f50222f85e3622c4417e8d2c487e6515d1ec20dfd5ba5a5a659ae506641ad806

Analysis

max time kernel
145s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
Size

1.1MB
MD5

3c129117296a56976bcd73a8dd0f7674
SHA1

ce14bae42e0063c032e33c4ffd56c8d7b71d23ba
SHA256

f50222f85e3622c4417e8d2c487e6515d1ec20dfd5ba5a5a659ae506641ad806
SHA512

07fb0fde8718fc19985a45b0c53e696c0464e2be3a540d55348d864c0db121c1723d6ef6b71b4b7b8e08cfb55ab01a1875f9f21e0f331e47a7fa3e23be7ae364
SSDEEP

24576:KEtl9mRda1lSMMMpXS0hN0V0HoSTSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAj:BEs14Fwi0L0qlGX

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
320	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\B:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\E:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\H:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\Z:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\K:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\M:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\N:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\U:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\V:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\Y:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\P:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\Q:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\T:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\I:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\J:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\L:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\G:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\R:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\A:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\O:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\W:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\X:	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened for modification	C:\AUTORUN.INF	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notepad.exe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
320	HelpMe.exe
320	HelpMe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 320	1664	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe	82
PID 1664 wrote to memory of 320	1664	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe	82
PID 1664 wrote to memory of 320	1664	3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3c129117296a56976bcd73a8dd0f7674_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.exe

Filesize
1.1MB

MD5
34cb7694c7727e5357e06ab48d2345ed

SHA1
f021ed6b32f92f3637c00f2489be022bc2d56c3e

SHA256
1330407023bc754da40855b39184a7dcfeef1bfe1538ab6fce49d40dfba521db

SHA512
e64948866aa73af30a425a02926d2b0f49ebff06614808a4ecdac6427860e60511e3dd3684daabb7ab50b2a19f0fd4cac5a660d10be7e3d21d12b4c25355c52a

Download Submit
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

Filesize
1.9MB

MD5
f39d9b9a74268380c59a7cf8272d972f

SHA1
512db1619d6e02f30f50f69277ccdae9f6e05bed

SHA256
90bc43463892190a528f08045e5f77ecac02f337444b9db296c1878836ea9686

SHA512
0071e8467b47f72ff49ef91dac191a05cc78e56c5a3bc75b3848f8bd85885a57bef38fd7e2093014c0532039dcecb1607aa920e9289830ba84e3156890d87ad0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
dda74054b511292451a67b8ecc6cb2a1

SHA1
bedf11ccf44eac53360c5e1f3d641ae1e79256af

SHA256
35aa8e3c0f4c373051b411bf7d1e12fdfba794e12fc8d12971eb8faf4b70a358

SHA512
e623437cd573304f1f4ef9a2193c1284b83f986bdafe8a8472e0b0eeb1540a39398208397b9bb0819b435a172b5688ca3fc75b89b7b00c61f8bbcc597866cfc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
dcdb7924ab809e39af0dcbd236539311

SHA1
cc0a5d9e7511f5c570916eaef9d2f8bd0888c030

SHA256
576ac4cdf196f9507e0911a314c28a9ca988c1c9b16f9d6fa291d1fc0f19dd30

SHA512
7d27df0a3b38529a1d58e1b4a746dd2e8832409348797840776d6665f28df4d7ecfb53c9aa962908cb9d54b5b4c2de2c3bd7f16418bff1ac2f066b9ba6cd7fb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
eabac09a548faad57d777736ccf34664

SHA1
b16682fed8682fb1fc1ec7d77622aa0c568e792d

SHA256
a15ab335a5b9c5e0235a383a7fe6e28d4353a2743463eb832633ffd35f0e4611

SHA512
f3ee4e03158beb1accb4b420b64cce423bacde8e80bcebf9374225a19ebb895cf91c16ccff1efb4f71855935b317ec3d950685f69e5ada315a9241ad358faef6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5c4e50a576a00fff5be2493c848f4b94

SHA1
5cded2d871091fa128e76d565ec44827317c92f5

SHA256
4caa960752506e38397af528a42028778c5bfd4bda25a3cc286e1e405072cd96

SHA512
64e9dc25af58f6447d7c8f68a72b28b72336a7b89e719514fb3ad7be49a03688d54c8716b157f2d00c0672235502bf5128dab3f62666ad406d79c2d34de0d3f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
e64add739834eada51a043407da09eb3

