cc15b6e991275ac051ac86e07a59debe4230183a2a53bfd2e682310bbff329a6

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

003f1fa80e9c1b9b2dd2a12c0dfcf225_JaffaCakes118.exe
Size

846KB
MD5

003f1fa80e9c1b9b2dd2a12c0dfcf225
SHA1

669ccfc57121f26b7a328f4c8ff0a4baa0992541
SHA256

cc15b6e991275ac051ac86e07a59debe4230183a2a53bfd2e682310bbff329a6
SHA512

101945f3bc90a923e447778ec5c4b401ee7640dd0abda3848d9cc5a5de611543ca526ce560e74fed98df2c6a5589fc0b3cbad2b42c4ec966383232ab941f9c87
SSDEEP

24576:TEtl9mRda1cSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvk:oEs1hu

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

HelpMe.exeÿþV

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	ÿþV

Drops startup file 3 IoCs

Processes:

HelpMe.exeÿþV

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	ÿþV
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 2 IoCs

Processes:

HelpMe.exeÿþV

pid process

2412 HelpMe.exe
1332 ÿþV

pid	process
2412	HelpMe.exe
1332	ÿþV

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ÿþVHelpMe.exe

description	ioc	process
File opened (read-only)	\??\J:	ÿþV
File opened (read-only)	\??\K:	ÿþV
File opened (read-only)	\??\L:	ÿþV
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\A:	ÿþV
File opened (read-only)	\??\S:	ÿþV
File opened (read-only)	\??\U:	ÿþV
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\Q:	ÿþV
File opened (read-only)	\??\R:	ÿþV
File opened (read-only)	\??\O:	ÿþV
File opened (read-only)	\??\P:	ÿþV
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\B:	ÿþV
File opened (read-only)	\??\I:	ÿþV
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\H:	ÿþV
File opened (read-only)	\??\N:	ÿþV
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\Y:	ÿþV
File opened (read-only)	\??\Z:	ÿþV
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\M:	ÿþV
File opened (read-only)	\??\T:	ÿþV
File opened (read-only)	\??\V:	ÿþV
File opened (read-only)	\??\W:	ÿþV
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\E:	ÿþV
File opened (read-only)	\??\G:	ÿþV
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\X:	ÿþV

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

HelpMe.exeÿþV

description	ioc	process
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	ÿþV

Drops file in System32 directory 7 IoCs

Processes:

HelpMe.exeÿþV003f1fa80e9c1b9b2dd2a12c0dfcf225_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\notepad.exe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	ÿþV
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	003f1fa80e9c1b9b2dd2a12c0dfcf225_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\notepad.exe.exe	003f1fa80e9c1b9b2dd2a12c0dfcf225_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	003f1fa80e9c1b9b2dd2a12c0dfcf225_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 2 IoCs

Processes:

HelpMe.exe003f1fa80e9c1b9b2dd2a12c0dfcf225_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	HelpMe.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	003f1fa80e9c1b9b2dd2a12c0dfcf225_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

HelpMe.exe003f1fa80e9c1b9b2dd2a12c0dfcf225_JaffaCakes118.exe

pid process

2412 HelpMe.exe
2412 HelpMe.exe
184 003f1fa80e9c1b9b2dd2a12c0dfcf225_JaffaCakes118.exe
184 003f1fa80e9c1b9b2dd2a12c0dfcf225_JaffaCakes118.exe

pid	process
2412	HelpMe.exe
2412	HelpMe.exe
184	003f1fa80e9c1b9b2dd2a12c0dfcf225_JaffaCakes118.exe
184	003f1fa80e9c1b9b2dd2a12c0dfcf225_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

003f1fa80e9c1b9b2dd2a12c0dfcf225_JaffaCakes118.exe

description	pid	process	target process
PID 184 wrote to memory of 2412	184	003f1fa80e9c1b9b2dd2a12c0dfcf225_JaffaCakes118.exe	HelpMe.exe
PID 184 wrote to memory of 2412	184	003f1fa80e9c1b9b2dd2a12c0dfcf225_JaffaCakes118.exe	HelpMe.exe
PID 184 wrote to memory of 2412	184	003f1fa80e9c1b9b2dd2a12c0dfcf225_JaffaCakes118.exe	HelpMe.exe
PID 184 wrote to memory of 1332	184	003f1fa80e9c1b9b2dd2a12c0dfcf225_JaffaCakes118.exe	ÿþV
PID 184 wrote to memory of 1332	184	003f1fa80e9c1b9b2dd2a12c0dfcf225_JaffaCakes118.exe	ÿþV
PID 184 wrote to memory of 1332	184	003f1fa80e9c1b9b2dd2a12c0dfcf225_JaffaCakes118.exe	ÿþV

