588fc95593657472cd6f82ea5514e30f268f70cb11fdcefe26453a49e3228ba3

Analysis

max time kernel
145s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
Size

791KB
MD5

01db687f901bf71ab085868bcd4e8153
SHA1

96a7892ae24f6b8548d2dfcd503cfb4748eadf21
SHA256

588fc95593657472cd6f82ea5514e30f268f70cb11fdcefe26453a49e3228ba3
SHA512

d97ed9b671589a450dae84f61bcb86862784eb90229c442463d96f23f89bbe5b7e6b0964f8f034e71f55908019b48b3d7cae9ab49c98679dffe6fdd483e2c633
SSDEEP

24576:8Etl9mRda1FSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvE:PEs1Y6

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exeHelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

Processes:

01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

4180 HelpMe.exe

pid	process
4180	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File opened (read-only)	\??\S:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\X:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\J:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\U:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\V:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\I:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\O:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Q:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\Z:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\K:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\M:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\T:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\A:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\G:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\L:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\P:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\R:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\W:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\Y:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\B:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\E:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\H:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\N:	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened (read-only)	\??\Z:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File opened for modification	F:\AUTORUN.INF	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened for modification	C:\AUTORUN.INF	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

Processes:

01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe

description	pid	process	target process
PID 4876 wrote to memory of 4180	4876	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe	HelpMe.exe
PID 4876 wrote to memory of 4180	4876	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe	HelpMe.exe
PID 4876 wrote to memory of 4180	4876	01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01db687f901bf71ab085868bcd4e8153_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2818691465-3043947619-2475182763-1000\desktop.ini.exe

Filesize
792KB

MD5
5f99827ded849bcbdcfee3bf443138bd

SHA1
a966e41b418850403dd0df1cef788ab0100656b9

SHA256
517a3abbde478ad5bc0fd93c955b0bbf6a5402d89e4193a66c64b889b323b39c

SHA512
7e5fe43c77742f6e1af5e66023170d5b2204590ded1d35a3d0bde9dd1a76cd6812a9a8a756cc6a5605539af454dbf0d084e54b78cb302b8a2ef7a0f0a478cb97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7463a0ec3f672b029044089268bc31b5

SHA1
3cdffc99129d36a569a0d40a9ae94e18507a8a10

SHA256
b1f83a93436d84ae1b8ddae8f1e32f351e42f2d595ec6cbf7cda8ed1280ff7e6

SHA512
34b73689f760ab653e5a106faefb02305bbd0d2d3609b0d01ba47f2a9fc8f06a57ca1db6b448fb8b8c3fea44dd117cd58d4af35bdd2a92fb4aa1e26c0e7b2f55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
a14e8983917101e0ec912678b0fa9a66

SHA1
9ea96f0c5e89280e3cfef63cfdecb02ed5ce600d

SHA256
445a4135db3ea72d102fe6c0e20604ef861d17a8d7684025d7728e8d8e17c5f5

SHA512
0b653d25a21b397140f1a83b774a4cb918be955b60422734617953157da9196946a6818e9b18e963fd4357d12368bb483f2244d4cd5c93a9a78c1f9abc854ddb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ff0517e7e0abf7b9b0df3c8ccffbcde7

SHA1
8d42cfdc261e87a4b9d6559276fa221ec43b8836

SHA256
3911d2f696c10119ac8872845331b40bde545f822f8f9ed68c1938d1e7ffbe4f

SHA512
889a6d9a8f3ca8eca68fb23601e9de8ec638437e0890c9ca4e9108f8bd3bfb8113c51964683bc1fdd03fa960b2782d62eb46f68a97765700ebfdd6b6335e4416

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
653e66ef8ae3c339ddaf20c4f069ab03

SHA1
5bd3ac081f0b9473894ca62338befe6129e54240

SHA256
9d12d975d1aca7e9f9ff3cd8a751d5beb0c0f1075eab60380699ff8f5ed6a383

SHA512
44f154804e9c08277246d6f188c7304443bb38584e1d427408f4efcb2358b4ffc74550406eda24d12f0cbf77eea73451b126e296679200f7921b27296abb743a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
09ef1b6fc8ee4bac9af14cde23fff488