SHA1
7c8a5cc494787183788676a2a28758cfe0faab0e

SHA256
636229d43751238c10ed8ee48abb767eb6a235ab491f58c32a1e70dc8dd1aea1

SHA512
6f760bbbf2fa0c61fe61fc9e8c770043de14392090f430aaa8cf44c385ed6ab8219d72c68672a87d557595db6e1245fada38c85d267b40535272c3e7ace1aea6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f6d3b6c78abceba5795b1ddca6c760c9

SHA1
82831df2e9aacfa7b286966d5d0c6d961e3ef0f6

SHA256
b51e0208ca3b90e452cd970d79164a89bc38d8909ff8bf358c6aac8a1ed39557

SHA512
8056274c7bc13dea9c8dd2250c1abf229d66efaf432d11f40dda36e4b8a0114e607ad0a410fd92ef094c96f8ec1cb37a3c6cd319a0f152b1ea82a559efdba8b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
71e2bd39375c41aee4f0009d328380d0

SHA1
13596ec6b73d119161ecd57becb797a055afe1e1

SHA256
a8c4cdbb0739833a0ad20baf23727a0c18a96e4903f8e553491e5964976c6ab3

SHA512
25a721de3a29d023805d041aebca70b8cf95b4dcf832f6bbcb6a625743258e50dd295f201162f10aadc9d54c5605364d82e33c9fc5457aba4159da51cf49f619

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1f53f2587f577ab5195ab63fbb9b5231

SHA1
868500e64ac09589f77d85df41040a2810b5fd97

SHA256
f83b3f95803b5cc5143ed2659fda8ecd4c1f49e3f3f0e4ddc6d73317eea85998

SHA512
37eb799ed26a66eb49434af1db947c0b9da8a080ed7043a4fadb84c2673b958dde7030c351b0c08b653dfb7f5e3da07ba8fa661dd1c67133d5d26d2ed1eaa472

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
2a3b7cabd7fe56c39340eacc71aa331f

SHA1
653981bf1ce81eb3537ea09bb4e1aeeb25f104c9

SHA256
3f4444923d52e650f0bacf697e692f61c159bd299689c26cd884a9212266c850

SHA512
7c07fcf78a4f69eea2a75a74cd9c1843be112a7ceba7d69604d210c881183eeb8b3de66076634e4c5d83b94570e4eb4a4558afa487ddc5906e889495cbdb9cf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
16f3aa0e214139e5f5f6396e93f5e69c

SHA1
10da78acb0cbd03f2bee5ae36d879e2affe26898

SHA256
31cdc823b4cb713f8061f8a97a4c372a974f83463cc63e6796f5ab881c5b699c

SHA512
2664a69e2086d931cc1201a318a89495e1ced477403b78645ca924b2959c880fd34fa28e13fbc7b72a6ed3a16cc857a4e6eb729f374c4775b33cb32fad7b3548

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
513284af85dffd1233d1574c5a5aeeb2

SHA1
17fd67097ecd31e42a9ad21b4fb87da2cbf1816d

SHA256
978b4aefbd9fc657a332a20f573a278ec7506f49d37cd20b8c2c1941bd241907

SHA512
bc1a4f648d503f585465dd88c22547b382c10903d881ab8eb5cbf7ea43e1df19b4b996ac32c2bbe09d0ab8dca345e7523e21ae3dc6b34ce20ba77b10b242b775

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a0ffb742784e5131ed74c566dc6996df

SHA1
2aa1ab0109a0d4460dc7dc0381fc581c643e27f5

SHA256
0a5f504b03fffc043d2358448fae6ba0f9f9c7f33d59d663d0b3e1e4297c57ed

SHA512
dd01ebb873af9356d77066f4bdf5b247a6a2f8c1e86802786d7ffee78a0e2fa1a682b7987ad9c53091d407ce3a4f7b739de389aa11d310223d872b2a8a313ea4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
b3824fce88be848cea219d6cbbf9cc5e

SHA1
985fd06f855fd908d129d9d9d0ade531bfef6422

SHA256
506d0b9607cc96aab288e70f469400e3bd849a1dc5ee97716a9270147ea81079

SHA512
d2b0c3c0f42b2d9c31d1d5b72020a1a0a5bc12fdd1ecdcd05b00358c294fb81631fbc9cbc8fb790023cce72f749f0ad3b0db746e6d644ff860f5d1ec5a2b894e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
166e8bbf7b4068430e5d7a46d51def79

