7296cc207ff20f5a007347123e5cb25613357d1f6ad9dbcad6afc4eeaaf0180f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
Size

1.1MB
MD5

0080f4f876df137ae6a99b4010f8263c
SHA1

f6e1ec9bd526ab29aee0c6eeaad0c81e17c57dc4
SHA256

7296cc207ff20f5a007347123e5cb25613357d1f6ad9dbcad6afc4eeaaf0180f
SHA512

77b85827d1d5cdc0d4e6cec4384a7c3402ba8d332d668b12e3dc2be3ac0a3286893e33355b98f96e765810d3e79db04a7b0910579d2971887177cd1688a10eb5
SSDEEP

24576:FEtl9mRda1bwSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJO:+Es1RMRd

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exeHelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

Processes:

0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

3664 HelpMe.exe

pid	process
3664	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

HelpMe.exe0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\K:	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
File opened (read-only)	\??\R:	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
File opened (read-only)	\??\S:	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
File opened (read-only)	\??\U:	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
File opened (read-only)	\??\V:	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
File opened (read-only)	\??\Z:	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\A:	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
File opened (read-only)	\??\I:	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
File opened (read-only)	\??\T:	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
File opened (read-only)	\??\W:	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\B:	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
File opened (read-only)	\??\P:	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\J:	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
File opened (read-only)	\??\M:	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
File opened (read-only)	\??\Q:	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\E:	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
File opened (read-only)	\??\H:	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
File opened (read-only)	\??\L:	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\G:	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
File opened (read-only)	\??\O:	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
File opened (read-only)	\??\Y:	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\N:	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
File opened (read-only)	\??\X:	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
File opened (read-only)	\??\Z:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File opened for modification	C:\AUTORUN.INF	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

Processes:

HelpMe.exe0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\notepad.exe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 1 IoCs

Processes:

HelpMe.exe

description ioc process

File created C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe HelpMe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

HelpMe.exe

pid process

3664 HelpMe.exe
3664 HelpMe.exe

description	ioc	process
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	HelpMe.exe

pid	process
3664	HelpMe.exe
3664	HelpMe.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe

description	pid	process	target process
PID 3908 wrote to memory of 3664	3908	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe	HelpMe.exe
PID 3908 wrote to memory of 3664	3908	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe	HelpMe.exe
PID 3908 wrote to memory of 3664	3908	0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0080f4f876df137ae6a99b4010f8263c_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1132431369-515282257-1998160155-1000\desktop.ini.exe

Filesize
1.1MB

MD5
ef9049ff78cc8c9894e3a3d734791e4e

SHA1
6060e2a528b280c33bcbd56e818778f901047d71

SHA256
b7adae2511c73c73e00eba740e8f7cb34585a33025935f3fcf2b44ae6a4bf2c9

SHA512
f30ea4c534ac618c660a10636fec2a5d87a7d59dfb11195296912b8680a1ceb528a2ed42f8ffcebf674b1c8ff5490e39e17183c70c16ebe0445847783424abd9

Download Submit
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

Filesize
1.7MB

MD5
f3cbde346c30b6d63855635c06e69947

SHA1
22ef3b1a864dbed710a927fff3f97d1fa2384ca8

SHA256
5976706f816259420545a265cf2b2a88d9f2913bf089143b8d9a510702ea84e3

SHA512
014a95dea91ceb6e2e9178dae762837704e6ce615abc9453418af3592fdb39de166230cbd54b5a599a10832d2d031d41a22e9e164df83c1dc482460ce99e4217

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e04201e250f321b8077c3a261194238b

SHA1
a0eb131e11493d20b7d757a3695d33eba2a2c636

SHA256
2d23633328293f73ef4356c7947563343473bbc3af061bcc20632894abacb66c

SHA512
534644766311019a034d3cdd18115bf6255765ee05b77ba005bcd04f2030f662dc1e678c192fc55557114187debabd27bd1c795fe4ec5be02783a32f14c5c515

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
6104a7c42d20c6ae8b069c7f6d801268