SHA1
5d494579b0269be7097cc1a1fc77cf09795fce89

SHA256
7f4d3c1b5c5aeae4bd43f45a2fb52a8b583422f2aaf5e1bd39993673f0824afd

SHA512
7a233bf5c776043c995406082abaa004b167e67cca3abebbd3469317bdd4e3f63a17c798b4aa2391c0e839bf6e8d8e5adab073bd257da180e15bccbdcf8e987f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
bf36a204ef028a0f1c4785cb0f905e38

SHA1
a5a5714a2bba9cfa3856ec08023e86548a323f72

SHA256
b1fb74aeb297ba5e5c1d4eb0a8dbb9b51e6fa4f0960b823a87b7bf7a8f42e883

SHA512
633ded40d3f867810cdfcddee1b48fd650f94eadcdc28c9784e970859dac2963971f68c3325cd147e0d1df0b77d458371e71a54d45f4bd929675673d8660ba0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c983e7420b0b4a2a514cdf92658c7894

SHA1
a49e22883abb3f120b3ef32a6d5eb10f9cba7f92

SHA256
00b2858646a09a1bb8383af30029cc072a6863708b6ace1f1851a8a6f777be9e

SHA512
ab69f702241e93654d0f81e5f1d40a8cee2a0c0cc4408ab1cf40cc86e8b3659beebe4258727194301cc9e22ad934936d4277a2e5e01d225e962fdb4c8a372a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ae645c094fb50a97b38cf087d97981b9

SHA1
aff1cc18b5a5efefd9f0047d7838d750bfd73104

SHA256
ecd8979fe1a835641263596461b49950464cb2818555fb732076216e0d8e0c5b

SHA512
c30b87364be68da020cb359391760cc8984ca8661ea2d95630d1795cb188133b73ce003bef39a1739c6326a036b28c46da466af54a88bb059e6f76457d0dc249

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
ff51c96772e10665af472728d6fe62c7

SHA1
d327c64209c08b58db189482b32a2c002e0c114f

SHA256
b0ab63963b048933ebfc0fc251ea6a82ead13f8b742e464b13e44c844c2908a5

SHA512
064a745f3f64f6361b43876605eea8edf4d7c83a897a51006e1a251109eb5f198bc0b319dcf17ab508a3feab82dc7c82ad5666cbd78c40b1cd7771e94020daf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
24066490bb0a62e0ed98dc4826e68bd4

SHA1
2e66d692ae28d799d058fd91502e9913878fab3b

SHA256
5ecaacd15016a86d6fa128417fea081010fa85a0e9b6e17d18ed830731ff478e

SHA512
dd31ad08dacf958b9192e9d88f6fff23a0208ca09e522318b3fff11bba4783df60d669eb00ab5fe60063aa9298bff7e7cac9bfb4719ed9c842d1fd0b45999fdd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
d81305e3fc2d083f9f96bd10bcf17c08

SHA1
e4d9eaa7b962ab06adb707a216d3e93313f2932d

SHA256
33762e2aefeffef5118077b1721d79f11d7d4e0ea11453d4c83e713990a615d3

SHA512
13c1dbb3e46211655fc242ecb6bc13385b39a503924ab5cff891f2b19a7a879c050f9dd1e6ce104438c9092225c8a005fdcc9b07fb1deb8c41cc7f64b0d8fef2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f4c8493268a408ff84b562c19f6176cb

SHA1
ebb4dd4d9d79d4b53760c532aa8258f8ab76c618

SHA256
bdec7cd85863846bb877a364fc4c9dbf9a6c29a5f5b1450d2a470a97bf4413d2

SHA512
7d728c8bd26714b63193b6ae457ef9a657e4a81ed63f3d41d856b0cb91e055c9966de94e11896c3d0d4b82a0303e144a33279ba5fd3d3ccc432dee7d2265cdff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
ae3d19f0d41bd1e412fe5a8fabbaa2f4

SHA1
8c3c99b5700d8cd0aa5c2ac855a10cf7682bc28e

SHA256
e5139eaec6eb5246807c55e06ed9ba4b94ca8abf171aaca2a1988a3f39ccd5a9

SHA512
12cf036369ba77921e2842228bb34f9f1054eac5ed99e1c60f167787c6566b2889a151810319c49c2fabc333503240e96e5ae1505736692bfc3cda364447ab8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7a8876d12eb3f1ee4080382dc5746b24

