b2a48b3d6cdb2c103494d5d8815f1fd4a28a92426837b5abb2866f0c7758504b

Analysis

max time kernel
145s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
Size

783KB
MD5

73e272abeb5c6a076dd5931f7c7504cc
SHA1

7de6e15bb4ad00887423c4feb0b72eee291d0f53
SHA256

b2a48b3d6cdb2c103494d5d8815f1fd4a28a92426837b5abb2866f0c7758504b
SHA512

66b6de74f97a32aa45691350ee70ebe66436b39525d8fd1038041b318381509f82eb6cbf76597956deba1b37fb0aaac3988c6a7e11e16aa79ee06e851ed2ae68
SSDEEP

24576:TEtl9mRda1cSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0NuJvH:oEs1hh

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exeHelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

Processes:

73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

2164 HelpMe.exe

pid	process
2164	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File opened (read-only)	\??\W:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\X:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\A:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\I:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\O:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\Z:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\H:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\K:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\L:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\Q:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\R:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\B:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\G:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\J:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\T:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\U:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\E:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\S:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\V:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\Y:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\M:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\N:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\P:	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File opened for modification	F:\AUTORUN.INF	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened for modification	C:\AUTORUN.INF	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

Processes:

73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe

description	pid	process	target process
PID 2216 wrote to memory of 2164	2216	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe	HelpMe.exe
PID 2216 wrote to memory of 2164	2216	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe	HelpMe.exe
PID 2216 wrote to memory of 2164	2216	73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\73e272abeb5c6a076dd5931f7c7504cc_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:2164

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3906287020-2915474608-1755617787-1000\desktop.ini.exe
Filesize
784KB

MD5
8f04eac2d0f1121ca1d044a5dacbb078

SHA1
6639a7b96301b769b8c6375e338017ba57c5a7b3

SHA256
84d97427cfac9e6b2fed1257cc8cb64ae40b35917b334ae7ad33844c1b5a0941

SHA512
7030366c76de8e387c4d1fae73f52746c7a9a441b5ac8f998ead0522215672b6da66b35ff5e746118f1dda09ca208a26b69fa582ff71f749615c310f61ca6f90

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
75a1cc4008bedf989c6c2a9dfb546648

SHA1
d2db05f335f7e95c5dda0c63aedb62d85ca0a5d4

SHA256
f546572aaefe2592a33c5ce7de932c23eaebf4e0e5c70e6282087acbc11b7947

SHA512
10b1e46383ec7c430f2e215633ce7812e5d073a7dd2499bf261d01bc220c95989388f2289bb3559e8dbd3a764c66237f68124ef9c93b4101445d216a0e44836a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
d1241c407473f8b5f69b4d73aa66f50c

SHA1
a7b03b0481c52709d9fb20c79a3a10a62a5b8809

SHA256
53f6d80f1f2aace575efde8c800aeb46a70cd26e4e3cc52f8fcf44344800855e

SHA512
ed77e7d2a4e46a35d16b1cb053878eb2bfd4d788e0a2792ef7abdffcbb2e757666961ae08641885b34eeb8adde562c25bada897099bb4e4cee501c27432b5d1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
d2b8b5f26c7b48080998451f3743eac8

SHA1
d01962761bb6e040cd68581a8762efb32b4127ef

SHA256
5b34cd77ae369d97b7b79555fc38ce46e0b81247580752b69448b7e7fef8370e

SHA512
0f22ecd0a650647f1c40f69ca85ddc5baf328be7be859c0543ef39d0e417f86b3f9d8803afe9bb91315c1c80401e1f5559f6e2fb6da3d099e0356c80aefddf09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
9bdc4ae9729858afaa9044ae65263174

SHA1
bdff289ce31dc86222128f8e944b1126083a2bc9

SHA256
c7789068a3098d7ab2d50a0abda34c71a920529c027decd13a926786b16c362c

SHA512
15d703866d3eb34365681bb0ae8bdda31ab79cd5a4c3699e241f1d15dee7629f79978e0a6c2c8bdb5ec8f0df6aefb048a89248341a62cfc67a2c52b30ab7111b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
c2c3b8c8904b27e46d4f9395be5ec88f

SHA1
843064fb13169ee3ab1970944ccf4a364d4f5e37

SHA256
d522fb36900b1b104f37dd0ada4884f9e8ca26aa210b13da1c8f7dbffa8d72cc

SHA512
d8c16b85ae189acaf5a90f987746a09422da09001e5dec644f7a7d416b1865d5ce444e44e852519eb880e584f0a8615a5654e78573c80909fc2da0b978ee0838

