3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448

Analysis

max time kernel
187s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-07-2022 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
Size

1.1MB
MD5

700d5f491c4a2a65fdfdf9ff0cffd711
SHA1

7cbd8ec5351127aad93b1e7dd3ff553c640fed02
SHA256

3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448
SHA512

db6eb14569740b70148400eaa6b36036b62e7c30e073b48bbdd0c61ca993073f3341058624ffee12f417f9764d3a7bced02c487d0e6ade4224bb702192d6bb3e

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

HelpMe.exe3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\AutoRun.exe	aspack_v212_v242
C:\$Recycle.Bin\S-1-5-21-3751123196-3323558407-1869646069-1000\desktop.ini.exe	aspack_v212_v242
C:\$Recycle.Bin\S-1-5-21-3751123196-3323558407-1869646069-1000\desktop.ini.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

4996 HelpMe.exe

pid	process
4996	HelpMe.exe

Drops startup file 3 IoCs

Processes:

3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exeHelpMe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exeHelpMe.exe

description	ioc	process
File opened (read-only)	\??\K:	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File opened (read-only)	\??\Y:	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\A:	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File opened (read-only)	\??\G:	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File opened (read-only)	\??\T:	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File opened (read-only)	\??\U:	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File opened (read-only)	\??\V:	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File opened (read-only)	\??\X:	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\F:	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File opened (read-only)	\??\R:	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\M:	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File opened (read-only)	\??\S:	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\B:	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File opened (read-only)	\??\I:	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File opened (read-only)	\??\J:	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\O:	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\H:	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File opened (read-only)	\??\N:	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File opened (read-only)	\??\P:	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File opened (read-only)	\??\Q:	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File opened (read-only)	\??\W:	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\E:	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File opened (read-only)	\??\L:	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File opened (read-only)	\??\Z:	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exeHelpMe.exe

description	ioc	process
File opened for modification	C:\AUTORUN.INF	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

Processes:

3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

Processes:

3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Lang\ta.txt.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\7-Zip\readme.txt.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\7-Zip\Lang\mn.txt.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\AssertRegister.temp.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TabTip.exe.mui.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\7-Zip\7z.exe.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Content.xml.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui.exe	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe

description	pid	process	target process
PID 1696 wrote to memory of 4996	1696	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe	HelpMe.exe
PID 1696 wrote to memory of 4996	1696	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe	HelpMe.exe
PID 1696 wrote to memory of 4996	1696	3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe
"C:\Users\Admin\AppData\Local\Temp\3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:4996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3751123196-3323558407-1869646069-1000\desktop.ini.exe
Filesize
1.1MB

MD5
fba203dab43e60587e8eee523d46f928

SHA1
31a38e863630fecd58c6fb3f4419087d9375d24c

SHA256
80226cf75a06362b06da63d4fc4e8947aaab6e03fa3acd7671b9379f6b7325c2

SHA512
866167fb29e805e12d70095d1e26d83ee124152437706401c3c2eea79cd0ecd3619dc978833bc8a3d9dbbe8f3ddd667aa5cc7b704fabe8cf4c8f912c231ddf56

Download Submit
C:\$Recycle.Bin\S-1-5-21-3751123196-3323558407-1869646069-1000\desktop.ini.exe
Filesize
1.1MB

MD5
fba203dab43e60587e8eee523d46f928

SHA1
31a38e863630fecd58c6fb3f4419087d9375d24c

SHA256
80226cf75a06362b06da63d4fc4e8947aaab6e03fa3acd7671b9379f6b7325c2

SHA512
866167fb29e805e12d70095d1e26d83ee124152437706401c3c2eea79cd0ecd3619dc978833bc8a3d9dbbe8f3ddd667aa5cc7b704fabe8cf4c8f912c231ddf56

Download Submit
C:\AUTORUN.INF
Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AUTORUN.INF
Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AutoRun.exe
Filesize
1.1MB

MD5
700d5f491c4a2a65fdfdf9ff0cffd711

SHA1
7cbd8ec5351127aad93b1e7dd3ff553c640fed02

SHA256
3c08d34d1872f701d5e497b62acb6a54feb5d67028c788e9315f0d47b898c448

SHA512
db6eb14569740b70148400eaa6b36036b62e7c30e073b48bbdd0c61ca993073f3341058624ffee12f417f9764d3a7bced02c487d0e6ade4224bb702192d6bb3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
a5b88287550ec99f9f81ed9d3c1098da