C:\Users\Admin\AppData\Local\Temp\003f1fa80e9c1b9b2dd2a12c0dfcf225_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\003f1fa80e9c1b9b2dd2a12c0dfcf225_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:184

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2412

C:\Users\Admin\AppData\Local\Temp\ÿþV
C:\Users\Admin\AppData\Local\Temp\\ÿþV
2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:1332

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-259785868-298165991-4178590326-1000\desktop.ini.exe
Filesize
846KB

MD5
b5dfbacef11bd48f0d84da2fb9052dab

SHA1
5d0c50bc8647e71c068a29530d917d2d34cb72fd

SHA256
e0de2e62d4d302846620171d78996dae4982bed1a9babc822fc5fce6cdf12e74

SHA512
aac9f01892726abe794855eeaa05ddedd77eb58645301cf8331cb5eb6000fe05776fc7dac61754b22f70d79aae743f8f6382a26dc54d49476a3572ace9b2fa3b

Download Submit
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe
Filesize
1.6MB

MD5
0866abb82eb03c859677dc4c0a5c8141

SHA1
52bdff01306030714673fde40b02a586b7dff7e9

SHA256
be137b037d87a10d1d06c6a8358b8da626f80a322fef97391c879d39cb678ae2

SHA512
9e44dbe1bc27a43cc923ca4e0d37653af44b931da64999cad8ffcfff20ba60fc10ee9c6e22c4a1f35499dd8e7c519eff286955ba135adeb4af0e97b9702e6e72

Download Submit
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe
Filesize
1.6MB

MD5
448d6b628ab57d8353587e4455a455ba

SHA1
b3c743396de6157456a4e36931e1721afb36cf53

SHA256
2394f458072f97b898ba4dc47c95d0c186bf7743a75695d06aa6731533158903

SHA512
4ed2646b850ca521af8e5048be5a5c20d129b5a1869b356f50d3157eec956ba3f416aa12e405cd30089e3fe879196c25ab23a5f3beaf26be971f9b63136683aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÿþV
Filesize
846KB

MD5
003f1fa80e9c1b9b2dd2a12c0dfcf225

SHA1
669ccfc57121f26b7a328f4c8ff0a4baa0992541

SHA256
cc15b6e991275ac051ac86e07a59debe4230183a2a53bfd2e682310bbff329a6

SHA512
101945f3bc90a923e447778ec5c4b401ee7640dd0abda3848d9cc5a5de611543ca526ce560e74fed98df2c6a5589fc0b3cbad2b42c4ec966383232ab941f9c87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
11613b58912f6fc48964eb5b6128e2a8

SHA1
72f03bbd0183c7af70e5e0ebc8bb90064e06dc13

SHA256
f81757161dc7f3eba76234e8d2e553cd97edd601821c7687929bb4fddbb992f0

SHA512
6b8aecacfee96eab8f21c80feeae339bd84fd710df70865ccfc7eb4d0ed50348f7518f6ffe6f05a52ed30003abee604d34b34bee9f7c857d1c00c1842e196135

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
2148bf9f90130002216cf4b69bc9e9ac

SHA1
4685a0e8f3ff88713d8eceb27cd00625540f4fbc

SHA256
4cc226eebfc92055668cfe3ec3eea1a724e43806ee679b47d540ca9239519dbf

SHA512
4fd21f1369df0747b8b063a44ee2ce049c19493ef773b92688d74b40a806ed9dde6bc634cac7ec45dc41e34878bf6d0f241bae23dd505ed2846c27f84094edd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
a5cae6b4459a6a06abe6f4856db91855

SHA1
cf222a6168d3991695026888c6c30e965a93c9d6

SHA256
52924e294693a5041e7d290d354cb04306438c2219a2e0c6430fe2f25be4da40

SHA512
2e0aaee1f2cf87dfa45df18eced4739eee7dc846c1e08a7931bf515e7524c169cb3d646a3cb389deb2c23c9959b153d8e5a7242780fe0bb84524c9d1b3ac2113

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
f8bd6a3bb57f6b0dcd52f4f4392a0ca1