SHA1
855007c8ed87021316cceb6479969cba8775581c

SHA256
cba6fc41d230c4f961713c35b4bf8901615ea191611d91f9e7080ef161e402c0

SHA512
4224d698a025a25234747ba39a8d1d92555c6029bf4c58b2889d6abed39a33cf6d8787f25beba61dae34ae4ebe296cdffe458d86f2b424fac972407b8a188402

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5f65b52b8ef4fd7c34223f861b48231e

SHA1
18a567067313138fd971300729db563d02995801

SHA256
e8122ba4e229a229edccf5d0a02b006160d8805963adbb7a6c5ae717bc251d43

SHA512
2d306598365ead9d6c14d16d39c9488c8aa3194394c5b5c8750cc10e47b87b20b0377696ffa13c466f0b265a9b4eb8a201cd6ad4fe74d0c6ea9baecdf9a8c25b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
3988e36bf37f0ee4c1eec2cd8ab3a71c

SHA1
7251f80074cbc6ffa75c63a44bfde7afd4604a75

SHA256
9abfacf0b31501b962bcb2d65e938eb1ae052de287ada4076451afa9a4faa1ef

SHA512
e618d0bf6c77c267639afcc1743e6c5964b5f56eba85910f7cfa9c7a27dfbc0a6a63591e3ae2bf9fd88022244ca2b3678af0caa0c2853655b4071fdb7c05330e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
22542df1d8e3d021d4ba13e8b314bd79

SHA1
02b627105c8f3d17d52733b538d7e4ba64fee8fe

SHA256
a6917e941d9367ffc21e8f0603189a2e0c9b6765bb554bc48ea87b86ba45f216

SHA512
071eba36e9ef7658c7295c3b87fef2df86fa45475a56a34a2a577addd3c417340651a4b5f6daaff9412f3199de7a697dd979e1ec2b522f74b9b0a80c5a4106ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
3ab727e7d89ce79fff6f32af0db6a3ae

SHA1
b1ddfc7e738dc0b73b75a5c0fb1f65a59ce61d3d

SHA256
a2c44892f64191bebc384209e60b642410291466ee624e3a0a1c5b37fc96518a

SHA512
d07c1715e998c361c01d8495b65714bf25a3d152257eff6942f302101fd16af1361f14dcc2e5c6e7244e55f0f514a8f7bc6eeaafdcf438e47c7a54143fc53f7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8a703720a40f00a2243e694016238344

SHA1
a4d9550d876b105b331f6078850b6805f80309ce

SHA256
40996c405513a00041005eda9ff0acb5101c97a4e758e6634761906d9a3cfd91

SHA512
fe11c8601380b098cb503dc727c87c0618b6ee572c30121dfec290bd10baf4badc7983f67f8625a6ebc223198041315ae31110955eec6f96356a2e68401216d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d238d4296fb754b94c305a2321ae7a5b

SHA1
5215421c514a362c18a33598a8a2845f2b7c46c2

SHA256
ed8ddcd573c39a10460174557f322adfb284db77cf7147570fff5a1ed959941e

SHA512
19bf7a0e135aa9584d83403922364c24ab2c4785cecfb1a68792d1ee5cfc5f1935839220fcf2a2e0fea3bfbc1139283d3123cb9f83210ae706dd624cb71fa74a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
45302580b7b0e1a26daadb45a57da55d

SHA1
ff913904fd9d2f3d09923d6e4bf577f903468198

SHA256
f50e359041c9eb6f8f5b558c71bf8c7810c95006f24e30c75512d10fcc04371c

SHA512
04f3d80452d7909a39cc7aabba75df9b568df04f5f0b829bf17ce105e8be2beff34e04b96d37ac65fb45238abff55f22cf76378ad4b2031f3721213cdc1bdfa2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
54ebc7d27984ab43d7bdccaadda6b407

SHA1
e04f6fb1307574182a34a23f5a1e018e159b317b

SHA256
e48c935eab4ec47ddec8fbc6ac21f8e128a00f6c0a40c8a977ee576d9f8352f7

SHA512
516573f8ae9266a99b2a35d4fa27ee9c2b4c10d56c0837cc5751a4763339cadbc646755f0c1b6df0a7c9d9f2d9694ecbd7d80192d168481df70911d9e9e33753

