61bbe5df1047959861d3dce7439f237b9394b1ab121f0269fd30e1f9703bd477

Analysis

max time kernel
145s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 05:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
Size

3.9MB
MD5

14d0e55c3e29f47530a0490570e2a8b3
SHA1

86b4ee849fbbc9de32013a3816996ebc7d3271a8
SHA256

61bbe5df1047959861d3dce7439f237b9394b1ab121f0269fd30e1f9703bd477
SHA512

2eaadd0188551344f332c80d7aa98c102e7f35a16c168966804f2f86d6e232397222675b64bb46c2ee1f7d7862c0a710eced702a0bd485e4afa1bb257f275d7d
SSDEEP

98304:PE2Ji0HiIMzKpXOMJkMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMM:Pn80CI2l

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3660	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File opened (read-only)	\??\Z:	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File opened (read-only)	\??\H:	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\L:	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File opened (read-only)	\??\M:	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File opened (read-only)	\??\U:	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File opened (read-only)	\??\X:	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\N:	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File opened (read-only)	\??\P:	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File opened (read-only)	\??\Y:	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\B:	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\T:	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File opened (read-only)	\??\V:	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\A:	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File opened (read-only)	\??\I:	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File opened (read-only)	\??\J:	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File opened (read-only)	\??\Q:	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\O:	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File opened (read-only)	\??\W:	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\G:	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File opened (read-only)	\??\K:	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File opened (read-only)	\??\R:	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File opened (read-only)	\??\S:	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File opened for modification	C:\AUTORUN.INF	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	HelpMe.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3660	HelpMe.exe
3660	HelpMe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 3660	1888	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe	90
PID 1888 wrote to memory of 3660	1888	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe	90
PID 1888 wrote to memory of 3660	1888	14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14d0e55c3e29f47530a0490570e2a8b3_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4448,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=4484 /prefetch:8
1⤵
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3665033694-1447845302-680750983-1000\desktop.ini.exe

Filesize
3.9MB

MD5
18635935353a6cfe2b7a962bb8c826b9

SHA1
9ae40dd222477c13743cf8bcf27a0e0245c75837

SHA256
b438791bdd62daac1451e196f71c9d9e7067db43ab9c522c1f2394faebfe7a8a

SHA512
6b56a49b93fcfae2f4aeb0033eec4931c29e558b900fcd66fce4d8b75a5939029474fc3f4d59eef0ad0b7d19192ecee5d8071a3d5432a66b94ae8797ad6a3502

Download Submit
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

Filesize
4.7MB

MD5
c74989286bdc3414e5bf0eb6c855aa31

SHA1
1e44fec022a13e0cc76e7b43fb64306f5841c750

SHA256
95f3043bfd7c9506a04b67c836e7d639a592dd5c1f3de3ffecfbe1a034007886

SHA512
065f6c63b93fb112d230cd74d744e386455d657a597adc39a7811b40cab8a3df006b74d4c6db65e9c3a42d7e1a2aacdb972a4c32b6571f24b5f5601d45ca8b2e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f9b3a16e4023d3c18a2fef9e994c20c5

SHA1
48eefab072eb95b93433c7f296ed27c38e00d77f

SHA256
90fc4b04e73917f79fa1834ace142c088e603edd8dfbc2a6e28038da7ece866a

SHA512
25c3ae9a6a45a78c24c68bb90788bf2da6be6317d7399c8904ceb8b1eb8d57ae51c7fecb2efb246f52a29c19b8f0b6a6ae00502c0e92a416adf0e769fce07f65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
028aa586fa6d96c5222310a6b1b93af8

SHA1
bb5129bc998e6b71b6157ab479694505107b8678

SHA256
5c56e3b43bd80c9bf9b245d4d67f015a24e4a31fb13ead06579ff884094ae370

SHA512
8d7ab2d144822ff79393ec4a85a85b20752bc459f59145412a6cca0a28ae99b38ff08fd9165b265d172cfff7b9922f9e66f7d657c11ac2d29956f451b4919dba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
21de98e587ed626adf893ae93535a93e

SHA1
5499a6565c330af54cf27d038050e50dd8102785

SHA256
144c6f49c047c1914650b4b1dd92b840a0b5404ff0985ec16afa139de4b09315

SHA512
d61b0029e05e80e095cd0842df3db5919dac5dc1ea3fc433079a54ac19b7ea98d9b20640ea385b43c9b14328b03ca8c17801695bb72d9d2dd136c6b7a83c3cb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
242c0e4874a3668d7f7247bdb665d307