SHA1
3c6d14370bb6b6474a9762f3d375defa9deb61c7

SHA256
80c5bae1fdd51870137dff31fcd89af8afe775881ebdedf774b47a179fd52fa9

SHA512
b58c0f53ded338f414a07d07f0b68b7dd1aec86b52d085d8df1c1008fd9a9d668366b1003efb463476b167f66dcd20ad503a37f49cb6e0c50693c613485291c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
44060ac1efe8e31d0e01136dab227229

SHA1
cfbf81a46aba6e9a19766d75cdfe8bae79d46cff

SHA256
e0ea91803a2a7cacd957fc9309fbba3eb0bdd109a3ddaf4c2498fdb36e1daa51

SHA512
7d3a001b33151687f15c5574281946214baebab85b9d2697608a90f59353d3db5f0aca515bbc2694793a7b5d36d8731c3832cd303050bae496b55d5019757a51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
70dd50217719d3c44e36fdac4e00295a

SHA1
08d43cbd38148a8fd3d66f04dc7f99186eaec52e

SHA256
42601277c4315539b59970278b65ac8fb5236ebfdca8c9ab050e53ca59b4ef64

SHA512
eea212b9b33149ffea2069a41d68e9fcd263dee3973daac09ca173a50d330847475ea4b3810e9af45ab625cb99809a3ab09fb656fcef7ad9971851b894fa2466

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
c9a2a3ff9e026495af0f32f24fe89e2e

SHA1
a9d93b8d359bed4e749959858ac8e6a61739f55a

SHA256
3aed1e226f79fc19fc76f2de6af02827c9dc2ea8ea02997554996af7cbdf7eb4

SHA512
2c34f688e1f4ec16cce5177bda4fa9ccec07df0f87bcad476571512de501b0bcab85319aa5bf8ca8b09d4bc5fa831626fd39764f31a60e135f63ab6ccb9b7daf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
df25fc0caf3cf237a4ec6375254d9e3a

SHA1
cbe6f97ae4885972e1bfb3ef7a7ab67567732c8a

SHA256
38b63077534d63b8c102f1de4b2c99bbd4d2f44ea5309c7f04149b877cf57d91

SHA512
2e3a43e252f9664fbe2453384e1d10801a364a749c72a5c38b022d3f275c7c92b36804e0bfc74ace8eefc2d0686222a553604af7c8c4ce87b2779ce8b454e7b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
d45a01903452c78646e555abe45f4a03

SHA1
0b12585267fdafd7785f25bec886d450ef437e90

SHA256
a77c0884d2923ad46394d4f81e56b996e1191e980a59b1c02e011fb9e8143f05

SHA512
6ed95af4c0575e6c4ad9f575f145089b9386f22414693248cb53b52188117590490db97f7965bc57b4ee05de273271f4dd8b785d74f970c29978758d527f8dd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
cf02a18d20f36cdc9d036bed273aac0f

SHA1
1017ee6c707c4fa0fddac89016ee3a691ad5c2e5

SHA256
9b895816d0dc88d5cbdbfa5b472428cc204ae27e0fd0c89ecbaf027ec47631eb

SHA512
e410a8e8e35b1691b52cabb050eed8bb5ca7393872df6225f7cab9cf7f6d18d91fcb777c925bb3b25c72c6e2c881d62bc02d5090fba30c7826df509c16dc7bdb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
f867f76331681297fb26614ccc9e5bb1

SHA1
8e1b9d6ad3b2fd0b6538c3964db4788175dd1fe5

SHA256
2944fa0eeab18935ecff3ede21ea87ffb13857f306c9ddab163c32cd440ec523

SHA512
0542b4c3e475cdb7e553378e4c151d18354056089c5c7896793eab63b6572f47d7bfe8dc8d7970cd6d4946c9d24d48be7936a76fdac2a8f7439a2c7ebf33beac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
0318c3eb02b519d6d484b2f43135c34f

SHA1
520ce730349a244a61bb7bfd772d02b5b8a18fcc

SHA256
351ca711a9d804ddb6b0533b8830d8b703a40b0b707375c76ba986b1bdfa847b

SHA512
9e68beac397a7751021f7f241d343ec0c1b4792e0b789b119414dcf26e6ce8cd9d22d727a5166a697ae07f97e4e01e83aba158da1b01addb2f260591968308bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
4a9c9e0cddc74294fe44d3033b89f09c