SHA1
2d166bb49c70a3dff1102242fe30865b63659c0b

SHA256
ef210bbcdc14e917887ea8a490d9044aefabc5a40188ea6638f1ba8294f8d777

SHA512
05917d8dc217969221d982cbadacf856514e64519ba5497c771428b6a9ce628b508e38179e3fe1b598bc6ed7ac916fe0fbe5c0027be2f58c9452e7c50ed67d34

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
f9e22d63acaa7392eabeed5ab35b4e74

SHA1
f776187873d465d2dfc3d93661179794d4a36a42

SHA256
371bb391b3f976dbf8334574717ccad2b587c79e1067905516bdfa6b25f040ab

SHA512
7ca13f00a9a871a587a19685a373fb290d7629087d7c95659d881d548398c047e19a48ad7cf6d292cf7a1181b0acccfea71bf4481b775156305174fb3e4c47b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
3fc304305d4e019e4a64fe09991946c9

SHA1
f01e4a5283ae6f5564793a2a3d27d6d400ec4971

SHA256
cd0061877006f674ebdff42ddc122d5601bda20589239dfcdbb3ee1254678642

SHA512
d950912ddd8b23a551b89ad3e621bba87599485b8ef11e9df15f0577ec3ba1b98fd46e54a87b2cddcd7c5bfa59ee53923751c5bd290c639ff4bd0f28825903e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
c0f06b072010e66b92bb08e4beaa8e3e

SHA1
8a67f60ad1b7e738499b4754104c6a1edf7ab399

SHA256
8f43e8fca644535cc75612ce67de49b119557084354d9ed5781f54802b55e418

SHA512
e124241d4dc9267a060af0d0ef3c07cc5bcc11ca51f7bb95c045faf1140ad00e65d5d97ce16c975f7baa4bbea127825663ba66a797e2113609ea778d17ff92cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
23ac5a5cc1ed5b5d01f7404a67cfc508

SHA1
a2af71dbfe89ced6e294e18c1c2d03c7c1977137

SHA256
5d201bdf34187da11ec3308149bdeae7e8e95a5d8bfabfdf472328e450532b90

SHA512
a7e9949a94685248ae1e01418b9efe21793bece49250db8bf81cd30b06948252f73dd5ac45847659ca57ee51b8248fe82faf9d91edba909a9bde3718d6c6c00e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
cbf685ee6fb97d326098c20705605ad6

SHA1
55495f30835782f038accdabfd71beba0529f1a3

SHA256
f22d66585a69f0e2a4b0842fcfc8b0ba45aa92cd3f906f69b3cd558fc45262bd

SHA512
ed2edf40305e78ff2a51fc642c6d85ff2c41b1270701b82feb288ae8309c0a74c0f4a4d3ef693554dfd7a8a63cb3fce3b9429bbee74ed872b1568c98cf0d5979

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
06b233bbdb769fa7e1abc3fffcd3a166

SHA1
2f7c9481a418f8dd4048401fd1d502e195cc95fa

SHA256
41e6ede7a63676b7bb2725155c64257fbc482335bd3aa8e446a78204a92a4d3f

SHA512
b50d01e68ac73dddaa38d508fffb4ec6469748b70b67788f73170c98d9a878720d5e30ace95ef4ce143e354db4f7fbaf1028c6657f3263c4ae6f5069d9d5e1a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
a07cbd76721fa33d14d695c7a3adbaaf

SHA1
5d1bcf33d1d5f83588d447ce47862373dd46af88

SHA256
702f7db9519205c5e42feb66fd84ab7dc4e5e10ba1f5a21107eb5b66f3b4b581

SHA512
209ed879bcbcf40023aa5cb87ea632c5229170ed7739fd5f988ccd52010694d5b238c6801179452c7f0d8809b4fd5f6bf6e7d560b985250d9096699434533534

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
d4e61f38fcba57da747321185715f984

SHA1
fa29d204cb37f458ac1f15a6aada95f52886d5b4

SHA256
aa3ca549fc3991a910c990e6740462b61bef3594401ea3d2ec17b5370ae57aa8

SHA512
d20b095c1ff5012b8d82a26392944363e172638590e8f112f464581d60791de9f8b974b15c56cb913e7e3001e471bbbcd659b516c392dfb154c06899cfb75cd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
010beb73f1fd7a19ac1b28a930b39da6