SHA1
3abc6251c8306be2311057e4700d21ac8b158b79

SHA256
2e87d9a9d039fc8f2fb739729569c4c0624c2101f6c358f687646db818b9ebe3

SHA512
e89d71160184abd58b357f92df1050ade00b006471dd48987c0db00987c170916b5f3eac1bed8d7a560c50b3d1d81f7b5843df1473ab97b1a019df226122d9db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c79046a92d77f3a273309628758886d0

SHA1
d16c14f977e0e16e1b3f2576515d9eeecb8ab563

SHA256
29857144de619f9a3dcb8f06a3911c7336814583ddc1ca0c7b4be33484fa6aeb

SHA512
cd951614a18b09b9c4866886474e00a268e824a690e8a2a823818ace1bdd7a67621a9e02b88fafccaccf13305cb13ee4f2980e84fff96f92be04a57c8cb2d760

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0b339693def1ca158dd3f505a2be5271

SHA1
358e21fb15df03f2a391a4ab50b29018646a93d3

SHA256
42429b33e2e9fb591d06525df6bb68dff28e53846a29e58a254dec5f0f57edac

SHA512
35da5e204d1b549acda589fe36e7b90c7da3bb133d3b0ec7b9a25db189b94d1639b3b1808f0ebf1f73a9019cf04b70f38d8b23aacd51415b25583340f8264d06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
3551795a7e1b64bd8b601efc43be0730

SHA1
c6a84468e46eda4d665a34088fb24b6c300c2b51

SHA256
9ded09f0ccb34326c3dd61267dfd8150f12a58548c212bf7e3d2a44b6667e7cb

SHA512
a1c119a14a13febc132e761c5be3c0fd676fecb137b2909ddefc0a7059e3afc30c1cbe1d9f63a1bc765a33c8dd5b2b0f653368aabb8ef18e474340a3ec0f2b6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9d21ee307846db45a09de2ca2b84f31a

SHA1
25470ebbfa2cb1561b4a773e1cc3d30a40300403

SHA256
2f7604a2080def7e91370eef7147ed84a3c727d697a6ed8b67c7e73c70bb7b82

SHA512
c040684915c580763bd65808348e88a4a6ff7f1ce750035da6cdafdcd2544094bf17a38d527f77ea24411e2742f9a5d010ea53a3cbc7836a4282d844c5305943

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
5a5a9dbad74bda38ad4c98d2a13f702d

SHA1
bc5081c40a7958a9cb0f754c9f7a871269b91cd3

SHA256
4fc75d386dc295b6eeb4477c6a8c8f5fa6c58eb02b904627e2be5d1b939cc0b4

SHA512
ead0035cfd532521d5e7494a450a41334e0af203aeffa4197a23044b58286592fe9c541da5adf056c660d24542e3b96f573c6eb6deb63cb0b6d61561667963aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1110094e05ec96f6fefca4c8e790441b

SHA1
a0f7d2fc3487fac074aca471380e1b906b723e46

SHA256
57e43b45f568141ecd3e31429d1bd7935f6e5bfe0c093f65a4280da22d0a41d9

SHA512
6024753ecb2c1ede7453925478a735e7449f9d333eb629060bfca3efad2ad3190dcaa51588b20c51a24c9562f4bf95777ceaf6c09f277ddd52b938bb9d4cf143

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
bb86d62e3d9aaf3c40ff639b614543d7

SHA1
cf8a1ddf1d81b6b84d69af492b0cdfa981af958e

SHA256
fb23c7bbae509fda8cac7e24e08ae73d565137edfe4448c7c2c281ce895324b7

SHA512
6445eade240ea67c826fbdfb9b500269881b23335cbf3e4aa32f81acd92bfe5e8489a091141129eb2b0e88b00bf2ce70664efc5ce83abda1aca7359948bffb54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8084d81c47d564f97b2914b83fadfa99

SHA1
17c07e7800e2585b499c00b6ef61b361cdbda5e0

SHA256
bd8cb12ae5da6b182fad3ce1a9294bc6f6f813fad00e85fdc1606e3309066080

SHA512
dc0197f642488582251f4928f451bb640babd38d70756298e995dc4b9977555c02de1b8495ee58e7740918448c34794b702df4d468bd757e8f34e7164274b445