SHA1
15ebb28b35be956796f9f3c34c9a7e00222ad232

SHA256
509162c7ba67525a2c80aeb59b2a687ca6b72a68e47b9e07f8568dc6137b21fd

SHA512
1aa80cc03c6b931343ef5ac5c47cf3267f34662752b19c7ab2ea6941f15447b91067dc97316f487161e351abfe2356da48b20e2ee20c4a03b03a79dc7cfb7c92

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
2509eaf6029e6f5b8aad3f02808f9afe

SHA1
5ef266422585897b92859c549134799db6aacccb

SHA256
afd12cfc8bdb4a819359bfb4f9721514cf8850fcf97dda6193fc11fc77302141

SHA512
80f532a989404ba09de9aa136c470f65bc06d47330981af06eb7191959cae3084168a30b43ff1c0c7a03d8d2b1693ea47abe5958527eaedbbf571f14cdd09993

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3f6ba7280efd6567cce2e53b56f97ed8

SHA1
bfe361ac3f057ef96cca8a370a2b766e82e68a64

SHA256
5b8cacb89b6d136a20c0d897bf17f54ca678f4d753fedd6d5af1e9883355c13d

SHA512
d35ba3f571d4aa242d8318808a65be6d91c4b9ccaf56ea5482df8a2ca7799236864185ac039d30b0c1ecd03718de22c2b30d94412c56e7a18ef94c2e8e0005dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
219fccac856d304a64d18a63af32f280

SHA1
a489af21949fd39cf8b838118c81f15ac134a6eb

SHA256
3ac4b6335197aabc493e6467b57051e5e5330e5bf938cf02d3940dc3802e91f2

SHA512
f94f6068eefe61c7c94d79b3fd479c9b5db43dcf45db3c1aeb13ba19f59fb5153b0d28ce3770daaa3d4e552cfa627883134845290b80350633c4b4d7efe2cd72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
026bde6b6601f3c6b7bbcd50dd269140

SHA1
204446c5216b4a73134a37aed92ee625d07de974

SHA256
e3d31e1f133e401c1196440d67637aed73a1c6d0173e949f62632229b552a3e8

SHA512
65890fc9099ebabddf96d0bbf5b21c7d57c7b382d3cc8869d96af3c2b7cc1eedfac2fed1273f377df537a1738efa7269061d7e0da93c4edf5ea87fe936583cf8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
7368fd6a9f7b3cf04958647bec0d847f

SHA1
f19acb2df747556b55f432f03d5b5fab517e5342

SHA256
b17baa1658ee5db73baebd6871d5e229e2e341e7281e34dbcd1f9ff1322a052f

SHA512
9f2af16f955bd2dc23c117d911731558202d441f2f1c0dbd60c059d742dfcfddb5337f044c7f5a8b4dc62003abfac6afb8380239c31728ab58c039ea075cced5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8cac020c907dc0e1b5871c1c7ac718f5

SHA1
97b225d564d03ef9f2c8d8cef1051b08b108be39

SHA256
b16398f1e17e384b11246cd2a2a3eabcdfb1c2e771d7f4a901949b957449c569

SHA512
2cb76126fa36c8ca3cec04eee40fd7b72f0312359a634295691edc99237cc72aaadd421aeb9a88391dd77bca4820ea1bf6ff2b9dc1af1efe137c70b59035b77d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
ec02dda8c351ef0a0e1964c5594511fd

SHA1
281eac40caad667fc200e0782f8aa53ffbb39b67

SHA256
6ff4ab311b2d489685ffb97d74017c72620bcfff32c873feeec744827a0da8a6

SHA512
ad9404b90b9c5e1e34383f5c03b9ed5cdd4d022613d1e515fc83dbaa8e088af74239fae4db6b6ecfecfeec1e99385d5f0321d407575ab781888c111c41fef799

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
22542ea881d9328e21f951d911984196

SHA1
76d472e7ce2cc0a3f2ecb9fc5c0ffb81306f6e3a

SHA256
8691da28d93f4da4f8a9803a639cfe8c81d202313a8fe5ff6329531937d7ef2f

SHA512
26b4f3540733a61d5e2c95f67d79ff9bec68d311d2d7bdeac6421842691b988ff82f32a46d6709997d721fc45a5bcabf05d962e7e177df0c166c76286f49f13f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
630ace6bf6fa51a9098d02d4179f683e