SHA1
6950bc096478c7982c2c478e40aa4b043005a625

SHA256
89949862456a845281923bb9a4db7e23dc08d7922e6101be865e0c3f7fd3c8b7

SHA512
3082545ef3ff3de26727636ee427a9a335d28b4d622c9aa5132a3177d669474eb21c11f334cbb737df1906bcf27e40caaf4c2f288f5744e622eb7714e76ac333

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
105abea4200f8cbadf1bd0d704a7ef0b

SHA1
777e1e1dc9a3be9b5933f91569e9c8b0577b189a

SHA256
2847dcb8403eb6e242d0cef11df66495192ac0fde52d784eb0ec2133662d298d

SHA512
40691d04f8314ec27c7f71dc742b7c442cb4d69e204a9b40908bef00095f016ff3ecdca918b4e72774bc6eff9e0e1f90f73a3c0ffde91a8bab3d72e924c566af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
9df10c6bb07a2ce7a907831cdf3b1dee

SHA1
9e179c8c7ee0534d39b0895e754a029d248dca89

SHA256
7a4e5f2e699e1aaaa2bd9090dd098bf963e45565524be92ba3856e5ce41a622a

SHA512
aa38210c625a2389f9c66cd346ad80317259c9f4fae789ac448f3137da57224952e15733f78db1cbed8a590ed3e362bb058e1ceb67131a76e791e4724259a9ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
ffa2ac300e332f4bac47d03c034855c4

SHA1
31f91843c3345f0120b5e504a7677ad2ce720f87

SHA256
c0c502bbe0d6a1230c2bb5db62e9e6b1729210335333cb3b9100c027a746ac79

SHA512
9beee0fb270431483ecccbc2c6770e4dc35a2719a53b5ed9967e38b264cb2eb1b41dbec5182cdafb67bfd1107fde7fe4ab3a8e675045fa0e8124ee6756484eb4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
4c32a447f2558ff39796bac9f0e111ce

SHA1
cfe767fa99f6cfa2a52975abe040efa071761779

SHA256
800f59f886b9e3d6c2768445de0c135719ee0e690891067f9a3841ceada415b4

SHA512
bbdf9338d7eb539b83c9889f1c1b5ebb137d5ff44f8439984ef53790ae292008270ff9e1deb064cd97958fc01639f680dba99f991a55bd53ee6014694bdd9574

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
48861305e25842bf8d12a0c6b2ce85e5

SHA1
dec33a79d66c83c235083332b265ad93f6f54a36

SHA256
c6dbff349369be3b49fb926d55e522c1b09a5ee6f370ebd7697391ed8dcd651a

SHA512
c55b05dbd0fd76b169dde2d0b3a9dc50d44466ffe6628e5e540de4a6666b011f820cc1910df2d9b18c8965bd12c788d5c1d7b5714709b33eb624c72c69fefb0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
7bd4dc6ce40d91ed3544f19f14b2267a

SHA1
d18d7a1b14d6284e0187c614aed67e389f7b9873

SHA256
bd7a93602e1f93a054c62aa16a672fbe37214f915c47028e409f45061cb37ef8

SHA512
38bff75eab692a22434703006144e6a664d5d66e2a03ceeebe3e47bdc0f9d9c139bdcd1d1f583f81550e8986ef3eaa6316c0d553061aff1fcae99d3abee84596

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
f49e0af2c67e410be34a8597d0be0c64

SHA1
cdcff7b3fd222dc59d7db22f89b8a8965cb72a31

SHA256
1145071cc68c62fd521ce1f6b9f228c63d2f1987bd7133226b7963dc0d9d612d

SHA512
ca8469f422dfa2f166df292de34e61c9242c46a749ab5bc3c302de9c0b292e72884fdd02857c71a9d64861d72ff97382163e3ed09a34f33b42565ea14c582b7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
20c8fd2a297a42cc2dc3c9143c8a31ca

SHA1
aa93af7a7401d7332ef74296424e384ace822f29

SHA256
3aa5ffc5e55f9e0e482bfcf1876bfaad8e613680c3247d70f0bbf9b151f3a0c1

SHA512
311e054f1e4a4b5a09b980efeacb05131cf4fa5fc1e0b91f1e792ab6e84a5f88f96b60c35baa3d9859606669aacdceec59074316b4d20fc2ccbb6352739acbe1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
badd8caf1146cc3dcfcbe790a4b74146