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
da28ab4eaab319d96756029ba754e431

SHA1
98013eed47b951fb59f095fbc07bc214333db514

SHA256
1f3a4338b7f55735af9f29e98565a28a3defbe93258030480a3f5be4db789476

SHA512
9f99719ac79f586869a479ee1d793fa6ae38f37be52d51429d262ebe3938d630069381a909afbfce0a08cf4ad2f01e16b35fe86e76bbe1396efc4dcae9b9edb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ade0afbb3838bb75b307b81c9a3cd128

SHA1
ef7ff478a0dc0536f543b7b93618d9d4a71a4f9e

SHA256
a20a06b4e7a872cdd5a0d968b7dc996ce729efa573496ca19d9e784cbefa3cf5

SHA512
cc9925d289dd3b2938e0d16d241c28d38b2a6fc423c37eea93190888e716ac1630d07414a47e44230e3557655264178935fc99fe14c426a15d2e0563c14dcc78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
719b3c409ebfa349b925ec5a3e27cd78

SHA1
a45e8d2e8889fc6e2a5cee9e8d5c59fb52012471

SHA256
5dfa9fd506dff1e0c9d1715a6fe14403660acbc25ae928d4d4e82c2876647e67

SHA512
85695fe56727a0a5196b73f6fc86b1593f66eb0b44633cd8302e108ef5ebf57e2fde3091ef68bf9aa147b9903671efbebde8528453842543d3bb0150fe898d94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5308dcd97d8e5fab5a9bbfd992ee01ad

SHA1
3ae332feeeb1ce13c567e16632e58a1d8705d3de

SHA256
21e8139fd4fa0a381b80d161de5fb75bf2f17a1d7523e1a8e42651f172e96e73

SHA512
fe142e21976cb30fe2f32fe62b69ffb2a0beaaad5a3078a12520be58b741e9cbaf5c2fec98046f951a8062b9de9d5d2c9219a9c594e824e4bd959262ed0d9769

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
957b08818ce447fa6561871eff5f770d

SHA1
6d103ff8d1a7db9f73e5886a10959b258260e416

SHA256
7be1b19cabd2aa2e74029313b7ae184b55a802a70d7a7e79d7b78ed445e9e15a

SHA512
226f2619ce091d224610008f11d0b535b16247d5f2db94f2d31f5eb71d246bf1f4dd74a398767ffde40486843d996fe8fb258ac6f91ce62bae7a02eccee4561a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7ec4a249aa15a1e24061950cfa506fe5

SHA1
9c5a010f9c35ef6987ea34f571c615dd5b935490

SHA256
99cf32196eeeec850112b3d015fad7849fbf631d5f335b9fdfd3ee6f5066ab1a

SHA512
a445434af44ba925502550eea37c2851d9c00ae82d8bd853687f9017c05c79c4dd9573c5c86316907d9358f2014c213df98efe58b5aa1f0365f488c38c98a4f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
2658578c8b7bb94862738e1e0cb166a5

SHA1
6a5cb9248dedfd6ced88227f3d57c70224c84610

SHA256
c404beda3889f534ca904927b146569e2e0f9b84766097731389f01b2d34dd92

SHA512
fd73cd55bca4b8a9c347cc5d5fa681d2f1005330c8e0ce1c8be7f83ef54cfc0b4412963138b1ffc90c728ab80ff18bc70f6fe16835cdc6a1a5ca783e96e07ddd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
611bd5c30290946224df854c133aaf62

SHA1
78031aa4dd62385ab96a27e228f570caaf518c14

SHA256
18683852e4f8be6096788270cb4540b1729a1e4e58b86b79b85ed7b358a70a1a

SHA512
71983512eea52fadcf6e6b0c4afcbae59b40c1faee64b199e41ae9f558e3d36e80afe69ce4920b38b34bdadf415152bb40cc113e8a73a15d8ef60f2e4b515850

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
8977475df173e35ee2e4c21ebdd7e8b8

SHA1
48a8cbf21a6f6bed1909c2157efaf997129493ee

SHA256
dc6411f96b4ffcb151db0afc43a6beba0000d43a01354552d9dc1e5e7518d42b

SHA512
0b2c47c2f77ef4cf2d0cfd34ae5035faa6118718dd4fd825fcce4ac611d605f54b0a0286245c3004ed634958665c78043af98d6977b255671f031f9e745c23fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b254981ca64823670fbb322b7b19b25d