SHA1
3713f88c85ab8f24ddf634f9b8aee7589da6ba33

SHA256
1585efbf555682256eb57cf872c0d50d5e920c9fe48260510c0013a0aa06ede4

SHA512
3d12dfde35e23a2f48085ae0a86906996e0f1f678d5d7745085c1aaad786ebfa840a1151a8946170b0c93cd8f5c7d7503f3694d77976736b462c5ad8026be086

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
134c852f0cd3e14ebdd077faf48ef857

SHA1
d771b476538d8138d9ffee04b2da7d267901b507

SHA256
508b904664ecb5c3485a2595317355e49ea1a2203449decbfe19e350a92718e3

SHA512
f38a9543fce8446770603fdfd34f4ff55212f8470f1d92a38b4f1ffb381ff5dc4ef81fa08877ca3cac620a766b7e7528502e6f597d12b3ece67fe926cfef0213

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
da8715fcadc0d9b043cc6c91393083ac

SHA1
cac53c71ef24d974901a1bd7909cc9c05da0a8f8

SHA256
7bfc178686cb9c669786130af62339c97cac133d170c874d67d50998566cb869

SHA512
1162df83f9729645a6decdd4429f217f5cee14a51e52b2e785072205d8fb6b51f9b7ae5320cac7f8706f5f5a1eadf01b8b1f0c4aada3cea9dca2f5169e2cf1c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
6c5030cde7882ce4f2f82eae0faca93b

SHA1
3b981d4af92e988fcea50828146c6ddd836ff8b8

SHA256
4547e532a8ee8cba78e07896bd8ac181c45a7d4c1a4c76ee0c182ef29fdee2d9

SHA512
d474c8edf3a5c6c4e6c767beb77154e12addf95c643ca89eadd39e80d89448e254ddb544a9cd9a8d6727a81b8a03368a27b278c088eb133209ee3e33f8d6b5b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
e6b984832c584c6fdea6a04f4f9161f7

SHA1
75abb1e8310861c9f85ee2bf60bf4bef743e2012

SHA256
25e5b47439b1d44007ea93828b7999b74e7ed2035d159df3ffc7bd95facbb00a

SHA512
64fbe147a0075ac08e5780541e313c41d0518dbca3fef1880e493c580c24d78cea5be79cadce5d019fa6150490220327124d10ce840febe6d7e08937e77a1b97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
eca17ac0e4408cc19719df99b9704ea2

SHA1
84ee1cccea64428cfe2c1d5d714c81772c4b6e33

SHA256
cba573f3ef94a31d744fd93395bfd7c721154a5e47789fbcc0fd25c86108d797

SHA512
c4c399211c68cb5ac705d669ea682ff1ed11d7a85216f134368c40f04f3e7852b5d14ea29a1839d2bd302bf93b1e6f373ce93c648e9913c159fcb59131af9cf0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
2173f04b319fdc2718a9283147cf1783

SHA1
f51863f8b9fd767a814e5c8330544b950005fbc6

SHA256
8ac178ac4f4e10093df2ac5c5e5a01497aa4338ac8751a381cba20465c07ff16

SHA512
e8d227e7d4c3a79660967a6b607142aeccb98975e3b9530f3e86eb3e70ea9406b6b130aba2d3bda7d19aecb0ac0a03f9ea50dda24760ad1a362e6ca87d7d6112

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
daf017616f9ea63125f5aba1f55f51f9

SHA1
2fafbe5296e787da09f82dc2a39c050ffc849e4d

SHA256
0b96438afb0e311eb8a77ac1adcab0b0dfaea713108d38f965edd953b332bd57

SHA512
fc8ef3977bd601a32791de42ea8a9478be0dfdbf5b893766e438873ffae6268bf37ed6051ad00e91b17bcc30fa32df36be9607148140d736e53b5a43b449b7ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
e0f7ca66ca9e950796e2eac3f6da24cc

SHA1
9a62c0730d08dfcaa57196103cce44813c55e31a

SHA256
ecd1072d469552e2b14c120c27c0606336ff4138a47a1a4a3503e0fd9d0b31af

SHA512
42e7596269c798c46f49bd6649937cb53e1f600ecf492843f1b64643ec8778946aedcf11b21110c435ac0605e174f2a80e62f9868f7f39e169cf71cbb88d51b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4ac61bfa3efbdbaeb1e7962b8e315707