SHA1
62566c7d3ba0ad39454d7535f9587428412e9c00

SHA256
47f90f954a8221d2c035901f52e68d0cd64f7f853f5e9830726c1682f7ba5516

SHA512
ed001bbc99e6496fe344a581736720254b56713b1f55f1808ab5da720825fc2731b055066888f9d1aafec1901a92804da1c353710e673e0130f03754bef1ee66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
9eeb42b1eb1dd08e61e626fb6a4eab3f

SHA1
b02e37ea8385d2de38b65afbfbc322331dea62df

SHA256
31f47355fa821306185f14e26c4c5aaa27891cc6ec70eaf0b998049565356e6d

SHA512
bea8c98150063f50ff5f4bb5c29a4cf5f9cd2ca5a98cbc6e91f5e1cb5e9468c28e1b088867c17d81bbdc0d9f9c79f8d7147fa96c7ff6dec61ebd70cb2d4060c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fc134dfebe93b27805c56ca226345fcd

SHA1
94fe2894942a617c51542caf6dd0623f7e5f1aee

SHA256
eefb013859ecb9e4c24c990dd6a5e24768f032abbf67491633698c830430ff54

SHA512
8a49df594b003acd3117a12255888bc73b2ab6f9e0a924865fbb02dcfb9f7a581e200156e319b49054337054d588bd33e08c4004bfcd64ddbb5891c403e54b1d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
4d9142d43612f6295a628f479ab7f8d0

SHA1
63e0d8959bf187c0326e01dd2fd66aa198fc5b13

SHA256
28251db37211447ae47fd96e03016d612ede244bb5fbcb63c57f427ba561cdfd

SHA512
8f57e6838316d174486eda9f20ac620f7ef20d27569caa46fef64b725bc592a32cda6269c7db96ee25765a9e2122bdab2406b7196f48915ce5ce7ec84f674aa5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4ca9c629048f5f1ca732b8061b9b3245

SHA1
b14262c072304827f5d039db982f01ccba2aa2f8

SHA256
ad7826049d75f277b56a90962c73107e1311f03366d09dfb54c14c2c9590c1c8

SHA512
f9d793872e656230491dcc6b8f28e8d8dafab8c9537ce7bb0d7c713b15e57ded4ab9b1562c68f1f8c32e85d6ca50de78d644a3e9ac53a0f7559ef33a1b4c1f3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
3f83fec7f87d3990732ebe316e192973

SHA1
5b96d9bf6ee12ff2375f3212cd7677be7e1aa911

SHA256
6c826a8a534e8fc390fc6bd9b7c4ff9e1b2c541db70677121be0f7356e72e2d1

SHA512
f069fb3112ffa2ddc0249928351357ebd6e172915d776ea8339a9328cf51fce9c266dd4ae2953ce5963efe2620fd7c48220b091a3610b8bf42c3133d56ace0a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f5f7cf54d7dd863385e7702bea0f7b06

SHA1
2a431c6586eede44ec308e356de400accfe9cd7e

SHA256
09e3968a5256f0dd40b98e2affbd80351d88af07c876f8ebf14baa0abc048c35

SHA512
2263d204a72380c028c3b3447619ffda54719cf75c02a990bb7294afa17d83f46436f204179ff8a0a28fe68f03d17c63e695626847c0d58604d3aea748f0d56d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
078e5e0b7f04b3d50d15cd21936916f3

SHA1
eacd49c812f50d3e98af0766bf0c8d0cef54da37

SHA256
66c4733e6a5e89f0abdb3004b1051269d61af5978327a0a8a7ef8f1b9fe41422

SHA512
09d30213a4db470dcccea170081cc5849d6931690682bbc546d2dfd4d25adaa256a6385d8f2147ae97b372ac9180b27b49cd6be60b3b95b3e06219c5730f04ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
60d48d766e42704f84205f09bf4005c5

SHA1
5d1d94238d9911636261be7ea7b745f944938e1e

SHA256
e142814b418f4f97ae1dfb19106d7a7231867c4434402906a3aea4dda9f42b52

SHA512
3e4ef443d7b6857df412efb9e1ed26b217cddc7071fe564307d61814e08f3431df3e761927ebf34f9fb8107de13d25b8ccfe779e9f550b13c55287233187eaf9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
7f41e5aedc8f146d08639f511dd26ff7