SHA1
56f20b4e95f563a7ec2055c9f11c7b293b794cb9

SHA256
23175eab0b0ddc0aba4ad08912a7bdca3a6894ec4ad7b485c1e56a3297a2d46e

SHA512
cef083522d6f88f59f9f81858bd8d505dccc329d9ab4beeb7f8e2ffd5f3b88c19c7c6c1dd47003e84f4c6f2de1b7a9e9ab4205390ce5742de15d1c773ce0a957

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
4db099ac2e2a055061e0fc7594f9d144

SHA1
8622e7aa7a4cacacc4f445f1253dc4aec8df02ab

SHA256
fc04c7c77b6301fea6e9eeae6af14cdb39283477bbbfbc810a6e5a9ba9f6aeca

SHA512
8f62426c2d79e07ae90be53e655918020189e7585c05d2af86038e2dffcd1e35cb4c73ccc1bb67ced539ab8e3e6ae3ec1cc02e83e5fa02f768778f05775d2932

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
cf073d8d9ce54480cc3cafdf01e21d94

SHA1
cb92ae598a5417cf4958bfd7299ea2a97d26aaa9

SHA256
fb144cb85315c98c3265b32f7863f287d94ca59376f31f60abcd99ff8782a662

SHA512
b3a209fea7aecf6eb0583268531750823b4c5e75120f8bac9aef481cb22945edc718191fc39b8df33d5363fb8e39140d2e74e3152e58e6e17d26ec2c624aa508

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
1a0934ddb916cded478f7a2545bd7475

SHA1
04916e7553e14d878aa59e9c82ae5594e456b09e

SHA256
eaf894afc00781f8c8aed15832836f30bf3a43ed5ced6b14b026a45eea8845b8

SHA512
2cdd2926388d687d7d48fdb9bfca5077b4e02d01b5691d2beb16059a5f0d2e7972a6f408f6c25685a9ce71239b9f097c44ecbcaf53da69292520db861a2e10ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5b4208eee71f966aab8ea28f7e139578

SHA1
edcbd7b49c7fc7673042c16b7fb50031b13cb3f5

SHA256
afe07535eddd04dd488c7949fa1643a00f2b9a9722b3e1e5db568231538cd573

SHA512
5b00a64b912f686f894f668c0eaa2deb5d383a32e3b932add87082ffb0109dba971d3002e2195e650d99ff96cf6239ea616b44db3eb5c634b09055123b1602a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
b7372a86e2de116eec1b9a661d37a55b

SHA1
c7fd62ee8a54dd812545c3f8e2e01843859c797d

SHA256
60f2bd2bed0ef3264e9cc20d6c19012721e9abf9fa7901d9778bbc8de0b757d6

SHA512
75f005e307d7cdfe7ac83987449a2180a26341f9a5f29e571c2bb654a00f3ad8ba91c4ff57b09755de501a60ae2db390cb1323275d7f7169c48ccf908df70d1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
633cb0874baede6d4aabf8c0bdc072f9

SHA1
98fa9d9d6207f7582e2d1dff49ea2e5212cbb084

SHA256
766c762d89466129b12b0351a7aa860fae57cf33b1b9c56694456b846beddb3d

SHA512
566aeb24a2689f1542480ebda9234f7d8e6c69667a42948a581c6aa21e180c5d1cac61f20d39dc3b8bc79dfa4a37ba14bb4430ca1ad4fbf86e195ee81cb34e32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
44b29ab8cd7f5c4c989912dff39b040b

SHA1
26e150649f441449430129509abde071f874f562

SHA256
e940149fec4fb80219567a8db10a30a30e34e67ccd16a324eb3c41b10affedfc

SHA512
550b91c52f7e1ffb38cd85d4e968f5bda9fd972d3525a588c6eebf2c000077870aebe89c1171b3f321580602633f1a238b1e8bddb97fd856e024ec61f8719968

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fe09443f7430b18fe8f1be8305385c68