SHA1
f3562bbef0a96d797a6be98730ad9f10a031d23d

SHA256
3938d1ff0aa5725eef8b290e49078cb0b7a7c830a408e6ea9567959258e12949

SHA512
623caebab0907c36132c83b3e8a7ef12e376cca9b6660acf37271b06f54684f29f79f41a7582002baf260492a86e69ba361c75286aae586bea3bd16dfffac555

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
38c1d6f4681a4abf2e836f78bf1c95bc

SHA1
176cf909aa236350bcf8208fbd838a5232531449

SHA256
868da410438aa0cbb67f4e8e69c2a97048f0149b3b02b9072002c15943455583

SHA512
e16318009a3d17ae6d1caf5d762d402826910c0951f4442f3088301d8939e1aafc3add7aa957494f636f9b6c882446ea2ac84bc3a3937b2cd362a7518316521a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
4448ce69903050e4aaee85efe7ce6200

SHA1
9b420ffee99a572935b4fa1db68c154a87034542

SHA256
85820bb56b072a0d4ef2065794508e4bd2eb665e3a7462ae29f69dfccc5ce3a7

SHA512
a2d4e6caabb5a009c63dd67ee9f01d13fa0234835b82f70da49ad335d8fe7d8a49a29463dfa3419ffb55334814241ba3b52442875e1465cd7f2a79defc1e818a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
8b4f270a1118c7e5f9f24fd0255e9d99

SHA1
fc4e23566847344aeaa6e4452ae3938d70985fc4

SHA256
ad561e16212843e576dca4a2c6b8b6d45690a2e5ef5b8710151051a3aab65b07

SHA512
670bba0d5300e2063eb85dd4ed4b56d587f4405ffc477903bdc1e84d0f343f0421b0c1cea40bf61434bc34efaaf54cc993fd4f60bcbe5b9c2c9181d0fcef73a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
c227aecacca2d0f0c9766bebd6598813

SHA1
70d2a03da45854a5de25add05327fc52825bb5ba

SHA256
e8588e1707038814a2abf6de5dfd5825e3f648fd5c473ff1de0453603a0a1862

SHA512
3d2c164a1b89b0d20260455813a0d3190ec62520905ecdea6719faf6672e069177344c5e94a7538aaae6bc653d87537b503f212616afd92c490b128a9ac76fb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
f236ab66b2f61a84a894ddc55d3fdffc

SHA1
9ee7da6f6820965eea3c9f7bebbd71bed40a2e61

SHA256
1b62f5bf1838f346416e0778956dbb6eb83679721d6fd3c4a5a200a4c619c399

SHA512
60cac9665885b8ae7446cd71fe6770363f0bb1e44963544f9029f5361c8e8e6d773baef1136336baf47964cbe078d851d79f4541dcfdbf87069a5079a51b1565

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
f7a18d492bd636b1083b3bfc31bf71ce

SHA1
5d5217793490eb91b363b8564f33b24a7545394a

SHA256
a05b1d59b26ef0a3f26f57b9de0d084b4287bb6f5d178d90ea8d4f8f9ac1a8aa

SHA512
ee60240ae66f17ff55c8a2f95fe3b82f435a570d77ed08671f2d22f43f2def465da31262d3c05fa300217d5f1a8fb2b806d0368861b28f88055fd1930abb493c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
48ea58c26e95313de109ff615986539e

SHA1
c8597e0bcf50324f023489e9242d6f87781ee340

SHA256
705afb9c9991caebcda89429d22630051b6c34b1c025dd6401700d0c5fd9ddb2

SHA512
aa8857494b39310bceec23cd1ba35c41535b7afa0b71be311fe779d713f4b9770a8dadabfd94d17b5049bcd71ae078196d31192a414e5eafa55850d99cc1199e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
48ea58c26e95313de109ff615986539e

SHA1
c8597e0bcf50324f023489e9242d6f87781ee340

SHA256
705afb9c9991caebcda89429d22630051b6c34b1c025dd6401700d0c5fd9ddb2

SHA512
aa8857494b39310bceec23cd1ba35c41535b7afa0b71be311fe779d713f4b9770a8dadabfd94d17b5049bcd71ae078196d31192a414e5eafa55850d99cc1199e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
caa1e55821eeda9867c97eaf06f024d0