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
e41baf5a0a7f770a369e28620e51bad8

SHA1
5570b3826e9e2935413382eb5c883fd88f3803fc

SHA256
0a808540b9fbb649cee0a9f753f65cd276666082cc2436f784346e76a4e6ae03

SHA512
d996bcd9e9f3ef2638924229a8a2c282aa61cc8f6473d3e89307c7f61646e868f36c5114744838c9cfaa54c075c84fa5fa83a0684aa1abe1e5e6e7876a64660f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
1798c61a2513ca8bcc3ccb4a6e2c81c1

SHA1
426890429a15ae36b9cc763e7cd6a2c7e9fd65ad

SHA256
a821d04d6e92d332da2d2213f355a15ec04f75ce9b5c5b0a0a1c3658659bcef3

SHA512
79b041d5979d4cc4648527d14858089ed2c00cb31c86856336a8248a5aff5c3707916cbb10749822fd14d1bbebfa98072e5733a722bf5f60112c2b6bf8ddb3e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
21884249cb4476db6750c0f3e0e77870

SHA1
d55c1edaa7d99a284b98ebd7a2cbf240ef0c72f4

SHA256
16db4ffe282e5a5fe14ebf4e72fe5fcc5e068e1dcec3f6bdb249dca17e862b39

SHA512
3e078a5ad3570a053271fdbaeb8b3597c22ee74183ef695ea2398ad1dec4dbc4404c085450709c68542d8e2eed12f26234033f7739e7851a813e4df4734f8359

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
7b1702cda284718585baa2fe127f6050

SHA1
26c1b5d5f8cef144adab7022e929bb00fbd24445

SHA256
882f9b32e53d8a37a40541415f7ec9d30b1d34aa18a4322b3b2f83c9bad9efdd

SHA512
7c563cd7bc539e3ddb0a1883c398d28effe7128d3a4ac2841812825c22fc8a67eee0644f3a31ca0955128f0dca11758ac57132dcaf5b8117621334aad1ae131e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
7a53031f3fbebf0975e47d71f11e1428

SHA1
e4594e5d6ec73f1b4a38834fdf40c7083aa5cd58

SHA256
a915588617dafb3c4d9fd7c6c2b55e99444605f37cdf5c77a41d89e07bbf951f

SHA512
07dcce598a9aa16182ca28e50f6c9049a1e04545ee20c5780df445495fc0a909120ed4b01bc50dcbe2003db46cbae4dda40d8a558ad0dc6ed4c5bf1c2c95327b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
32c67e5b7631ea30851f521f926a617c

SHA1
07001cabdaaae3683edf6e9ab274a1544e66243b

SHA256
f0939de66759c12cf0ba9d2a25058f6325a90763e96e068066ca2d1eaea22424

SHA512
e5473c19cb97088e0e72f78c9ef644f8311c36b744f93cec1d3869aede11fae13e6e1c8e1c1d7dda1509a63bae53d8c76c293bd3dcd28ab790851eace78f287a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
4ba432157faf180a4b192c6479ac0bd4

SHA1
52c0d5cf68ff7c3e6c2b418302a2bd9a61a89358

SHA256
6568f92d4fa34fb86ea0cfee2069a8c8d937b490f91016ec1a5fb8883dbd4006

SHA512
49437230f57042a4c33f8504b75f1abb9fa61c99a5048f56acd0de965a755651043950b2839441bb9704cdee97514c8b98144c7c9c89b91c50d8c33553b58247

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
693cce00eddcb2efd369f7fae01b5bb8

SHA1
87f5632ec0c22901fe91a09ab447de666eb9e471

SHA256
db066d439391a7a49862284b98a6db08cd1a9e5ab90ea1481f34b05a251682c6

SHA512
4cd703f4019e8986705513712271ada1120be2552c8ddf19ca9680efc58a5ec4d3984f05a504a461bb444cf12d0e286ce49890661aca22c0f2d2b71d727711f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
0a9a6206f880adcf61e935c9f6a136f0

SHA1
77013d0b61cc5700c7b1bf4e44b236ab30ef3153

SHA256
f1810ccab9e1c0e5f4f8e45ae62ee436210a2d5632121145414d29307f7343bc

SHA512
ce0f4983618184e58a6494a6276edd1785bca21924fdce01a21a74b6edb6e9599a262407e33a479d5af5c7a8ecc645416c2ed3d02ac65ad0b85d1193cd6e201b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
e17ff0ee2064ac4bc05f8e5ef71d3c3a

