bd5d34c1e069176861d46539d8abceabb2e9060d54191080cd64eb4bf907b879

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
Size

843KB
MD5

67e66ebd63a38dbe2599eaf8e8e36154
SHA1

2939b45589d48189538618a599c81ecc49e4d8dc
SHA256

bd5d34c1e069176861d46539d8abceabb2e9060d54191080cd64eb4bf907b879
SHA512

3257daaa155ad3c2f05e68d0a907177f20b317b95b69c32d75ae977d6e7945809ada572e4333b003d469aadd4b38493f48b476b271a7e3e78323d1e8dad0aab0
SSDEEP

24576:TEtl9mRda1cSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvo:oEs1hC

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exeHelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

Processes:

67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

4332 HelpMe.exe

pid	process
4332	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File opened (read-only)	\??\M:	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
File opened (read-only)	\??\Z:	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\K:	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
File opened (read-only)	\??\S:	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\B:	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
File opened (read-only)	\??\N:	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
File opened (read-only)	\??\O:	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
File opened (read-only)	\??\Q:	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\A:	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
File opened (read-only)	\??\V:	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
File opened (read-only)	\??\Y:	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\E:	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
File opened (read-only)	\??\I:	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
File opened (read-only)	\??\R:	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
File opened (read-only)	\??\T:	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
File opened (read-only)	\??\U:	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
File opened (read-only)	\??\L:	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
File opened (read-only)	\??\W:	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\G:	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
File opened (read-only)	\??\H:	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
File opened (read-only)	\??\J:	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
File opened (read-only)	\??\P:	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
File opened (read-only)	\??\X:	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
File opened (read-only)	\??\T:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File opened for modification	C:\AUTORUN.INF	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

Processes:

67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe

description	pid	process	target process
PID 836 wrote to memory of 4332	836	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe	HelpMe.exe
PID 836 wrote to memory of 4332	836	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe	HelpMe.exe
PID 836 wrote to memory of 4332	836	67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\67e66ebd63a38dbe2599eaf8e8e36154_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:4332

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.exe
Filesize
844KB

MD5
b4850b329db43be95abf1caf1d35c685

SHA1
1fd86dffb0c4e806280d72d8dea91f5aaded94e5

SHA256
84c34c490c29bb5261b7e8f51d5f50739230d4a0a9e295ee3fb77d8ba1c07c6f

SHA512
c355f1859426dcb88e8efda44535bae0add912bfc3f0176158459cc87696ed14f2b068c1c6263f23aaa16f779b4a1c9fb2f42745270b26da981fc4e444978c39

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
501069773123d20976ed19be21ee44e2

SHA1
f5cda3db61fe849c9f2a5a24f81d2e97240f09eb

SHA256
8448bbd7770fba25f2a6dce3d765eb95adfa45113652a4cee8face122fd84cc0

SHA512
bf5161bb2e55cfb3db14252dffecd037a2a084901fe8dfd75913e18db4db5657f472558fc93e2ddc0ad2fe13f93067f7d371f1c42a1b0728afb3bd4f9f26eb59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
d88ffc0934a208cb23de41409e3495cf

SHA1
dddbd053ae6c68053838723acf556ab52d181c1e

SHA256
4849c32500e0a6443f8d69c678d505b88e28799d4d7aa1a447d578c66557638e

SHA512
824d28ad53f9e001a419d93028e3e29928b6912d606503b1d1437246622fbceb771fd2d9796ff943d76e8026e3b736796758f1a81eab061cd2a396b005dd91a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
3398e6adfa8cf348f81a790f3c2f6c03

SHA1
5d6e9607255667e400fd91f63b274bd09e5b94e8

SHA256
faeef32f8ee19e952988945db4a78d7db7bcda094d894a09c9ff9a7eb97c461d

SHA512
2b461f999ca4e2ebed13d67ab51489b1c11b74993ccf283307271135a0dd41907906a0b54f26f048c76dc82d6b8fb68ae325b93e4bc4c51abd270f43a50d4c6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
0adfdea01d8125e4f952a1eb834de9ea