SHA1
a1cbbd2f6eed2782decfcea924636caa3db12cfa

SHA256
ecdd2ee05d6b8f513a31480fa1c638eb330868a71ce558fb199339088b1c0a63

SHA512
9e61c7e13688a901903032e2f64eed7c605fe51adcbc099507e9b00de1cc76d84f14dfd2574822b0c63e8306a7107c554b9af8f8a03ed22ceeb15655a1a6272e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
0caf4c26b14f569fd74c02b9aa0e0c09

SHA1
f172b8d88f1ccdd0691cef8b26893d8acdd793a9

SHA256
3382c4d2655457dc91a351045d3e1e1ef50fa8f0c959ab0bba84b8151eda0c4d

SHA512
3c3441380d9592cbd5c1d5497f3d55101ea384935f0fa566212e4320eaa51195134188e5a77d2c685fcfa3383027f316eebcd78281eec5c2705ffb3f0f1e34d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
bc55951a260300534e53ae6a1ed31315

SHA1
5532f6b761610416f6e1b96e07a1a0840f1263b2

SHA256
d87b43ac54903fd0fde6e65c9c5851501e54f472a7f87ac40bbbca0db79cd3e9

SHA512
f5f5f0b1e9abec58d786942927c9ca434536ad39014b6440bf7ea5ac0b8aab8544192f12e5fa05ac84036f1d924b1cdfde371aed28a23c15fd97d81a85d8a664

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e5cf0dbc4374031ade9561be14dbe61f

SHA1
9c7721dc1655a667d7c693b5a27ab9d6023c76dc

SHA256
a2794461de8206aeab876cb0260a371cba18fa4a8fea36f2e3091e5f59c31e5c

SHA512
4663ae65fc6deb1086b63a7a2a6901942e4ef16f56de7ebbfea02d400b26ceb60cf1fd72f8ba077ccf8cc7e6c5444d9a6bc4b9a4b2d37decbe592810644b7c05

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3ca217239457d698f448c42dae619b02

SHA1
c7f5525a63fe99140fcb58523b5887216dc30c1f

SHA256
cde63f2b4b45bdefeb6656cfbac00153f0891312c06b66a059723ab1ab0ec1b7

SHA512
c23a75edc6e76de263d2c874e1c5b74d4e51df54715715f2a2deef9c5a33184d4a6f17a86173867a4c4937a032e808439b030f3c0c3972d2078b00eba1dc1364

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
c16fc7c6a9d965f81e80502656dd6c03

SHA1
caf9cd38e16d28000aafc87c39c521035fe86a21

SHA256
48b33061a47deb1c66d641a285c48c7bef4ac6557f040b78f3a700271bbeffed

SHA512
c5cec10cb429f657fcd1011fa5034d4cbe8cb874f6d8f69ced7ecba3aac6d5afa8de155fa84a1e6f2c942105db45f9a9386d0a1d99880fe0931ffbbfa1531753

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b1af4cd42cba25209e37e8c9c1740b45

SHA1
07078eb3f464d5c8d69f0b4f6d7cadae8c257ab3

SHA256
a824324e96353455e160c99296ca7b4f027f1f10a6ed7389301174a27b31440c

SHA512
f80ff2c470ba8a0595e7e30e68265a86c0bd2a6ea921c41626b022e2a5ef3e5f618fc07894a3e8fb82ed4bfc315d0ec9e9bcb9e927ca3fb1a57522672e92c985

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
3a1562f678ca3c4b7e6b2bbc1cb13672

SHA1
0ad587dc97666bf18edea2b8bff8219a446688f2

SHA256
5ebf1c88a86dfbf67974b1ea256d1ae7956905b8f633d805ef2f90079a2d2d04

SHA512
b57c5f19106f24c5e33c85ad7a8b368ea34ec6b2ee094b088269cf03e316d0eeda1e77ab23f58adfa183f460060e54a274b3ae533528ea354adad4ef9d216380

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
6d91ad617fd23f5fa580162191846b38

SHA1
c42002784e39854f2f629af58de36278de24f4f7

SHA256
0a10e29d78722d9d6b71558bc730d8f3fdecd4e5fefcced90171c27615f20d92

SHA512
9cad86dd45a56f590392a23646f55cbcd6c95e601a3abe233cadf13ab21cd0db10a617cd8fdf01455834a039bfdcc9ba92ae61449970f4f00b9792912a29c38d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
cfdac3680241a6636fb621160b0cac49