SHA1
a327d84b7cd7cf1699bfb7d04b1e04e6ebcc0f7c

SHA256
ec392d4187800039d7169d418b7e7d0accecd08441bac3415eca219b552e7649

SHA512
bd596267e85e78caef25f93fbe5229bc9bb12a7dfa111f596ddc9ff9413237ab151db0df4b59692cb4966515e70dc700d715b98ce038b6137715ac018442b1d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
da12d381ace610db8b46ad8049c1374c

SHA1
66acd86424cc3efdf926465962a9db4e45be92ef

SHA256
3f11da644cdf4ac729dd5d11cbc2d2410a773be00af0592728049bf487a5002a

SHA512
ecbcb38909d471a901a3f0d5874fa6bc77065e1816987855c8a5c6268a8c2222b02fec4b0ff413300471f8ee4904676fed9d2551cb6ee90acbcb9f9809763b82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
34bc261d7a5fe71d1a14201528b955bf

SHA1
63d431fa22536564b8781a24d2334a83df89c899

SHA256
7feeab048753602eab7bca03a383e230d7d791fc9abf79ea8ebcd0c75e65234d

SHA512
29d64ed9927004f6dcae7980f32c1988cb9e3407e942418111543f8461755aade2b0b0cf4fbf33161d293e83d6ef3fcc729ceffea1298fa3b652ad23a6b01c91

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
6e0c8d2b4a664781f8c6b721dcfa6db0

SHA1
51121c32a10693bcc55b1259fb071ddd75e6a6fb

SHA256
6ed524898c4112081960fab52c362f8f856a962210e4636e5d287a4450f5a81b

SHA512
56109a2a4db5356fe0f1c6fd6e08348e3d54a133575bbbbf3aa3a6edca2d3ef18d609c48ab644f2e62b24b2416eea9f288853384c2c190ae775352f898021d52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
0476ca6a68443985acfc801ed482fb78

SHA1
0ac19f892cf407958121f7f17f23106a8af75281

SHA256
45a48febb3fd9c9c19d823041d7acd01600dad043921250d6f71a29a957f2a21

SHA512
bbb3326c1ed4d5bcf872f7798d9bdd5a2843d445c2f861e499a5ae23fa22379f15909aaba7d8c4b9e1d052a78d55426da9e28eba536d4678328257571087b230

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
3873636e74ab5dc66d39818d21714a2c

SHA1
cee25c03deecb55d141b897dbfe853d94bafda91

SHA256
a413c43db85d31726f537f6aee23b064ff22b177d6e4e068b5bda83b81bfea78

SHA512
7af75ea98a736089b361f7d66bb064c8669fbbe50d93d7e759042dc8b52786d1b23a2380ad4797f98df4a9a521537885f466865d0cb62c49bf9ac6c20e654ef7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
514f7acdc7cff48756370a9c4b8dc4c0

SHA1
c3e1da52120d6f94877780ac98cea53a5316e2e0

SHA256
8e9d5306d628a39485e96e9b58d72e1322fa7de66bcecbfd415c4ab7c3ba8225

SHA512
db543e3131bec9b1c396ec5a24c9259a8033e40cc46802b6b6fdd6478c1f3703f19eb6f42720ee6021cf0e0fac74aaa2d8c5fa68f21ee22b4bca11d4c18c23c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
99a659efe0aac014edada1c5115bc1f3

SHA1
f095f47d1302f7f2ed7b23ec77f2bb81d72025ab

SHA256
7527b2acdf4ba03475cadb94609b032dfb875dc0ff8ad4a5cce49fe577013447

SHA512
f12289708dcbc93e70be1f46d62836b7c66e929eca915e5bf01e427e046407a4c2e0a2a872153ecd30a4a5c6fec2aef249edb0a28e95e308af96dff407add59f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
68cf5409f3a244162d347b9dbf2ab388

SHA1
e7e07b72f8a1b428fef03fef5457dc0c9d3bba46

SHA256
a5ae62e8161b3d060d3abc9edbe23f64454a42f15a74a76429087b469a5e19c6

SHA512
5e62e8e23051d6ccafe16d0c47d81eebd54580dcd5baab75662765bf06b9b2263270214341580009447e0eefea6fe2a50cc15cd9949f43504218ab1e57a2244e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
550a89da810a1b780aac2bff024d07f4