SHA1
029f50d13904667311b99fde3bd205217fc693c4

SHA256
02a8bbb3a669a02d8bf4dfa5e6d111c184912b8f52011ac79eef1c3289c52972

SHA512
310972347fc58e530daaf73bc95bbc78057e61dab1191eed5bd60f110344f04016fe90f4e56288bfacc339734c25509d5b035f6e275d056d15b445e8aa75759f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
c0a753c40bccc970ede2a6312cdf5ab0

SHA1
8a07653edfa8b167c39638bd1270c9d25d544728

SHA256
76bc4084db493f9fc1fbfe0be78f214d476b24d7d327489d636df76ed060a972

SHA512
304aefe88e2eec03bc2aefd0a9b8a2ae1e6d8ba08a0927411aa6ea9027a45a997fed37e166208030e6d7eb30a3d8db28fe69e9501471a5c3ab74c5b22db55fe6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
2d613fac4954c0c3eade89def50d28cb

SHA1
b89128390eda5b1cce33ec6960c12064e82a235a

SHA256
406c2d8bd284043546162719af85e10e2189c2bb9d3713516813c124e2dcfa06

SHA512
7a913aecb7e9b7d83fbd0d72f8d7e21ecdb4b3005a8ad5ef0da1aea6981b852316dad22452c65e2de553c3bf98f6557ef831cd4bcec388ae2fbcf226ef5e2ffb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
12bc1ede1bf334539cf2992b040b6614

SHA1
621b99118a7018f8d7b98e5d472a4730a6d636a7

SHA256
88d2da244094e5bbceb1ef6cd780ff169d5515cc524268c88e52416360e6bf66

SHA512
e5b025a637ffb07e784d13511bb52aa54d2fcbd294a96723a4352792a432760d97650bf5d70ae2953f45d532ba683dbee19c66d1b45401f95096d9afa2665f64

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
6a30a82ccec67f8daa4f924642ed2c43

SHA1
4b8b846977fdc7a91ea12e8ed8ac1140550cc293

SHA256
4fd4d5d36b6425ba0df4ffa08f29bd2b184d4cdb30b6316cea6f0fd77202457b

SHA512
cfc80dbf3ccdb823e8cb6ac79bbcdce3fbc7541d51cc9a372607e7e4afcc25f969971d9e6de1bc7365ee3429948fef97ccf7b1a8bc310f44fefd2b6a443297e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
96ebcf3c55af820d16eedd75615ab23d

SHA1
1b553583581e2d30e8e05d44212ab351ca8de134

SHA256
5ed22f42ee41487a5c42492f8375b9e0cab2b5b4d794e68c0faeb6b958b9585f

SHA512
8082f1195561b8242f6f9323d89b19d4957648a9f2ab811ba22829574dba69d0818b4efd8664e2629922fc92fb91aebaf51dd83d37085d6fea09a5d33494f2ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
0ae47aaebade621a5c4ec3c9baf2ce4c

SHA1
0aea8a63188b3c15f28c8212b1e3162e4146c637

SHA256
1e14c2929ca152cfcfcff04bd3f703c73ba650b6947290eb8d6b5c41a9181d68

SHA512
908f99d9b4287fbe2cb0ca15b85e2566c6d766c8b35b662e53402954cc40fa36562f3bf869bb2145ed84c7daabecaa9ade7b487a5554007e78e73cdcc790ed37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
17fa9951e44c7c765b8df3765b188380

SHA1
1a8bd51f73f9cbcaa6a3590c036d4aa19e055f92

SHA256
0975abb1a233f9d2073632dad0a236d13e2eb4a0dfa669eabad6f0538107f0c8

SHA512
c606e64813de8c3e6976d52c9965fc24685e462da84b84dd788822d7b67cdda0870cf7040c165b27d95047d8c7276f5ffe69a72e64c320f2c82cd4f1180394b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
1090dd2ae842d98131c46bd2ca1d3290

SHA1
dcfaa7314d6144c7d91ea7aad567c49f2d47a7b4

SHA256
1f84134a4a5ff6f54b178bbca98d89eeba57bbb243ce452db759b72c19e10a71

SHA512
44a66420969b5baab3302f96772ffe668d9461fdec1798c69f6b5e6f4950b983155712ce15355a211f5a3385b5309bc8fe7f883d01760816a3e5be79d8371848

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
894cd13e4c6cc78413525e2254d36fbd