SHA1
29f2ea6fc88c4285f8483377357d8a4f73fe798b

SHA256
00b138dad87a59b9ae1eda930d8d2b1d8e99fc7e016fd2e6cf47c09f3b58bd29

SHA512
b5cd7d9c861d74fab08e88f0303e186d4d2bf76abac34af1685448e76b12e9256b853cb39177332f70c768d5a01f77b43dc584dbc2d52296ed7510df1829d77e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
eab77858f1af86ec4559955f4f79841e

SHA1
9792ab442dbd89f9b48f22eba2ae9319f4cd5636

SHA256
2eb2c1a14b23048ecd21699d6d1ab9aadd929762145c127fe9f6c8a60254f0ae

SHA512
4d669f82f18842d90481b35a4297d480164031f213b3488ff8ca8d869529560a863ac3ea5cef05978ad71dc9083f554e354cf93c7cde284932026b0e5bbe9114

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
b2b32433d0d7c75f958a3ed08621c0d8

SHA1
c9a136393b52e23c07cb4428541d6ca584cd652e

SHA256
a7cb57e40085b8841ebf4fe097348111a25b9be3151eacc1165bbd661e1c6aab

SHA512
52aac6bdc4107a5301e5a71b66d72cc2a8ff0b1bb4d5b0ce1df42d59de1c15dab78c1c6440e2c21df67ae500238758739dac676b5186939daae8200c081cfde4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
598ed9f6ddb0f19ee0643d32e98eb10c

SHA1
3e0436d5c6a46a942a2c021d42c5bbfa75b434d1

SHA256
ff7171e89a6ac37e7fa5f6f63f588f28b87749a260ac9d48d2feaedb1ccbec18

SHA512
4b1476f9e868727bb5638b0e8067c125df2f4388bb7f09ed4ebf5b37679e9c00b954796a52eb6a8d6a17fc8672eba1f675430e1adc64fed1d093de0c2e03818d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
59f28c0f95bfc696e786da43e3ef04d0

SHA1
9faf28f32d2e276e04f0a950e3797cc86c0fc701

SHA256
2a2efef2ae57704194d46b871fc4a2bd717f749067a4f868ef4cd5517b983482

SHA512
7f104c2b6283750bfe07856b1101a8e6bb8a924c17bb2aa60f129e822ca49f828bac85933bed728ea7f8d4f8d917222bd5c688a58d404a0e500e1775c2892793

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3a1699766291cc9b1a0ea028962a5fb3

SHA1
f76bd1d2d26b45200f7fe9b0e7e5531442db548a

SHA256
33224ba5bd8ec2cfd6b9d1e13551e2611e5ea8c10365638cb7462651d5bb4bac

SHA512
fb83a068fdf6b0aacc3ff80f9958a360cf1311281f83837e4a2f638a4b09f7c668d4e5359637537b34fc5307e163286286a4d3dfc37556dd1bde711de98e52e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
e9b2a8dc45643eda0dc93dca1ca06ac2

SHA1
8d39c30df126b1ea4405d6774e18bc484e5e2720

SHA256
b336bd608812e38cf53e93b704fc3ded69ae3837ae6539b27d925af539bd1ddd

SHA512
9e87b71f3b51acc54e51d43ea0a17c46f8ac2e678ce38fa6f92f5c0714f5a6777c4cdb53f10bca2b2e22a0f5869974921f63c1ad70328bb58ab61713101f842d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
09abb2d8a031df93d2595696ec45f42a

SHA1
8baa97ff528040ff9e0aabc193f31550148d50d3

SHA256
f9b984e00116886bd308bb4ca7fd1c823d43b3ff69c9e12685b26d63976ea93e

SHA512
891dcf742f0606b605fd138750242a4a3317cf16b0304da977aceb0dc23afed5d7c86a88360c809507252f346ecb010b9705b0f7e163d311eb811847ec10944e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
a47277998f531ab2de2a37f73773b509