SHA1
08ec3e3d9b2855fda39edc19d1eef549b65be20d

SHA256
c84fe61671d5b250e67f20660dd198847f9c6b8f3ac856796908995f5d71866f

SHA512
4bdbe7f880273a20cd1dfa586d8156fc25dc671246ca94b4b763c87a5ddf74bc0e21391e4acf6a80d78eac98aab2cd4e6cfc8f97d6f225ec9f2741d02e27ba1d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
7047dfcc7c1bd14d363853e720ae2bd1

SHA1
a9e11b9555473b70f6dc2d95fed68e086f3ff88d

SHA256
0e2e9b6417ca9a69a4e20633e300e69eae9e005e44e16555efff9e4d934fce7c

SHA512
6df01313a39983008c2c96b6bd496e2afff0831dcfde3fe7fb2fd585442da6afc6d70d4f1444217ab1f7b8efe5d7b23831e7471187c612011e68699867c05ef0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
645ac59175197b0b4c90fe9671a7d10e

SHA1
0c5fff70fb3dc07f3b2a9a55d9d95aca307674e4

SHA256
5b9c5c88f089050c5e4ff5be44c82e06cfa22744350be0423f9dd13e31949158

SHA512
248119053668b3c1a8dc45533beac857fbe63c18b6d749b14e3e4c61e6454203e822e74841e25574ce9702bca8abd7c516c9ec5cc3a5f059eab753d93557d89f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
23fc51f4cf3419f6bf94a6ab7bcef9cc

SHA1
c7dd24c1f9b90e51f79b28fbe70786788b0e78cd

SHA256
acc424aeef0cb575516757f532e112f364aab83152644adf57ae92e644ef208c

SHA512
6a61a069f7d4e7d7fdca298f5b469fac879cda9f29dc7b219a80a52e9f66b66506a6a6ca32cffe56591441fd6819ab0231dbd1c223a1e1db2f1adb176bcbb321

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
dad1ef3e56bb252f291d5424ef81239d

SHA1
e2116eb65a19800cbf221de3bb3ab505e0fb0e59

SHA256
48e20e2f643e6479ab02776c36cc5710b4cc1416e10382a801b98d1034bf7e1d

SHA512
e3878157d05400d1aa9e9cff8146231bde44eb2c0912c3239e563ccb1b588614d2fac90ca3ca45d475761bf74489a03f76e5f158b858474c71cc65285a1b78e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
1ed5ff5dbfa447b6c23612a431855e95

SHA1
66e69bc9b043c8057dfe7af0b0f16287ac06860e

SHA256
0f7989ced17e2d2e67d31c095211fdf5ebc5543844d7cffcf8d7ee0606f9c35f

SHA512
fb0e62ff1e96e1ef1a62b2d619751129adad9372ce41411d61770237b960d77bab7d18e30f7aa810ceaa5576cb2e92d63d4ac95fdb3547cbbee26f2e70daf6e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
75c65bab627c87ab75ddf9f0fd77b6d8

SHA1
90ecea696b399ac30ad47fc22f04a437d23e3f9b

SHA256
2305ed62c9f30089f57f31e0a6aba82ff7593350d60a9ff73850ac7992bc19a4

SHA512
e2657ced10ca28f8cf749f2f05f217b4900a9573462a6cf872fb75a71fcd6acc5e288ddb49691ca798794a6f44583e4bc68aacf13f11a08373eefca5242e9c71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
595adebf8a58b01b4f4094dcefc40de2

SHA1
0477249d429fde6e0b5573975c1c7d4beef41b48

SHA256
2462a9183715642d2373432af39017927cea31f085fd2a55142e0e36de7c1424

SHA512
35816aea95a7988949f6c1c25447772eb8fe74575e7d02750c2d3ef4886f17bf8baf69ce19efd484c59d6c1d3e8338b6abeaecb87b69ec533b92fa1a8486993a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
6220b32e4bec274c19dd4425cb65fbdb

SHA1
9187484d14fe4705c5a5263fb519a071fbbeb640

SHA256
935d17219897054a59a30cafdbf8b487d8ed1a898ed1a4633e921b350fa5c33e

SHA512
7f351d4d43b05af14dc343e9adc6b54c1d91ebe727cbfcc1d7520738964e9cb4120d51c648dde47200157a41c720da747704b1af69c6c8d4e3788b83e11e8b6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
6c302eaba0189c4579944cd7c198c312