SHA1
0f8bd6eb0c0b6f3000c617f472c407dcdac9bf81

SHA256
c769da68be616ff2e9ff93953eb804a295d2629e29fd3ef1b676146e7910be9e

SHA512
adb6b768dfd0f5f551c15898595ff795c81753f720bec6ebb2ce367b3fdb8c45766dec0dcca003d211c075fa9d9e1d3237992472a69fdcc6ae1e1d97fcb02e54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
dffe55716db77a95679d4d4e7d6f3fe5

SHA1
565073a387c63fba9e532ecf4f3131d9a7cf93ea

SHA256
c554ebf443a6b7d0d1a916829a133b29b8d94d6776b400c855a5b97297750fbd

SHA512
1013d9ba151cf1f402342791f44be755c886fd9a447e5b6af8c7ac01f9250e53752bc91e23192ce8e8d3a7e69b1fc6c6bfc47c47bdc193cb3a1c2c8a005c06e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
20d82916600bb341160be14e833f4f71

SHA1
fdfb9b7f377610842d45eaa71e07f98103191dad

SHA256
897a2210c10e07ba2fa972bd017a43784feb0b3817ddffa981bf50f50df082d7

SHA512
afba91003435c7ff6d9b883c539877dc7ec88757d8126f08d69f140df1ab94d6ec4a2db3f58d6dadb98763b6e13462b507081c54e9d0aab20a432962fbc07693

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
5fcad157d40b178627e17a3cd0cf57b1

SHA1
a62b1a214493a5d1418a33313f6d6eadc046320e

SHA256
a7429d1249b715f3b5ac85b2f9995fc58a9eb4969215f64f5fb7f88bd1b51cfb

SHA512
5afe8bf0a798a1f02fff163345f7cdb6c14bdae17a6f45a3a54b2da0c3b7bb27be181a28fcde56f8f05b0c4d5631d063d249c2ac0a7a716430ef02ac3d87dd48

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
ea3ce7041cc4ce25b5913e8ed6cc4141

SHA1
57c54bf2a5068e3781696627bbf0f2f9ea347dfd

SHA256
e79406769430c15907e5948cc4fafb55cbfe49ece14d03efbbf373fc5ac8b7b6

SHA512
4b3eebaa7509101d0b9bffd1b4b13376c4b19183191c0065fa3af197e938f36de0c76dbbd73affc8f720c91615e53c53fe605d63ff3e19cdc56fa6ed8b12951c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
031ee3b360701a4a96d0fec9f7bac387

SHA1
d0b02157be573166a1e7f4c93baedfbdc132da9a

SHA256
ec986aadd199702f9fe8c8a58ab3f1231cd2c85863ac8894617153af1fb65d6d

SHA512
4d8ea61ff97b1a8110dc85fa6638c21868586a2b7baca46073b631c7e513969515c9879a9d4f90755212dc8947e494d63f280bbd738c6c95ddadabfc2ec7a3f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
031a2d1670a85a74aee9442385990594

SHA1
41c8f48f1a65d6c3ecf69a1ecae83598cff779c2

SHA256
fb0259229c0e7ee3ee4b6b7c0042a10f74adb576f305d2227705e8d52cef4d65

SHA512
ea5aa8dbb2fa84367e669f273a82bc5439c142d9fbb25ee1976f3fa3d63546041eb90495a85b448afa9018f1b681a31fbb20803d8178e2bf3892f1c02e545c41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
065617b504cd0c48fc75e28a4d96199f

SHA1
2e1835f8b4cb5af1af73060d61b8c57aa754958a

SHA256
413b6c0a75b42097f6aafe05f3af24b9fbe9a9a3757da4854197363681aceb44

SHA512
4ab5ac8cd601ede7604d7653b0d33e725d486a2624d793903193aa4042e4d5c53bd0f92909e96776bb2f0526f0e23a148115d72ed3f839bca84e92ec3349b12c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
34bcc144f730245f6044423079428218

SHA1
035c6dd0e32fbcd6fa77632c863b0744a2143702

SHA256
6558b80a95cde63788f55144cf49fc0113a08479d650def48fa3fbd6c32b38f3

SHA512
ac2f277491a9241abe84cc39b976845e8cd804ebbd12eda017eef97b7315974aa566e2179df4f83fa35c9dd6f5f78806fa255874404830a577bad3e3fd3c8e11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
bc148b06295275d3a8c066fc6f5c1500