SHA1
bf5e7151afd187b39b51e387a9d483b4a8d82524

SHA256
cabed980ac66983ff13a41ac1349caab3e08ae9aed65c464c281a1549a0997ae

SHA512
f76bd2b0ea6b65e0e3d9ac4ebd510df5dd4cd7aa4167944533de254ffd9a3845c0d218ba049fee737a403e310b188f85262dac2935c260a86162f4d7859f6c1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
b2e84308ca2e1e0bfce77b73460be1d1

SHA1
3a4bd00e6314b29f074ef946781e9c9c9e7c2ecb

SHA256
cd67159ba04782b1c426a7800f0578bfb395421142d24f06774a8ebcce65edd6

SHA512
d71cfd75c0ca2af28f2ee9e27a76071b93d01a58f7f37d4b0ae7691723375e58beec216dcd9bed2bb83306951862402f47a671af81270ac7bf4e69c7295b89fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a5ea557a6cb7d92d8e7662dce69abd41

SHA1
2d9a859dcc447c80df2a2d60db94c5599e2e7b4c

SHA256
cf8e179c1fd2a5185e93c06ced64e3fd0e05e6710a295fe03306bd8c30dce4e6

SHA512
5d667de93acb14a8d95bbafd219e0c6b8b388babe9d557e1e5e5f3cb580c37218d0aa12a349a396bbcc554cf526e9164afc4d12d5cf88492258b6bf2c41e0286

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
5e280488e20ae69c4b3f7500153b1920

SHA1
b9c09a2acdecdd216d46272ebab0ad4f19b71163

SHA256
bb79c217886b7bb0248e00ec20514a5f5edd91f4707404a1171e7fbf85e1ea19

SHA512
5086423d79e2e640c86f7bb96e5b8a72e17bd4c16be1d3d9ca46b113b851c135862f91ac49417bded72cf21dfc0fbb63f9812c4174c744f18c2e7683bb522d92

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8eaff1cff327f01e87e3b17bafb72ff2

SHA1
cbe6eb02e034fd0d15d248546a44aeb1ffd059d3

SHA256
9aa190c4f8ca6d658abfb1d1ee809f4bd550bc72f121b161b693362b2f35955c

SHA512
06ffb0648bbffa502ffb7feeb72f3b36705ebfb74abc4976100b19e64e1eee178aa6360d91a1c24d60828c784cd38e6981fe222627d964ad4313bb1fb35f11d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
c1d90605d3770925f1a76868d1c8ce4b

SHA1
542a800217f15477f069f1321f05bcb38dfdbff4

SHA256
f3181846bc223737b5623b195b40ce29ebfb716f395841f59442f349315fba9e

SHA512
c90746a76d319a1ace0078f080a49112792fe17a653246d4788a4bc08af446b6274c64c6be6dd146796fef2102a4848ff99b21f95455aa0ccc4d3fe55ddb48ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a5a00aa2fd6d2da380c732359da3e79c

SHA1
ed4ff32dffb2ae3e0c010ed5f60b782c45cbcc33

SHA256
19935125cb796b354b61040327e59ad481929c191880e6697dcee403d13c8f41

SHA512
412f95928b9426487cd9bde4966d354bca32c5592546449d79a78b5be48bdcaa86c22327ce1e00f17d2e85dda12ba9b07ff3c87687bf1cdd04fb6352ef617078

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
d18fe139ef8b6ed80de4f009bfd2844a

SHA1
f29fb67d47042b3f635da28488abd4963daa1883

SHA256
2a7bd6552fe50a7fed3e44d4fc782c5f737aadcadf7e178a1d954d3a1e8d8463

SHA512
710f676f7809df76b5b550eb45bc6b74157777acd10fbc03e80ca97888abfbbdcd47abb7ba2c78d79186dcf44ba2fb25d1624ac4467182dc89c43ff9eaff7f04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c2ebc07d262c8c18d89fbfbf7d5d6b9