SHA1
d10bd863d99b99389cf3ac76dfa773e149a1eaec

SHA256
b13092ee5d5cb73917df9b927b23f9debe9ba86b28eed29c8733194c2be7deb0

SHA512
e01282fb6d73ea0a938949740a2cfbb1a8ea2adf40ae6f958a4f5d6e7f501a4ce1f260351b0a9a83388f61d916bb0f5cbb83be3a4c6b6e6cd9841223d908712d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
ffe9e1460fbd8061ab18d8a28758f047

SHA1
101704d5b02b3e54406576393d67a8e04e1f2f4f

SHA256
248b7194146a880cb9dea8296c41db3132aacfa2a17f4256dbbb4ce46839606c

SHA512
d706d5c882f2c50caed27358d748f63d332e899fc2541f8e8983e5af89c2223bb6ecf6340005f42dbf9629fb9563f332a059d5409668f2e51e3c8bd28399bfa8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
b1cf282fa7dfc288430051e2385e5ac5

SHA1
5f53bbd06f8b4c3343c9eb1b32b8389c25224806

SHA256
8ddecbcaf0fea9a3f2268805c21b4b8fb8653bab8db512d85d998e32c15f0718

SHA512
e44b1dae89093388f82b3a24b6e35a8c1246f73bf2af29953542c592b87e80394e5bbf869e149a8d26c411686b64cff25df4082e63e796fbdff1cc74bed4f93a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
2eb563cb0da6180fa6f7a7393063c072

SHA1
602c5d56cf59df5150c8e9a1ce1abc607716a868

SHA256
b28a8cd9076b11548b92e103e11cf9e048968cb760d40b736265930e6648f071

SHA512
a50ffd83f86bb00b94ab680d0e8f39c9759525ebcf0aff8ac6187216d1b2521ed874fc7ad767cadd5df1b963c5ea2fbee4a95643c6add4cf8eec4804021487be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
c2439a9cbc25d5d7f9b0bc88fb5adfeb

SHA1
f436971890695e2b66f365706f4cba042ac84808

SHA256
b464ba4faa10a0b844368eb38712019884c664ce1bd7636b8bf9ab6a88e857c1

SHA512
5e4d3393b696541f927238274c03a72423a476c31ce24f6bd1ea56046dc51f3076d1236ce220e747663a9731d0fd82a103660fed1eec97f43355aaa046f49d77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
6bd460eb13c0b0d178450bff05b22f57

SHA1
35e23b56547496639fe742236b63da4e68355a16

SHA256
3231dd008811761695b420962074f6865b36638e93f79f199206781e73dcfb6f

SHA512
7b95c568b5b4f8f0cf7c4774cb421f90760ef5fc1f09e3c25fe013c997f4436d34b9ff54d3345d30f8e440b8ab3b0f10b84c0ade041460b402292e7280caf5af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
f6edd1e841843006b00f86a7ab3d2df6

SHA1
e7d108d03fc1c40b63f7b6dd63e36abe01b4617e

SHA256
b86e59c4bb832b5044b09c6a9db23c57cc12c5747cdc43ce0aa32dc96f9776b9

SHA512
b2ac1f9d99b085fe071d5db3f04b92f6379dbe076751ea7a7addb092ceb762466c532923da65bdbe92ffd800417d3a051695352898cc7791c8503742194dd2f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
922b55d3338608963fb599dacd805300

SHA1
d064d911312fb2a2043521b8adebc9de21adccc0

SHA256
f8fd1bddcca7923e0be59003317c2242603fa46336bfaa1577ed994882188de1

SHA512
0f72c2a4473db41ddcc20b51007cf5e780eada0cf460b006461fff494b519a19fba3efaada339dfae9c0c202a4c808aacde10e1e119b04b9e0fc45a6f58f7745

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
f82f28b5e1bd45d47b4e8c5dbe922921

SHA1
0be540d61e3548034882691acff5cbe00c5e6990

SHA256
03bc556c29f981e4c31b7a68d008f60def1948c3c725a9dd19fc4367cd55b198

SHA512
c6f5d3945516ff03f957881dccf89fb522fb3baae0a0cff7a243f67d5ac55171cee154380f7c017ae924f32a59164d7335628704cb644af2fc0a3ed29c0e94a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
70db7f4b008ac40bca7d18021b1c92c0