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
add601da5c8a0513064ba219b25f9a96

SHA1
0ea5ac7ff15f44732da29d1150d5a36b39595f1c

SHA256
758df51b1380b759af62e6018e3ebcd142a84798e3f3c5a5fc1cb3a842d81e2e

SHA512
57374cc21e8284582094dde7258fa98b2981f87b086f022752d98d87219e000e6deb4ef16296837473766a8d976ab76a5219ca04b24870cb75c49f2b02e74b97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
bf794906f324cc2d396eab0858baaae7

SHA1
2a9b4cef404e2b65048916552e90db3162ad7a4d

SHA256
822d0c1d866ba936b09896eb485c4b1c7de199307830d74df3babb13348f6bd7

SHA512
9d2fd270fbbfeffb28ffd7bce0d3e612ad898ff865979b396a251d76e0ce1995f8fb43063bb7d2eabf2834b37df175bceecb0c2dbdb41822a0328d52b8d45193

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e73a2d55c8bbe882f8e5be3c82cc7438

SHA1
9c5b5f1d1b328bcc63c53715aea14d4bc8dbcd4a

SHA256
3f3402561eb7cdf2f95e6c16da62d41cf32a10da1a1752fc50eaeba2c9f931b1

SHA512
10516f9d8137850a1f4e0d9ed276dd54dbd4bf46f534aaacaf14c8fcb2c1e0bdbb1abd91a1b9b98d38865e0bb91f1a7318dd71a109b1b69fec1eb94fecbb1ca4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
1a3e4f62ee3edaa2dd335b5d8abe402c

SHA1
8ce1ab50dc9056b35cea2897c7e5eb29e22edc1c

SHA256
154e13b79db2887113e12943592d23c3cc990d937c76495e8e4db3b007772932

SHA512
75c87af6e11a3acf129db6cdd5b7f2a98d76c860158bcc884e2d70140730f32b4711220dbe9c9518a207b7944ba23b45061b912acf3a86e905d1980d0bfa8658

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fb4d980dd7f38e4edf7d7718869e1e5e

SHA1
a6c1173076f637680713a4a56e5e86fd9c6bf043

SHA256
6d31f5fa5caace0d2d8bfeac3b67489354e934843fc68a2168818530c309b600

SHA512
b25a28109317e9760e504a1437c5bf2f2d5ddd7c1906bba19ba956cad9f712d983f3610f1079193e6722fd0bd395bbbfc3356a7bd44e936b77f3b30283b04175

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
ca15017cadea8bcbd88c0315bed30fe3

SHA1
bac5261a4cdea8fec13648a7eca4122881ab902c

SHA256
72bfd5fdceb5e4a947fdb40752df468d89e71fe6409599fb61cbb7ccf69719c9

SHA512
aed2d01113403bcc9425d3bd8b1ba5b28436331b8ad768adbd0d80658821f80c3563174ae86533ef96a584063f018cbc13967c6812270e138d32bea1814b63dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
67270a23e91bf0cf3ac96ddf3d637cf5

SHA1
40bbd50aecc143cdc1e268cf8b0ec096a60979be

SHA256
8ea5574178fd8a26fefc36da41dd13f5a2c192dc6c3dacf8583ccdc742f51970

SHA512
a40965c48fa91827e136994bd024dfc2dc1762350812fc603a9f50fc96ece8af594238f6b2b6a546374c299fc6e66c88455e8919711ea4dddc63a7eca81ce54c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
0eb538fc845579fd5989f6f94b48a06d

SHA1
f8f73c751e293f7ece4418ba45069708cf9077b4

SHA256
9596092a7dac2577d6b79b44b84997a089a802b212bedb6e89fb1c1c5d486c36

SHA512
4ea46b9ac3dac6ec880b1c636faa42378dadc55df764189aca130ba0537ce60c13c554d424475853521a55725b2dea638086fb8a8ce11d2568c6cc71a4b5b0e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b6a1e3251e45296f887fccbef16af68c