SHA1
b8726cc49ee171d29b030bcd41a86919e405a85e

SHA256
c2aece730ba98e784ec0e4afe80bd37d04494f13ac15b9fcaab83c8fb0a48a35

SHA512
350aaac8fdf32b88b2589eb07f14e35fef22dbb5a5f05b8c9d8ed4895279678012cfc011f82a3ca946dbd3bd6af14b2947343c9c8d07094d18345c84ad0c9e24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
199b9f0173f5cfddc753dff83e9cc910

SHA1
da54accc960b9a9479b85f5cb62987427e2159f2

SHA256
9b9c2c7bacf572b1c69ea3acdcd6a4c822d0af120675d5c0ce38f75726d50772

SHA512
f2fb5cda5f5e8b0e783b6690ac99052c0b4b9fc25b38174a36cf9d0fa72a7aba58df75f3f11ea81d4648440407cfb9746090338789d4353ccb34caea6af5f653

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
b68d181ccadbdad1668d5842047147cc

SHA1
aae3d4fa0f33a9b300a1c0d3377fcc47d3fa97d1

SHA256
2a8739df697208f2f6694827a6ff359e34ef756d5ce3be3d3ea41cdfd8255fa3

SHA512
b98fa06814d5ca58836cfaa68316d3f6f77b2cd4414cd07e7238a826768aca715e6a1c8b7f12c2f2491e74ac778f503f2ecebf52107a6c5824106d1c70c4d7a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
2fb02217707a44b540565aa95a97f414

SHA1
5b4156f41e0ca2a5425efea94325b670a4244c07

SHA256
196baa530596c4501b701b9e3df6438a2243c6c33f0a96035758f2d467496643

SHA512
a0712698cd02bcdbb23f43dee7c101a9e6428400e84f00f7be67f084923d9b509810a85447f7e467540b54483d1dc82f586aefe0fae45d2885fe732e9d77d15a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
29170eb54c3a99a6e82dbb7b9bb40724

SHA1
da5e7d315804af60099876dad89a593d50a647a1

SHA256
de359d0e089ccd28e37ab51f2a0b109be1782fcb13002c45fff87e3745efecd8

SHA512
8a39e5fee9934d2f09110a0ec868306e9cf55d2faa97089de0992913341dde0474fe6eecddc662200516eb34966d99c0c18c63441ded48c1db84d2419786593e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
fbb73221f644020653ebc56be2242bfb

SHA1
87ebe38dab2134c66dbe7b7f375821e089cce0d7

SHA256
24856313e35f31ae93f7ded972c43244ca34fc62b1b52e510720eb7cc7466194

SHA512
7d6f4830800cf2974bc97fb45a2b68014a643b653f1932f943c77531b019bd5daf48d826e4c88af7c522ae5768610b4048ff77b3b9f0a79f4ca23c9100a391b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9f7d57dd08dd415c2f7ee26d6a384283

SHA1
feaa5967ddd51dfe9243b443e5157a44645229bd

SHA256
f29b562cdfddbfe5beb5ae2ed133ed8bd26db67607fc740899e91c9968b663de

SHA512
9a7284c63752be90543238aa33d705dcbc907f04505b7ab5837985e05df27785d249c7140df2310e257a4c2142f23a1bf91a76573ed53467d96c2211d077d439

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
d1f4f17a808975644fb3948298ed6969

SHA1
37f403b46a018e864cb9fec22c3beb128fd2abe8

SHA256
8c115acd88b4c4d67be04a5755a5cd26969bb696c3126d322344de17dff5c8e8

SHA512
754fc8d0795a61861eb838b3f046e76bdd6fb9b577db8e064b400b6a02d0f4359c4379ea0ed2ba9795d8ce8c0c3c9c6e8861015c208f214a6c66c8be2ffd6f86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2a9d640eebf252abb5fb7364eb416671

SHA1
bff56d2bcdb533b795c92305ca12643d1d3fbc97

SHA256
4eee11898478c4e3e34427a588c3a0100eefe123977826610497fc73ae4b8dfa

SHA512
9540b9a01153405f8a1d5628100b4650bb3b6f660d23c87e506712e13d1788ffee9433216a400eec4dd8fb6980411d4136e7826a808bd9b755bf3a6a7925e432

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
e170eaf3831005d9e382daebc43dcdbd