SHA1
ad57de162816802c3bb41816bd78606fa6b2a170

SHA256
4e5093f12f42463ca3ed58c5e747f88a8b8f045a7cdc41715639d4f9e99cca4a

SHA512
2ea22c9ae2d2f2bcfe89f16636f8007e14caaace07777f44f7a0de4495f8596b61fc2d0d26138da7ceee4a3b2ae3a3dbfcad1601706d4754b05a582a2670c0fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
3854496aa63062ee1408d4d684c1826c

SHA1
2aa2ba50ceac102064cbca0b3dfd807d5fc7def2

SHA256
e005ebc757567dd480175d3f71936876b70fa345f508b9cab855f20e27409bf4

SHA512
41982476745f4cd6cdffe77851b9d688c6b1327bf108664153f5ddf798210c8f54a913a45f2bb3f03600eaeb8c1959ed644e64f6a100da00a3a20d72914903f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
8c591ed04dc2021ba782cdb1efbc0df7

SHA1
5e96adad18634ca7f1e7aa473e2cb2c9cbed13ef

SHA256
9b9f1261d89f282ddfe092aa5a79a8effaf64c7ea95bcc7116d93c8c24ab5753

SHA512
97ae0948705e21ff369e7eb0c06e9e8aa1a28eb3c71a55762e047ff9934d1fad97a0d2844f091864fb825d21785f3e2f535c9e2a0141da90cb555a89713b45a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
494975ec401fd78988fb3e6ec578f543

SHA1
987a729fc67af1089b3c4e5fe00cd677e45fff07

SHA256
92d4ef1f341b78462a405945de1cee43ebcee8a53003bb601dd24c12e6fef405

SHA512
77cb6f82a93539040b0f6d89c04f9f41b0c8a9efaf2922e1e9957d7b3fb1ed2b8e8cc6dfe1c7a2a8d05fc5b99660bd56dc8a3f9e4eeaef1a84f66942405e41a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
afde575994d7974bb1ae0ba43fae5a75

SHA1
a6214faf4c924a71f79d68ad183ae30fc36ce5f2

SHA256
b08e847474e8a554b4d3cb20c15d13e591b3305a23d150fd5ad92af6f76d0e4f

SHA512
b27ad47f5a1375a515fa2c5f456b37a4201b46c4c8a4594fb0d3d1f5f39cfcd264923dc89b78d7ea5ed2e6609e7a8fff3cffb3f19c22819aa10f68773e7686d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
4b92d6408fd8ffd9c3d29f0b8302d2be

SHA1
b61a2d78ed85105291c05a4a9ffe6866dd752c0b

SHA256
ee8ce8e3dde7b0677852ed59a0b58e23a38837cf14f09d98522f1c5ffaf489e5

SHA512
12a68d9c2fc0d6a9792ef7428d700ac3da01af3d0f8e6acd9a62ccfd454128976663947b4f4d218a1727e198b47347d22bbe16c36ef9d0aef765e8ffb56715ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
19853e75d89c6e68f1715c4e1d658e0a

SHA1
349be0203705ec9af725fd819a62e32defa12472

SHA256
2ee0e0e695ca092b6892049ecbeed11e0b9f8e966fca4bdfb2c874eb99be8190

SHA512
4f7fcab10824e786aa1baea20f8f3e0e921a2aec64a835f226b4565f8f452117cb8f083b6bc4aa1aac3832b13c74ec69bc4a1f9ed86296d8c2717c7a141e40ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
c67cca8df3e1d9e5b6d5221ab85a7428

SHA1
2db0a716960a4f7d8a2a01e26a4aff1703a6ecf6

SHA256
13bc66452ed5539e390c86df1de8c148f503dcd3e1c4458d4b0520b1c48023e8

SHA512
2f0327df71c1313a20f7bd38feb631c9b5e362a5acca833d87ecfda1dd24b049a6ce1a2ff4c45f4c9814c7398238054b26252632f195588a5c359763984063d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
6b6eea40cb8d133b29801f0044dffba7

SHA1
54e152d43393d46e1b0408063d59ea0317caea64

SHA256
be0e41fa1f1c0488392cc5b09f54807a3f208962724e1cc4649d4c2cdd4b5e87

SHA512
50728bb16ea2895843a7411953153fcdd20123aa8747767a7ad59fe1d8cbfbc9ec5cabacd896daeb7cc0d3d743cad7e586d063a6f2da8274815aff73355359e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
c205b1c179db4d97ef67125d98e879b6