SHA1
d03608f837adc75b143bb63bcaf0fcc970012c97

SHA256
9dbaeeed3abbed372c9d4ba2a82bf8595949ebfdc20d616d7615b2678542e597

SHA512
67a2bb3694884739a40767e75b824d7d4cc8bac732f5384c3fd7146c1350428437f1b85997cccfe704102dffa4e23d3462ca2e02a20ed971cb8dfa4e5252b3c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
4791507e089b9345a1d41eaaddb580a8

SHA1
a7e72e97a732c2f712606e2d5fdef2f082676fd5

SHA256
c03c533e9a73e030f901329a0d6b5ee1cce2376c7672908f331968ad5441b7b0

SHA512
0fbe8d736a5aaaa1341a5f877c8d74cf0e8d223c2c36cd2c224acc247f5a302926dd69b48ba3105c103c0af8f6f6eecaacf02d9ff58219a145090531fb1c63e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
d03f569850f96087b14a49c6505cadaf

SHA1
e15938865c911c0c94d55c500b85f02f5fffe1f6

SHA256
d1fd88a1b4d6133812e33dbc51361dcc79e7cf9d390608350acdab3b360fc89e

SHA512
a29badd7180e20321a8d3d70bdd14a0995955971571853a803bab7aca5ef19964fb60ff1b647e565bd8e3e0d291052b8ade75023c51e2ebde103565e931b5f7b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
3040bb39b4f8aaea02bb6f4c8fabe75b

SHA1
25c5b89d85dad01cb1f5213dc03666478c876600

SHA256
d19450ebde447622cd2ce476829be4b951c6597e112ecfd168b5e28cbc384ac3

SHA512
49f249acb788f2d0a0bb44e08e131200b80de4363096faa1d95109c489bd669838f3a6b41cf6024f056a5c705419639c6e3975f63fbaadecc2ea6ae9a781d118

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
b329e453450600809a9ad4bbae5874f2

SHA1
b1eeecef6898736f28e936ab6a7d2a753a0b7667

SHA256
f7d5cb55e9a63ff8b5797e163b664ffa104f443b2164afa6a2ba6182f32b18c3

SHA512
402c079ad0413781515f1556f8e7a62dabdf38676cf2b990d3c98f9a8166f55d8b0536e4bc8e0aa04a4040a6e8bc198bdea9266a2b381b7d2d5c30b9f316780c

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
722KB

MD5
9be3f0d7d4b6fa167c296af6f570ef4a

SHA1
014419a11092ca107c33f94e417e010ef24eeeb0

SHA256
bff3138b60ed4aa129f02990d36452b6091ebd12111954f1018046f16a7dac2f

SHA512
8749b9eef6868363063f05173565ce1bef861c356b777436d49cdcd05a04d4dd8cc2440c7d853f9e37840ccde7db7c6e857564f3d15bd0518856d036cb08cc89

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3906287020-2915474608-1755617787-1000\desktop.ini.exe
Filesize
784KB

MD5
470aa4dc0ae073c817c9e550a0b7e007

SHA1
f4f3af523703e2a4aa0ff5c8e378e497905084e9

SHA256
7e3adf6b16d12833f8ccdc12da555139439b4e70a279359ecda78ec33312cc50

SHA512
e678f0bad100e6715a8d400ea65dd1a134ac15f87384c2687a6dd2cdcfe9dd545905b46716954ebbd948435e87114a4b121757ca7a698d9681f69b89856dad9a

Download Submit
F:\AUTORUN.INF
Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe
Filesize
783KB

MD5
73e272abeb5c6a076dd5931f7c7504cc

SHA1
7de6e15bb4ad00887423c4feb0b72eee291d0f53

SHA256
b2a48b3d6cdb2c103494d5d8815f1fd4a28a92426837b5abb2866f0c7758504b

SHA512
66b6de74f97a32aa45691350ee70ebe66436b39525d8fd1038041b318381509f82eb6cbf76597956deba1b37fb0aaac3988c6a7e11e16aa79ee06e851ed2ae68

Download Submit
memory/2164-104-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2164-114-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2164-180-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2164-6-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2164-7-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/2164-124-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2164-51-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2164-92-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2164-170-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2164-161-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2164-134-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2164-78-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2164-63-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2164-62-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2164-143-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2164-73-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2164-152-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2216-151-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2216-91-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2216-142-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2216-77-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2216-160-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2216-133-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2216-61-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2216-56-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/2216-169-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2216-72-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2216-103-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2216-50-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2216-0-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2216-119-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2216-179-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2216-113-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2216-1-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download