SHA1
a555974a1907e6b7726eaefc3456f42cbe9d7187

SHA256
f06c001a9438995a1afaf8b12096b884a1c3f21526176b1986747ec154c1eeb9

SHA512
54afa4e938923e53a4c0e76f9953406283b632c1902fcc57b1c83a4150eca3520331051ccd0a830832481556ed4340cb59ee3cfe4280dcabb0e9d5b922fe6f09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
5679e916d341e697438f4b9a3d34c33a

SHA1
e498c9f7e4b98beb125ec41b75d4dc84b9dbbbb4

SHA256
a3b2539c526893b70a64538f80565ba5b49a5fcddf2526e5c6e530c585c9be60

SHA512
830c0ce2801660220c27b808930e878582947608a82e8135ff347b201e4f46205e72e37bd0070919824852e25803dcefebe172022e53bdb3a01d9b942ccbad77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
bb91d48cd8d1f7ba77e225ea2383fdc9

SHA1
1b19c93b3fdbef8a0be8783226465271dac0eb8e

SHA256
cdc6297fefc3434fd599ce2635b0b6cc877cc42efc42efd080023fcf65bdac11

SHA512
5a8d9446438e6763e7f4bebaa32c468ae5f6503347178c7c93b69d33e4cf7351267949a823acd5c8201564c3b7d3c0947d5cd61b22ae4f845b1076dc5d3b0018

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d9d5d9106b6fe6fcc430d6ead5af03be

SHA1
715a034f6b34a94c4d0bac00ee563d3087c43033

SHA256
81c734f90ed3e17f72ae1370f73342aa604f41d98faab64003f82bfd8d1db338

SHA512
f361d2a8ee1e4473b1123595669f8f89a32161fdb9551bac9f5888351ab1eceb4979f5b6065fab97aa51d1cef794bf6f89a893dd24cc19f2c672660d26abd96f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
020f550ff2f9a067d9bc83cfd5fb48fa

SHA1
1e871e460d8c2fee320b2b402f622b96c0135178

SHA256
5e1eeee8601163fe30277e747b25e3d9849d602e79c2edbcd3ecc4d60e67c570

SHA512
f50588112f57e0394aa239db67bd7f4184422f79df92fb00663751cb45791d3b10acad9c63ba6445b9c3f3cb13d6d57d4d12d613626c1d7d7e379a40fbc5f714

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
45024a0634956c84a926cbb4d5d84cbc

SHA1
11cf6396ac1445b53c3e332154a42907910d7196

SHA256
1a8dec1ce9e477a6ef975dee41b1bbdaae7ad6489d5147dc3563597de3a3a7ce

SHA512
ffb548d32f591391b5390f4187c6534e18d859901d3b00c87046587cb683273e1d6fe04265f135beb43340934cf260e678912e947651a02c0c55fb0ee3013295

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e7607ce99387abf3eba9d0ea5a1e9480

SHA1
fd0b8ac90b021287d0feaaab405b2139ddcb4240

SHA256
ddc2de2073338044c7bf0aee8cb9db5ba317d5f359322291ff4f5ad946afb62e

SHA512
dbd5e496b9e65d2a2874a3a2f269d63aa4d4dec76b0aef6c4563eabcf565fb4be4f8ffd57e058125da8883d72899221248c0693755bc8f2f67a57bcede2c3ff1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
533d45e616976f3a7a8aa41f985a3bc5

SHA1
d40f36b3823eca670bf227e52d85160b12f9f590

SHA256
63929b61ed628695479fd0dec67087fb13a816f0b94025eacc468f2a742a4576

SHA512
7b12a206f394290a7c5313aefea79ab5f07413ad77d086e8ede97ba8f9593529f646f29fd85dff8a4cd0178b5aa83514377be66bed0992a01b889c9186541218

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d29d0d104f55c1a8fef34b2cca7c1107