SHA1
8270be42579c5697857af1be581164911b750139

SHA256
bd1b8379eb452fcf61c98f70ed06c62a266619532c20fc57c9e6bc4ef7e3aef9

SHA512
492afbf90a735a233bbee75d86dc8f9eed7b9de0959183236d239dbaa21ae42082d9cdf708b0193154aa1f6915eb4d55b5ad0cadc655c789a33cb2812a7c7a5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e3d0e92580849b2e15e49f83098aa5cb

SHA1
0151e024ce4bd9356602467e8a73dfecead02ae3

SHA256
a1ee62a124d7cf6a75b17dde7716ec61030e82aa7ecb82ffa2ec8203c4d785e7

SHA512
eb22100611ca17e0ccc0a7dc866f5b31ba347a08f25c699de247d21a4e6903f620d7932445365cdd508e02e55d48ce4def244231c5c973aabc093888583b7e16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
c37c16972edaff18717d69a410a3d9c7

SHA1
d5ce84a071700be913c91cdfbfe14223e5003136

SHA256
46f006e58e0c75a3ef53077fdbdb80efee39d5819e8898e7fe9df012a1730505

SHA512
dbe4db8f413aa53f146cbadc8093798c8e16eb78f497fa8571e23c17452aff788bc18ec58d20ba38fdff58f5073a845276434b5156d5680f1520ce148c2f7863

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
927f26f433831e0cfcafb1180e76e0ff

SHA1
4c5b23dbd07580760f74275e2f817e5b378452d7

SHA256
c5254e6e7b7eb8e79690dbb1595140ede0cfbf6566095722cd5a179da5e1b226

SHA512
acc41aca4037629b8b932829e89af8457ec947b0778059775eb3e9830b6bf5174dd60b5caf8c248b9251156627846f1755045c62b229443de5775bba30446c26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
8e6dc78f3cee0998f20825447d46f840

SHA1
b267843a3e3070e0b295fc63e9b86122e5c0eb2e

SHA256
b9882fce543bc586bf914b40876402d66d34ceb3d9c597c27250bff7b4d17602

SHA512
fb063aebf43770dda43d025e8284533e47173b6250fe6d1ce1083f12a4a92539c0be44c17898d9c8a01d0d423cf574d919cad7304cd5fe13c0bf36c2b5aacabe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
238df7e566c80b652bc2354383945a9d

SHA1
971c7da79577dfb829ab2df01a128f49945bad2f

SHA256
01b186817866136911105fbf9c98424a65d391e2110b58c8f6b16bc10fa1636f

SHA512
d1e63c1147643602d3e62d5628391b7b8a5739503dcd9436daf78367d89301dbbb7e52737cca548cb1afbe69a7eee15d500b3adf2dc6b4f755982234ede29b0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
289e040a57751f6a00b71553b58c0904

SHA1
61e5ec03126d19e5ec4273a871ef3fc976b61b6a

SHA256
b82d4af0951688e92d4716e5f7c2b200af0742e621d9f020429aed74f267b002

SHA512
4d6a57e8178280b5e0bdb44d5dca84739fae056ce90ff6adce2faedc04cceb70b75627546736da664cbae661e3939d367aa356a0c90e485d644ddbf5374c25f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ffed1d54f58cd40e9f254cab0fcc7e53

SHA1
5463f95c42a74c4fd4fbfebbaeb3b3955e36900f

SHA256
336556d6db2c3eaf2d8c09b141bd3e8fdea0fe38c2ad80741bc8c8b281fb7c17

SHA512
0bad00d30b6d433bd63750b79b812b5e1f6fe2131dc9e6d6861503d41b08eebc2cd3cbaeffb75fcd8d7f0b679d7ac64c3d34dba89bd7d912302cad7cd8e83d51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
92763115b9027df37a0e12baee9ae79d

SHA1
de69585ab983d6218a81cb3cdd788fa632646746

SHA256
f6be6d47ef8ee38ebf092f7d4789bf91c0f9a667d31b77ac39c50e6c67a6ab93

SHA512
6c06fd2c997cf238df599bee3705b4c8059ee716d3c7ca9e2f89bad7fc294189b54888e55100d0ec1beef67f542bbb00c30499f0b0925b5a13a2eb5756c4b103

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a7153c1657fc4e94a39634e89f07a6b7

