047a9a8013d1cbfe7eeeb5de5d85fabee2f53a4c3afdeb395d115ad90ad4c243e4f86d14cdadc6b597cd7755fdba8fd5bf99fee2694

  • SSDEEP

    98304:4E2yIMzKpXOMBkMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMV4:4nyI2lLI2ly6

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  • Drops startup file (3 IoCs)
  • Executes dropped EXE (1 IoC)
  • Enumerates connected drives (3 TTPs, 46 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file (1 TTP, 3 IoCs)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe (PID 3948, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\556b72b555e97224f5e49f2e74ad3e10_JaffaCakes118.exe"
    • Modifies WinLogon for persistence
    • Drops startup file
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    • Child process: C:\Windows\SysWOW64\HelpMe.exe (PID 4884, depth 2)
      Command line: C:\Windows\system32\HelpMe.exe
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery

Network

MITRE ATT&CK Enterprise v15


Downloads