SHA1
6c15f605a9988a0b3da8953574e75d3e988d84d2

SHA256
a997dadd5726a2f434cf95dafacd3e68f992571923f2a17b3d09b4970da57a5f

SHA512
6f251fab426a00c144d944b79801e07f06c968f58a6aea5cafe908f4383e73a0df7fc88a28464e75c8874dffb8d4e72909c3ccdcce7df50574f557facbbdecb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1aaee779d4f21bc450b34275b5491a5f

SHA1
9c9bfb7685d697cc5f1a2aca1fad92813a534a0c

SHA256
48c8236402abaf7f92892a66f72d02963d3319f0bd11f67a17148b4242934c5a

SHA512
6964a051233389571003dbf689bff688f0f4f1ad86b518eb7721d9927e25ed3fa0edde54be4a230b336e5e5624d01cb2287513bcc8194bbaf7b6a8578a84a6b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
620d13a05124d5d167efb1662ae2b81c

SHA1
f9a5e60b09e049a595cb79c942d0c1b3480e9f2a

SHA256
9f8ef111583f38c60222b22ccda3c598953c6ae1e64ea7b0cdf738cf9848a107

SHA512
3321121cc043592f1f3605f485aebf999b8c5313d04988e12fcc404b4e3cda3117b22497bf63f0f91dea77cc805fa5e86c85683e89c31c20937caeaf9d650b85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
6a6c821c7c97bd06ba66d98911fe67cb

SHA1
72241e989fb6328276d0387cee0c78a5f96bb382

SHA256
99d1d55f1df2f81afa29e462e69df11d62ad4162ff2edca5e55852b056592070

SHA512
9ff737150e4be7071a8c3ee0ed36bc9f8696d0a3bdd9f41b063d3d52ae83c6f10eb091aa5568554061464c2a2fb81f1a599b842587d4b6d5ab4d64fbac13ec1e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
fd090457493d6ff3922740b673ba0f66

SHA1
2855b233a065941894e4a36f73a317fb3715e8a5

SHA256
a3aed2ae5268874df6edb126e23a225917979d931b667ffb0206fe6786074ed7

SHA512
0b4b8e57398093cd09739a0c960c4d132d3ab8d672319bf3511948cad6a18f1fe5b874207b8981e97620acd70e7bec42401398347cee9e46fb2aedc3473afcfc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2bb7a432a044d325cb1d223f6300af5a

SHA1
3d7e2ad7707eb63773e6cbcf4dac1f0c894bfab3

SHA256
1f3659685fb1a468c25377bd1b06395ee123160bac34e3cdd69085b2b41a346a

SHA512
2a57b68b121e35184810775c5a8c7f344c62a7269cf63cba18db3dc1f3846f00ac3be30f2893a62476b226cfd1068d1f2ea023db4fc5325c635227bb6e676929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
877a905fd50ef3e035e0273fd848fa0e

SHA1
990eef3670635e3109aa04954b6b1df4eb0b79d5

SHA256
cd04c9f1db384d12301725a61934da31c4b3d9ec75a683fb3f5c184c34a29ddf

SHA512
b17fdb75fb175df4378ad5eed1490acdfc363dcc1bf171c60cb564ced38088c38cef390eed25aef6d4eb923303f91c420893dfb24b2f878aa9435dcb3e746dac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b751c19c37fd2596631f7511ce4067c3

SHA1
a8957760fe3cd86b3f69b70189ae77b84014f640

SHA256
3032b4ebbbfda310bf287fb3b7864e652557dc7251c77974a0c1eb1bda6c37e7

SHA512
ae85fa8067bc19eaf007498c5409b998a8931169e26de64a339a453a4a84499b53e3ede0e0cbdb95dea24190d64b4687332b54f2aafcf9cb70e27be6cb8194c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
bda0c34f02a553303c79413505e11a16

SHA1
3d9fffed46bb8149ce44ffc522c64dcb35a5ef3d

SHA256
c91da9e956d1a5dfd65028e85f7c010b9ee1b32b134f4641f3263e35d4d97f15

SHA512
6a332d4b14be81c396e1d87079a8561a4bd5fe323f5af9de37b0ce5b0bf5e9dab56ec218498146d680240a1443c19aaca543fa269aded1fe99c46b9e71787cf0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8fdc471ca77ce78d2fddef80cc525af3