SHA1
f58bb5a87dc219a523df80c530ccc6b3d3a2412b

SHA256
c76b866c723f899f091e2e519ccbadecda91acf1c2ce24aa71b85d10fd97adfb

SHA512
927f9a7c876b95440e050b17a67829b7f8d01decbc766345d5800016097d192dc281ad4813a752aebd16ff477e520b8b35d0bffd530b28977c5fe5b32ab0a71c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
c61cc53a016f152754bef79e67ee42fc

SHA1
6f83df52f573929890b5d8a45ad44f1394a3293c

SHA256
c53c772491abc6cef4eadd505e4d109200cf722cfad0dc2570e28432abfae1d7

SHA512
c3a433a412f79944ae38a93bd340370e973289bb7058b1985f98b7b55359ff7b7a5e9ff76ade996504cf542e720c1911ee8a2ee53a66190fd5778de4046ea3be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
e9bdec6e9dc000cb19298e5122461c19

SHA1
18da77daea3d47a3d8558d87455b8a7669647cb7

SHA256
4924a695cfcbdc13f1f6d0925f5da3acd68432ceaa2f8861d832129028d6980b

SHA512
8e63b7760b7b08513cd44b1e2307606868abfe5f1d6a5d3271ce1b7bf9f135fd096daf314ddfca130cf7a2c37e40743155bccd6ec697696a160684d71472df16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
eb802450a284fe1f6e043cf3c183541a

SHA1
6914c672532432553bb6ea0f5b3a974ce1743019

SHA256
0adc0dd2b0d1e4f57042dafa07e4ecc23a5954cf967dd727a00c835f07a99b1c

SHA512
60bb4aa4818228e21845354a6c0bb8112c938666780be1a96a0640ca72d0eca7c1b7bbf94c3175d10ef213ed2f6fc220652ad3faf433c0a52d23438ffeba3ccd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
da93149bd5f1f62cd83b4bddbe269410

SHA1
75ce671bc2dc01e3dddcec310d1d9baa68ec7aee

SHA256
cef698c5a7adc580fbedbf4cede5eedaedd21d695758702cd445cfb3f4525341

SHA512
c4bcbea42bdc69e97719dd6910a7c1059a033ebdc7b5227b30e600788963748531d2c741cebb91c0a61f7a75b0585fe95cf3633e4e3766fed26359cc02dda94e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
c1688c1ac4851eacdfa2ecb30ff2bcf1

SHA1
43ecc45c28a12b3b8fbfaa0597bff48e843fdec9

SHA256
6dddde38358b9e5caf6e69864c8f07469c035fd89259944181975b8a8f02f622

SHA512
9e53c0aa9f2c52325990af4a846d99e162ad6efddd2909e8d443d77ec0608be10f930c998e6030bdae3925ea3cf131b1b9959a4e02d8e6f3dcecbc963899da4e

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
846KB

MD5
f04036e85017a672237193565c3ffbe1

SHA1
170a1ffefc3c6d2f63cef17589783c056786b1b7

SHA256
b9c35965425f591e37613ece53e0b253517c006ab9a200ab0e87334e5be21cf5

SHA512
f7bb461627fbae53e941c339a32d5b73fa7fa087b0a386aedeb33b419f617a9d6065ad35b2eeeddae65a4aff465beba7c7b2bd7440de6e59986cf6b02603ae51

Download Submit
C:\Windows\SysWOW64\notepad.exe.exe
Filesize
1009KB

MD5
02f796e8a44bf6ed2a5c075a5ed359ff

SHA1
a4346c6474db9cd781cba8756436154555dc8b23

SHA256
ddacd3d4ad5eb1dc745892d334f7c498916bc48545b99f440363d8d198173cab

SHA512
bd1d0403277425a2d4d2251ebd3b03c67200fda91aeb98682813781cab4e40bd2e61e8e5167a70044aa5e467da5f415ed8ce43076085ca846f021a00bfb4baeb

Download Submit
F:\AUTORUN.INF
Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
memory/184-24-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/184-0-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/184-1-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/1332-121-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1332-77-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1332-212-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1332-142-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1332-16-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1332-17-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/1332-150-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1332-202-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1332-109-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1332-132-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1332-162-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1332-192-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1332-100-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1332-83-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1332-172-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1332-182-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1332-90-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/1332-89-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2412-181-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2412-99-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2412-88-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2412-187-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2412-171-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2412-108-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2412-82-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/2412-161-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2412-76-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2412-201-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2412-120-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2412-147-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2412-131-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2412-7-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/2412-211-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2412-141-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2412-6-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download