SHA1
8c7495b2b26ca82f0a95f440f2e04ae24cb201c8

SHA256
d12def37769d1ed5743d3556d57ed694ff252ffb454d5ef0ea932b3b1e3273e2

SHA512
bec3ffad2e01beac7cac32492fcf490b3ed96fa69c9948a3d47de30024523dd73a5a7d6a4347590dff3cb6982c08aa47a5c7a5f779560ede80c155fe262a8598

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
717c5cd94d4a0042509fb40a81bb7a21

SHA1
8284cf4bebe27de6c69e8a9028fdf13d9deeac5a

SHA256
6ec2a8422f4463c2d5119d2fa19fe57076e4bb5874be03a010ce4b383472a54f

SHA512
c8144a76f29c7524da197e36d0c1b09103d50a04b022551062af37c580f7d2c378f1d92b9261686dc15a44e7585ef5338d9a00a1a5fb4907f0768dd4b4822b2e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
58338b7c3b1a730e2b2f09d3f784d4f9

SHA1
53aa624e6fbcffedc94908b82f03d24faa4c8024

SHA256
2da5dd32c1cde51f926ecc9d59e2ec4d77be705a9abd5ca6b1b50da3112a3488

SHA512
2a768d1e20fc6940aec4e00df782045bada0fd121db588ca1cf7e5d623f2e38105e3d006c7fa0707a8d623608bad979683a00320bec6cb31c6a59c2222eecd58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
38ea68e34cf799a738b82c890f1fcdff

SHA1
a09f537eb320ede73827cf6262dca2667bca45ac

SHA256
47bc15ad21afa7a5fd2304e2f6d6fb81551a562c6e5e0195e11f770600162517

SHA512
630ba15bf5756df37971e3b40013bfe22cb457c2d1f339533c3a0ac6d2f21fc0c55890a7392530678529c6bc574831a56233ca1a2b093ba077e63e010e2a6bc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
90a293e9c2cbd5aaa04327a17dfd8982

SHA1
2f41b8327968a53059485d4d4e50ee7b1ca6b7e8

SHA256
5e3454b0701eed31ed7ef7a3147769c51aec4ceaa127c9d1bad97a1f9431e826

SHA512
059da08ba85305b67c5569caa8ab0e3b5ef89b6ef57f354c0a9f67365fd129325a3b96996a6659d40872c5bd57477540e136a4eeb13b4809deedfa53a4c9cef9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
51a81ebb79e0cbd8dfec94e06427f393

SHA1
b52082fbd46aac28004fce934d1ea939e6b5f307

SHA256
cdca2f5ea18ee90f360485386af1e2fcb7410b533e8f3bcdeb7784f8766a5683

SHA512
60c62dd63a954f6a31293a9e88d4dfaba187c6f5365f68cfe8b7bd309eb19edaec4e0b982fdf8f61cb504bf121fe3a026c59eab7a5fa8c829aeb4536087ff1d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f41d47ef35995f1af009f4575e9733eb

SHA1
7cb0588992d3473b48ec580920f87f914a412ea2

SHA256
4c6d98c298480fc7dcfa87d454c6fda4884703c86a4de513dac27589ada3775f

SHA512
d4e496c16da7d19d022cc18a2dc88cbb093a6f661e0917ab34f123d29460c386101d60484ad16115de246fa68818711332bc24b5a1a9b8b4346856b1238c39d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
074af5623d47a3b8a012fb94fbe6f23a

SHA1
b986b5a6dcd8ed3f7d376b5a94ef46dca9fd9e59

SHA256
c9fbe42519865790f46344db6d7ee94d531c37e143a5cfca68b9c1134f117f62

SHA512
a5f0879bfdc0e4eb4acceec6211055e1167b431712e555d5acfaef96cbdc262d01b8d80f6605949fcd7f2f5e04850e3cbb7537951a07be1974ee361a3e27a225

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5332b637d2335e6ce05befc7ef3b55a9