SHA1
05b77aad0105217dffbc9037c1e6e5266accaece

SHA256
4b127dc5b589f15d7067122d5c18d53593adc4fd04165e9eff4d6ad11bbca58c

SHA512
315a407a2d43a6aebd3425ec67011a8cb43752ff787ffe74611c8a7309b747b74a9e4d26b5a257d49fdbed132c69d7daa14936c9cd349be902250f8e14402655

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
f4bacfa73a102cb8dd73f9a4a75ceb20

SHA1
14f456462aa3dc5c33deed8840b1323fe9c87f13

SHA256
da2bd8f9bd6132ef07b3b81bf124e5996c4baa898e76c291f960c6d57d1e21b1

SHA512
67033f1f39f4efb9e469d8c1f5d00e3041c6e73c49491d1b239e313a3aadb58c6ddb17c85ff511ca36d2ee6ab0d10f19b81262b5a9fd693be624c4d871be07e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
89f1733d923e41df94149af9c0d2255a

SHA1
e539093c6907d86956cc5e73eae9e334ff407964

SHA256
3807341e77005fabf2918b24e054923902493052d8dfad5c83bbde7b73e94076

SHA512
cd53cb94dab820bdb742ce81f78badcdb3b5d1b01e001890c25845053b22a8495c9d4dd69c2d2224969303c9eaacc0ee6585577eb98b11fb669b1ee6d045be85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f8cc5c16d427114e14490da8601e5547

SHA1
dafc40d2374b1f0741e749c5168d2855c1d468e7

SHA256
5cdf20f54d6e3320ad77f3525ac137f510bcf3be81a7f0aa13a4c90f514bdc82

SHA512
eee6c2e33ad3674c91b231cf64e3fae9446b9ac72d18f46290de108148a6fdebec4f85ddaad2446adb59ec988caaa26c1894615d2e5407c1ca8b9469e1d0ee6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
8e4a75729e8c443e7722b776fd55a0c6

SHA1
1e54bacb6d36b686377094b0a350223819355661

SHA256
20de89a41f5f77bffb33b21239860d96bee0c13caeac5813e7cf550ca3ccc7f9

SHA512
ef6dc114e5cec0e35cdd8a48067e1455e13dc92c33fe16027013c6e9a8b4182ef682322ea374cdc6fa475c617bc0e765610976784ec51640fe4f8437df8926ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e40c577615dfca8b51afa89bb5795e80

SHA1
ecd7592bbc2f90fd003acf9217f708d7e9e0456b

SHA256
035779fde0a529c2281ab9ad4808bcc41057d6cd70d92ca90d4819df10181493

SHA512
e84cbbc00054e225815a9f54dddd2b6c0d57d17ad2ef030055c263d380c087bb2609b876b1f2d18edaacd8d06067f1adc2c4d6cb58e65bc2906b1bff38e0f405

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
9a37951d63de35b4b4aaf9d06e624fec

SHA1
d0d28baf2950fcedf887b6324bc580d373d061d4

SHA256
75bc69564924f12bf82e5da50c637aebb916f8aae6e87cabecf0ce2991078e60

SHA512
da2ffae29018aec76881eb18140c7387536e2e38aa41354ce9d4ec31ed131beded98a056a0de8d4efd48ae9f2f9560b491ece5ca087344ac85b59f8a5be403dd

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
3.9MB

MD5
fd1f7023ec55fa6c99eef7bbe5f5af72

SHA1
81bef1871194f6c4373cb64f57f88bf01e3d6208

SHA256
9a8c2badbbfee42788e4c99185684c58df5f4eeeb856e3976a26faf3a0fa33bc

SHA512
c0acdcc1e5b133358de7a2dccf471cf34599e374a9b9a059be4ab80e1615f7fee7df422e30899105da81ed3c9f58ce348ed5365b227fa0fe521f6d97180187b0

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
3.9MB

MD5
14d0e55c3e29f47530a0490570e2a8b3

SHA1
86b4ee849fbbc9de32013a3816996ebc7d3271a8

SHA256
61bbe5df1047959861d3dce7439f237b9394b1ab121f0269fd30e1f9703bd477

SHA512
2eaadd0188551344f332c80d7aa98c102e7f35a16c168966804f2f86d6e232397222675b64bb46c2ee1f7d7862c0a710eced702a0bd485e4afa1bb257f275d7d

Download Submit
memory/1888-0-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/1888-61-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3660-62-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/3660-5-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download