SHA1
424f89a6ddfae1977de422a790bd1d9b14f3db18

SHA256
2a5cf71d85a61a8d9ecab9bd88740ba757d0b771e407c30e1c9919ff299155fe

SHA512
c16189046bf4cab4f022891b7f3660e1fdb8ffcf683990b01dc0cafd142b6a93bcbe94653471e3804664e0b17706f207386a67192d313b79005bbd605ce86569

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
d9f2c953517e16ec74ee70b0550a6359

SHA1
e67b2b39a7cbb6e965e8ee04981def8ff1c4fcce

SHA256
db5228c54d6a40d01bf10a206aba48503683ce82816ba9c15141a62905830863

SHA512
d581897b101dbb586408aa2edcf1a2afe2311e2183bf2554790699f7ef97faba717b0434f66f648d28abc517a6038adbd7e647ba964dda1f0a20f77a45dc6172

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
80facc09222123dc5a68213a21fe63a6

SHA1
180c9395a58707572ca67b9e54a5ab26c5c03840

SHA256
7306d0a0f6ac00bc2b9b22604041e1ead03ff6e92c9b287dd34ae651d3f20a8d

SHA512
635140e52f2b195fa92dd71a6ef58eff6ee7029a2b4d53ea89c0b54a1c336b11141be86ad50dc64252344172e0b6f5b3ce3c3bf1f36e7dc881412da9e73dc4ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
41b7047bad38e903a8f7f1588cd5efb3

SHA1
e7e5a90a301828d876f08c6111934a288ca05446

SHA256
12c9a3aaf2c163cf16a1c88812d5830d765579e374906829c88d14a16272c92a

SHA512
3c7f6537c6bcce1ec60a29bc2933fd0876891d245b8aa7e4a1a7bb22b782a1ec0997a9b95e3a873628c8c3c10f8b9d7a0b60cb0d838146835e5448c130d04e22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
27f454d97d873d447b9474e563401abb

SHA1
d3aa6424c03b15af56797e54311b4c77e647863b

SHA256
d4708c6bf2f453b130ebd5f0654cc6b2858aab150f0307ff723dc91518216f98

SHA512
35664e332c692ca895da0290e500cd50fbb9fc2e935bf47e61dfcf28eb38f1b433187781ebfc384469f08a96fbaa7c6acbc4b5c7c3675d5bcc53423918d06dac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
50c744f9bf098fb645c1722204dfb1e1

SHA1
dc4ad0649ae7d50949aa4bcda359a5f29727ffce

SHA256
9f8256f8233997f468039c1cf9be87ff2beda0248c4fd6c83211513d9ae95104

SHA512
08f9d3e27283283487d76202b92384945cee3c2e1dff0b1b24cf68bb086cb2098eb9dc3a46012c43748f450379280d964536eb0dd8a0b0f323cd3c4b37b9ff11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
9be2288634cb84a16b9ad39ced368aa1

SHA1
e36b7b020aa984e9aa39f3e740d9f2d23ccb337b

SHA256
df5e7b743514c8f544c937947ffec4defa2d3eed60536bd1b71c6e060b50c5a2

SHA512
e66910f72042117b38257e5f3983b613589c69436caae2ff045423095b33816868d9050b4d06153452e5a4e1c53a01c208fad05954661666dd0006beba89c29a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
568989c7e473ed0975a1403c73cc6d2c

SHA1
3c6041987f732561a608b33423eb4a9e7fddb738

SHA256
b0533d964488fc7d0b6f49da762c9d3ba5df01b14a6584024b5895ff69a44536

SHA512
b1a3abc12ac09c495cc8837ce9e9831d80aef468fc5bbd53c854c1520854df54a6646d5aa02d0b41eb8032d5e5de12bf5d06bed8b33c5957448f46a08ee94ab2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
14dc57c8ab0b97a7d13841dceb7954bd

SHA1
e05dced5116f14d89c17a4f104e054431818c4dd

SHA256
a33eee3c6f794cd7f4f3570bc7d365e01cf7363545db9f22e5db8b26fbfd4a62

SHA512
66cff4da0e215ba31e3684e54e8a7adbe8f0a52fc163df8daed91b9a4830d6bf1626562a5427c7c63617b020aaab58febfa18b2e752c109dd409577821f85d8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
690e6e9957f8ac690002f9f7c8e89bbd