SHA1
22e497b062a9e30fda8e7ade54b15f11e53dc6d9

SHA256
89045a45e12a0bfd9f39e2a2aab1e7e23f6f3da0fd83b784be0f44ee6ad50a6e

SHA512
4b027f444d08bc478fad9837622ba5bdeb54e0d1cc36bc77d9ad9ff21babd33b1cabf132db6c4242b937b39607880031f8f50842d291cfe67449c8932ed28540

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
1f9679232ff86a76367797af7f2d06ea

SHA1
38b1286369643c07213818caa500b8bef0b6de36

SHA256
01d76c626cdd96452533b70db7238bfe7c5dc612e444ff52e7a66a4028a2a50c

SHA512
d718521f165ed730a6b937e99efb3b801c0333aac7e500ad288987887d8fea7bfb422bd00c0762f11a5664de1f0b9cc5ea7df5d3bc959d76e0a7c06c5d838277

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
db61ec1dee2d69a49f8aca07c3837288

SHA1
4159072e20828e3ae2f66c06cfbe77b1da8b9909

SHA256
e74613a778098cdfbfef64de4d1d72a8e60fb61ab2349fd2529eca7561ae475f

SHA512
4b89bc2f79673d696d8cdeed41b8131576940bb1e59777f2fb55d0379d387fb87b0fd261e51b9fe26a6fbf6d7989fc547089f082b4f8588660ae29945f762da0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
c9a0a3825cc8293cbc37d3db07d422db

SHA1
d8c18e4b32bfeb5105f73eff128a1ffb30b56aab

SHA256
9588e2bb06363f05d13aac7e25b717ff467a9d7daa0cb00b9d1d5f30d065aed4

SHA512
e61b3387c397a7d66fd8795fcd2dcc6cb9828bf38a63382301d01c655b77700fbb10a5cbfb8584a75fdc09df3930db359798e983a40ec4849ad1143a3fae10ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
52a75c7ec53a3b813bd5d58b2ab511ac

SHA1
bb6348a8589209136234cef75636285c6236b8a2

SHA256
62466bb7ceb27b8b9bfde7bf8da8f3d7bf9108885c0957083b2f802d8d803850

SHA512
8e09d717d8397c561a5cf79880cb59062e5acae6228199f41516884db02e0710101c56fe8852e6d58775201f3c780da037264b361a2ab58803b5190d946b5f8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
08aeb3f9af61b47d97dbc51c125b0d2e

SHA1
ea891b2cf0e8e7fb4b448e7c75cebe6bb749fefd

SHA256
75e3ce71eacc58a63b50b12962f4c68af23867db9637f2535f687ef2ae0bf56c

SHA512
b8d10ba02138b4355b3c58ddb0416efe206a19c01a06c60403d34c588211cde3f193c67d3f1ec05cbf1dcd7a13cedb6059e450f939f8157a5e7f5598061ccd7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
97ee43e8da3f13268b2869528dddd48e

SHA1
d213661b008dedf8777072ac983faacab061f319

SHA256
c18ea290ff41df3d4d8b70431492e7ca04342346f01f12e0f0bac267a1720505

SHA512
0c1a7a6321f26785bbf38d62394bef4993146e13d2508e4a687e5a21ebb408ac2cddf5224b1ff55482c51c9a0a6758588ad46bf7c60e96cec0f378fcaa8a3ded

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
1.1MB

MD5
c594d668331ec776be7848a22859a1a1

SHA1
d5b2774a269fbf92c5de643c02a6442ddd7d10c4

SHA256
89b8191f6c775a49e30c7af087b90ff436aace05a1cc413f7cce7dc1ef7d1447

SHA512
fbe758a115d35ca92b38f5f44a00cb88705f201e0bf9226593d95e4dec4396a304ef615b529e0ff0c0cc15d432eb92224a153b4ec0fe5adc65db852401bfd66e

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
1.1MB

MD5
3c129117296a56976bcd73a8dd0f7674

SHA1
ce14bae42e0063c032e33c4ffd56c8d7b71d23ba

SHA256
f50222f85e3622c4417e8d2c487e6515d1ec20dfd5ba5a5a659ae506641ad806

SHA512
07fb0fde8718fc19985a45b0c53e696c0464e2be3a540d55348d864c0db121c1723d6ef6b71b4b7b8e08cfb55ab01a1875f9f21e0f331e47a7fa3e23be7ae364

Download Submit
memory/320-9-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/320-63-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/320-5-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1664-57-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1664-58-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1664-0-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1664-1-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download