SHA1
1d46a4da321ece6518a12611ffaf3bb5a45b02a9

SHA256
dcf4cc36c62b2daeb0c86c34fd466341274c4b603096db292f8e61e6cff67054

SHA512
3254ee92a14918429edc43ca8d777dee8c76bf74c145a85aa9b5323d3fe3f19774bae4163fdb53743db87a848f68a8119ec48a4331f87f71f0ac0044177ab6ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
58d797630181b62f518e122f4c4cbbd3

SHA1
95ff125059cc45e9c41c863beeda7acf2e33cc3e

SHA256
1e857044550222e79de131b69fcd977321afb9578e34f4c6877bdacbb829aa4a

SHA512
b6fd3a004727a4f6450b05a72482c2175dee2a1e3458bbbf715803274c86c3fbad0421220df9d9478c05c140c4eba05063add83201f19bb01d3c4c5b4c0bf660

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d0c88ac99c9cd260eb9de6e47cfb4cc9

SHA1
b88b9648518c35788a364c2efc14f6add68729ef

SHA256
864b662fc37f1255e63c20697b92b7b9670c9c17efed141e3ec074f7f1e36305

SHA512
e40d50ef07c0ef1d866eecb259822c9498283c180fe44a3b77c78a2266246c08c0829d5a321b6f0a2edd7cda2519325f2e31a5d82c7fd25a11b751d8f62d0b44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
32d51cddcc6a0f7507b0659b29f383b4

SHA1
79b424a802785c5c0145e0c00fe4e119abc73adc

SHA256
a654e3d36f353b7bc62532daff76b613c411bc6525dfa75aa1c7d397070a916e

SHA512
c225142a673661d9b0450a3ee182e192fd1e0cb89d64ce16cbe65e009f085dd9de5114c1985fc9d7e219b1994762aed6c82845732567ab63155574d49612ecd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69b1b37b6b8284036e4f30255bb5086d

SHA1
2eb22296d782cd4f9947bf021148a953e6afff81

SHA256
99134eb64052fbc74dffd95ee244e34a54a0ca6ebfa2723a006ff952e5c43c8b

SHA512
4ae045ddcd427cecee1191b4b26e809e2726226495f30a3c89c529b60d82fa25065c1681bd27261077f2e67a8d540e10f538609eeec35d582108149a5f897785

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
c84099972507e3666fa8e237cd6aa998

SHA1
05bacfb2542467b5456982c93a4d5abed4a15a1d

SHA256
6e74dbb1cf477980f917884f9ec76f443b6fc64e95171e7304b3456f3ed04627

SHA512
fe0c0b7e1fa8a477fa5557817f2e4352a07d82ff235857f17db69358655517e5ca89cbb7de7988997b3b30045e127f6a5d98159a28171ad9fa18731355733863

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
eb58df39441b267b89e8e2bd60ed88ea

SHA1
7bee6a0fd751c0b7ea76accfb448fd18e12bb591

SHA256
3d5f257d16933e48138989d07fb86e3cdfc6b60f1e478fc17da453bc6398a95d

SHA512
00ddf0744a1d482a1578b86ca7ec1f1747a140ab91edb1cf2d7df63473e1494a52aa86f0a18b1ab7b0a190a0ba40e618e5e9e4875f673b9667a834f8d72c0aea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
7c9f71ab68cd66bd583cc6e5d7a8dced

SHA1
4f3b533be65da48ee4330ef89c1db5a3f17e3160

SHA256
25843a811e90c76b4d0aaf36f3fd72bc7759d463132638857d563ce82eda4340

SHA512
e56efebc9442418887bad0d08146ed6e917d26ed9503d2672e710abdb32c685dbdaa7f55e3d53d0415dd7dcfc0c85977cef7979bc26eeb8f42660c99091d5264

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
51b59d0e432c37321a44517210d491e1

SHA1
11a26122d895d389ace24864d410184f97fb9401

SHA256
a5b0b5fb4ce8e4dd4a179252e36f73992012382a4f822abe76a4fb7572bc83f7

SHA512
2428c4ab4cdab037d5f45a5d994877ac31821c981210a52f7c5f85c913242f700348080a217214beae6cdf1cdfcb02f9445057492176ee3c10618b5e5e0c32e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
18397ee03a0738b2539fa64d18847cd1