SHA1
07a5a5d4ab5be827f72c527019e45b557435a9b8

SHA256
8a94361606ce4a389bf468f7d9b57395e5579616adb078f1a296e80b51cf124e

SHA512
700ef7c635fe92e75b2f4b9f71f47289e3e924ac5fcd67df3c07fd17bb3ce27938d5d809791622b730f33985105585f02f4932fbac374caa719a71dc9f8a9efe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
bab0efaebf321ec424c6f27eed90bd4a

SHA1
ad97a9f428c813fb3477663c6895b0c4643c9b66

SHA256
d4e5153d122b822a6092e15787ba11bf50ed0e2fd06749a5f69219d2c6e9873a

SHA512
980d39f447703d9659b629fef26882a14f1d71e4c74547350da54c2c12bf2ad26a66503e5e9e33c821bd4040156a8d836ac6ce05dd919a9b519157799d7d58e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
f6aa145933990c6e4a03486eebd91a70

SHA1
277f4205a33abaa3afc4b1330ae7540e48620cda

SHA256
81b23362f2752908417dceee3c9deff656df027baa5ea4f1cc9b3d313900b2c0

SHA512
d93a1dcc7a5d6d96be82b2a78222fdca7fc9e116427803aa7eb807bfdc1bd0ef5ab7add34995bcf26153598435c87a197ede56525eb2732aa9ac29822f54db65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
2dd5f0b215c9477cc4732c8f77d3eb5b

SHA1
4304a174bbae2a8a2cf3ae2cc9e8a8e8f4e7a83d

SHA256
799761589d54c0b1adaeb081d7cd3e3b9e69c1b4e078fec2a8453607c72d9923

SHA512
cf86e3a5a8d768a5e090880c858622c0fecc8d475086317a5e16941c5c623f64d8cfbb72e787382e1c2422b90ea4253d00306dcaebf26c3c0824601693af3868

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
843KB

MD5
94e936d354a971b1efa32c3f3402286b

SHA1
19b59e39a8b89a5e6253474a420698c5f7f1130f

SHA256
d261ebc6468002d45f08f2cd8bc4f2424a572e4ba0c63eba0d683659e8a65b78

SHA512
8bfae03cf7739ea0337f1006da53f47632cf5e34cb37d109fcc442649d7676c3f8a2612f69d852e47b1e9c35339a9ce5a7936f87551f7e24f46dbbf1aad2866d

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini.exe
Filesize
844KB

MD5
2bfc1cc1d7fbec6fc5a65f920417e7b3

SHA1
ed49f210d9e7c153974b260f848c01c6ee936d56

SHA256
f39c50b0c44673e8e017371048242fa41463be79c21241a8f00f22fc8526fc82

SHA512
a1e3cdcf52e0a6e529354f09faa2989593abddcf06555d3b9b3ceacc05ff0218800e9b80c6f3d34701b8901c587475414afa79f18e3d39ebb18567b8f46aefa1

Download Submit
F:\AUTORUN.INF
Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe
Filesize
843KB

MD5
67e66ebd63a38dbe2599eaf8e8e36154

SHA1
2939b45589d48189538618a599c81ecc49e4d8dc

SHA256
bd5d34c1e069176861d46539d8abceabb2e9060d54191080cd64eb4bf907b879

SHA512
3257daaa155ad3c2f05e68d0a907177f20b317b95b69c32d75ae977d6e7945809ada572e4333b003d469aadd4b38493f48b476b271a7e3e78323d1e8dad0aab0

Download Submit
memory/836-56-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/836-50-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/836-1-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/836-174-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/836-72-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/836-112-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/836-82-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/836-117-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/836-165-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/836-103-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/836-0-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/836-61-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/836-130-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/836-92-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/836-153-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/836-148-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/836-139-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4332-62-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4332-7-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/4332-51-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4332-149-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4332-93-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4332-83-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4332-131-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4332-157-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4332-63-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4332-140-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4332-118-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4332-166-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4332-6-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4332-113-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4332-73-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4332-175-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4332-104-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download