SHA1
f7878bbad5cf04e010c6c008c0f48e8c2f15149b

SHA256
8c0d06b48749a6bd764ee76201766bddf784396e42e7ab2795c11bd3e5d0983e

SHA512
004929b548fcbdd1510b969acad4dbcd52692425c865744160cee9ac0b2e256daaa4aa1a76efe70664343d15dbe24ead8f50254b08add559129b19c4b9f2f29c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
0be8d4ceb3c2edf1da0a95b25dd19321

SHA1
5898972c2bba76a86f51f66d60bb4b1b6c8109af

SHA256
2c04de318daeaa6a1fbaebb5b3536161875a8a8071891300d2b80482f6e9deaa

SHA512
4fa5aeb1d461786ee7f09a364e463cf60f5ab47f156e166adee7e4a1e686f12c7deeca3988a074980b18a82246470000cd437a268a3884ec2c5e841708e967ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ee5b7bd2c51659805f3207e61d4ae8b3

SHA1
94e97d7462060420668bd5cf7329a2a124309d12

SHA256
949a7b7c255d943594dcedccfb172c7b2ca0dd114778143dba02d7b1a1b869ad

SHA512
456f1f0ac1085b17fc22b98611df45b106c3840eab0137859d4a8343b6c0dd4e813e975b4f781acb2539e683ff7ac3cc70cbd1c4f61e15639c0498ae05b40023

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
2f90f7e71cf73686b07ccaead05bab77

SHA1
34d237fdde90a64019160223d5002f1c6186437e

SHA256
6cc80e76fb1645d7bd3a4407487747c7176f14053ddc08b75c0fafc9f32e6ca9

SHA512
19eb6b3a288017623e5ac10d9e5952b81f95f373936db41b09546bcd9bd1e13457ff3bb80f2a5142dd923312f165da356da6dc0988d91be71c5d67ee7104c407

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2d48da3056b329b890207c2413991296

SHA1
566e81d04cd41aaa01c60298cc2852fa73f34639

SHA256
c2c9e5775c3fc7fd2003e4a3c317dd4585bfac24559bfe3bf1d360187272003a

SHA512
c4068a24bbe6c4835014b9e31cffc08126fc5688e33536b4b422fada4c637c501602e82587091a56a9601b4424f07e1faa2eab92c7ca7d23f79755aaf316af9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
bf753d2aece6f52765f28aa6a74713a7

SHA1
386edbe3c28bb2f5e0232b5b8642fca446e63c14

SHA256
753e3fdb35dca7b402f1fa101854f8d525d81b0d5493fd8e43679dc38446de19

SHA512
3b7ad4edb8642bf3e33773ec470a0dbbc283ff07b972e30365a3f70887fa4a6a21a7478de17bc2d68f27c92846b73e0b503368f7cc12eb8d0c3f4dea775009eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
419149cd582eb571b0029e3531d173d7

SHA1
abc57690e920c8be8501da2d9414848afd56583b

SHA256
41a35be181387b676606f62eec47aef7ddefd04421534f29df3497e8d392151d

SHA512
0f84eda953f287d8d6a6fcf46b59b8b754d7aba4e6ad837a15075bb5f8e9137204b86ca8ed4249ed7e7efbb238d3d8e90277ef73f25e47a6422c7b8e9a6e933e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0234b9080e2713688ea4691068078d70

SHA1
4c16d61564bb9aa33bd94c459a96be0376addea6

SHA256
1f9101ceba5279f9101b6ecd60755135637202e03831656ebb279bd1994372eb

SHA512
b9a03bc29b62d03f062fcb865946f06c56b9d13850c0151740975df9896ec7f00bde743aa17dbbad20e0066f1e302c151f9af0dfbb5a3b33b4d9f1ea3f547a73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
2fb52e0de22223aaca9db52fab254562

SHA1
2e4ad6f644fa3723493af0c0f26633c27dd538a3

SHA256
d1de24bae62412e680af97fd354ab71b1d14acda64642a321bdb2b2e2682850b

SHA512
976fc8ec29bb56eabba7488808871c69719c5bd84b1dd994c7226fc1163c5ec8fce2c96baecffe389f1bd09e7b155cbc708ccf162a597b81615163f380c961a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ac637ba5caee023be8f08e21aa149300

SHA1
572a6ea42894b34630516f7e0ace8e84240dd790

SHA256
c1bb52140785bf05339d9f37a930989d2aad0551bc1e8bcc3154fcdd7c918183

SHA512
f7db7ff8d083597d90fdaedc012f69d12804d185dd0dc22130348641932b8fdf695c9472a6946078bd54e538e4033f77656b18edebf81da4350157f601fe3923