SHA1
93ee9be17b202093bff86fdf8ef3ad23ccc28919

SHA256
1211d2dba3ffad967c309b8d35d0381f2840e30531f6e377e00eb93a73017da9

SHA512
a47b1fddc5181d2bbfeb3e35bdde1fec5a466ce9f45a3f31210bbee66fe323f78f752edb8174420eaf381bfddbd278c79dc511dbe9c3c2025423774f30d18110

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fd542e60f18e1bb8ebd840de98eb4974

SHA1
6f1d8a9b395dd844e050457c17cd8a2ad392bbb3

SHA256
163da845ef7b7a0355f86d7e1cf5831200177e0467d4c424024d67e0a4be608e

SHA512
09ad0c41cc9addaacb81aa273ce365c4383474a1ad1813009726ac25d523c1ee73570130549cca3cdfe98942b46ea64eb5f99647e4ceaecb1ebe486a432b0d15

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
0f63d171f0e0ba15793a0b091a2e9c0b

SHA1
f529be964a34afa60d5b6499d6479f70aa15485d

SHA256
593cc3896572e0b898ca9c1574665b40ceb04f3fbad35ba8b3bc9aa7dde5de39

SHA512
30c0c105523eccec9a5e11548422b7e9787e2208633c4fc55dcbac1710530e4f08f3b9bae03b6f839381e98cb94419bf03afb9364db3820da3ae933665e2ebe0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0d6d7f969e0c11508626fd0835565ebe

SHA1
3702719eba612182f8dda2b395677f0c48289202

SHA256
731e138eff46e2f28b01e373b05ca15f9bffba4be96c77cd4eb42762921ea3aa

SHA512
9822b57b8137afa369e126abe1a4bbfd30a4eb76e445fb6c0cb3df625af9ce265932d1bca0f0b0c044388e80ad2608d7dcd0af66866a73edf368a5ccc2d03148

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
adb3b3fbae56804ea159449743091424

SHA1
ff3dfbeebcd7e818ec40ed974e9f11d7c3427552

SHA256
6f0b2d9926204566c8af58ce3111aada6a34c97ae48e711d48511c9c1b36465f

SHA512
865ce177540c8ed99acd4d89ffe74dd0d0cff5be3a1fc3c8932f9c7e9eb913e0e304d7b5949ee52a97078fd92fa91c9e20da8458827d9ce9410f02aa80f2a86e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
675c49ef3cfc60c252edb899a4b4c8d3

SHA1
3cb8e61f3f75097d2f3cc54cd19f612ce097fc09

SHA256
1d01a6a88db3e2a7900eae7e5199c5852267ba4aad0f0c390f0a6fd9d1c31ed7

SHA512
6a637d06e1e5b6101657e979d218009a1306bd053e475b934d67abf83c22cf7dc86a34da92072b13191d785fb69ebcd756578dc4a96fc9f2721be175331e843f

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
890KB

MD5
35cb4a40f6a3c75f466029394197b95d

SHA1
d61072794af434389db055e82118a97f9b9a2c10

SHA256
fce4719478a81df82bcefe1b18423bce81729b44bfe90d5075f291a00ccc1904

SHA512
7eedafdc4b72da92e943beefc3123e66d55a577c879a6521df254313a8a50ee238ae82e5f9d233c948438dffee3655ec9aa6ace21a7311226d18ccbf21785dfd

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
1.1MB

MD5
0080f4f876df137ae6a99b4010f8263c

SHA1
f6e1ec9bd526ab29aee0c6eeaad0c81e17c57dc4

SHA256
7296cc207ff20f5a007347123e5cb25613357d1f6ad9dbcad6afc4eeaaf0180f

SHA512
77b85827d1d5cdc0d4e6cec4384a7c3402ba8d332d668b12e3dc2be3ac0a3286893e33355b98f96e765810d3e79db04a7b0910579d2971887177cd1688a10eb5

Download Submit
memory/3664-64-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3664-9-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/3664-6-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3908-0-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3908-59-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3908-2-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download