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
300025c2d69d1e2ce1f27e4b5f059e31

SHA1
394db6f9c2e066438383acfd884f61a979d69a3c

SHA256
86c52a3da006efa9ac2077830b04f2204a5a474ee2e8a31c3451c95a80711465

SHA512
9cf00a40e458ce2f7d0d097b211d91bd682fdbc57b82c39be2182d60eb9dd47e2b9daf0de148d49bd2c511b23417dc230ef516ea12986becdf83e20862b015ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
db46834362c8d6ff3bdf0e41cd0836d1

SHA1
c2b88d964e407117e26339bd438ac73ea6468b2e

SHA256
2d71def16aeddd1c94d9fdb000697dd13b74e3c1399320b903d63db1935998e7

SHA512
b0903363a95459cccf5f8ad22dcd9f993a25fb22ba633761ec6dd0deae9e1037955dd76b1814849757a1a9402562f8396f9d68aea701a4951c7aba60a73c75cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
e060add9bebb54764ed14e9dfa8ad367

SHA1
fb078437ae146fdaef3fd1b527baeaccf8b66e83

SHA256
8d6fb3f690b26d4e3906f8db6bf44e3c8b9775cf2aa0d19671d4ff2be76a5f36

SHA512
7adc6c43e4befbe51438cf3e8de3ba3ed49bdef77d826b53174c5d6537a2504d8db23cc37ebb12ade5fd004e01b07c386654928403b5886ab2b37309ee8ee1a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
150482172c0df197acdc5acf1f76b6ef

SHA1
fafc9c34b51a8166978939a5da4106c594549900

SHA256
bec369c1370f0033f120211710f1cb2f38708cfed95bced6c19554b90b5279e6

SHA512
53f577fbd892942a2e0da94f42941c75664258e0df0b385c9419a135f1ac10dadf0fe5d6086cb8a8452e7deff4dcd7700871316e69b394b42a122eeb8449fbad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
ad5a7dc9b72160a5a1effb40a6fde1ec

SHA1
27872412a0647f9a27872683aa75a2210cd9aa2a

SHA256
d0388c3dee93a1ba4c419052625ffbe391f432ba3d11370fc9dd675c000940f7

SHA512
4340d65b1547e7f6a0eb1e00fa29facfaa5881c91f5d888487fb9502bb2329ac86886cc97aed6bb6abb8512e8d7de2d07399c0d7e3eb9c94a7ad8d9671a55838

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
790KB

MD5
3880dbdc14fcfbd6c988ccea31577d9e

SHA1
05dbfbad5367090253e72d61c1694d4175e06e2d

SHA256
5ac84cd59d51d6c80500ad7a81460de04c92961cf92cf41163af7e43e91a3cdb

SHA512
32eb2d86f0458e2dc11a97e89cc96c4c7ff8375a3f50bff3ec3689580117f8cecadc4519bda381f37c80679d8198ba0409c3eb54b4d98abe872f03427c1b1fd3

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2818691465-3043947619-2475182763-1000\desktop.ini.exe

Filesize
792KB

MD5
dec886414d1680139af4bd8221ff00d3

SHA1
118f661d146263420ed84328eb7cb48a8f463b3d

SHA256
2e5025d590c329bee77821d247e44c7aee66f1ccc6a288f0cd5065cbd5e8c035

SHA512
ce90a3ec2e20b65a1ef38f58018d43b54ba5d3dea46d033da244c79e26f0b1f7064067c6d621fd713263fe831d8c44b60fa7f69efd58289c764ca6e15ba5b5a1

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
791KB

MD5
01db687f901bf71ab085868bcd4e8153

SHA1
96a7892ae24f6b8548d2dfcd503cfb4748eadf21

SHA256
588fc95593657472cd6f82ea5514e30f268f70cb11fdcefe26453a49e3228ba3

SHA512
d97ed9b671589a450dae84f61bcb86862784eb90229c442463d96f23f89bbe5b7e6b0964f8f034e71f55908019b48b3d7cae9ab49c98679dffe6fdd483e2c633

Download Submit
memory/4180-57-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/4180-5-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/4876-56-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/4876-0-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download