SHA1
6c2edb34f8a7d20d47f6c5b15812a96a9138782f

SHA256
c5391591ff2cee3760c2ef0d547ddd4a148810a8e36189c575f7390d17a3d41e

SHA512
dd8c5d6093c3fc87b2e7fe613cd87d754e378fbbf5b4a1346ff9149404a3bccb4cdd45e3a19e2bb972890694a3521cefbea072eed6938effa9b5baa7aced9f62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
57ae282198b8a9badb5d713442af0c56

SHA1
bb2856acfdb2627efcb047eb467d67370b1ccd04

SHA256
2b63c018b51bb074d923cf02f251f7e77a67d6e46a958348315aed174f16d673

SHA512
ebe4036159383d9608d5d15d123206e10347ec665af57169d044c8e1e78580c0614f47ef7c3079fc51e7f0ffce6fc3a24f97ff596d603b095cbefebb33fc8413

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
900090f7095e78753d91183218fd0b4e

SHA1
1a0caf13d588bb8e9426d0bb5df8fa51aa3a529c

SHA256
23d2e06c9328d818a04b4686bdd8473d7b5d00871aef0ce43f28330e6f327d00

SHA512
87c0d07729042ee38dd46ce0366ae7952ecfb78fee0a10e88250e225cd24b74f4be23392d6f0c1403745bec929658bb4d23d24443cbd9dab1b8c9b24e577bac4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
00c1c3b700b3a095aebcbd78f4c66112

SHA1
4bcf4f3e40669850bb90f7a124911e034fe298e7

SHA256
5fee58ab83a27b3d3bc99b4c3008099852f4783030a4d8a8edeb7fb6e91e529c

SHA512
f7156d0619f49f9a0e9b95fc3d53f99d6387091efe9ed83720a27067d3c7fdfecbaa4c4603d98b6638474b125219afef650d54c59429a0c5dded896b39a7a6b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
66ce4105c87ab82c7522c9e4f1ae5dd6

SHA1
a6d9c3cf606504096dc1bb51888b19980b269a60

SHA256
4a513162940ab253e75e709fb2f91b7abff5f1f457d36b16dfb07fa0d55dec83

SHA512
e6a196d68daee3fcbccf8942e000b8421fe5d63525e39850e4df4627564ce246dc063fc851c83b3c829f93369eaebb2927d16b28231f19e22dbe8986b8618338

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
466f56efbb0bb08dbe328a626694cb4b

SHA1
7f4ce2eed71cf3e4a801bb20f58cbe0c27af8504

SHA256
022fb11bc5cdd2815d1a5536e7006ee217e6a1ced85335eb20ac54e47be1118b

SHA512
b661b81e882ee45163ab7b650d7dd59f2f45700e6fc2021126dfaacfa1c480292019427894fd3367cd2c5ae38472c7c31b612289bfa43c2649df798548a6888f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
47871969b0eb778f828d5a4f5beb7ca2

SHA1
27f2010c0805682704ccae0690419f3cb57ff38e

SHA256
b930bace2c6388e59dfdbd88f4598fdfca55f6d1e8a85284165abb4f29a4d5c2

SHA512
dd72eae3ae1d837b6f37d71b23f6082b24b38b91078a4fbe500967e02226abf79b0bb2c31996cda61b56c43d3ce36065ed8eedbccb60a068a86bbf58244962d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
e5908932df94f05e0470ef8205bf617c

SHA1
c7642674638fae6252e8dd2f482551047d36f9f0

SHA256
b370e2859fcf55aa900a14c3160f096ee552395520f07b0176d7b502c85d476b

SHA512
a08b17a7ac2928c000a0cf715f84a93ad18f44afa2e39597894ff1938e7ec47315c4e7a44be1ce44107579b8dee37b6fb81df9ce62a64e800853f8f687ce62e3

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
1.1MB

MD5
3c7cacbb2de56fe3bbf18387faa3933b

SHA1
1b992dd8072fe0b7b5dfaf8068fe692573fa12f2

SHA256
2d32fcf049b5851357c4c8e99083d6a84e671a444cc1fdee07d49cad3a6f43e9

SHA512
818a51b84c61a5d6692b324537e767a773c57c91897016add4eff93b45d95b3ff014a0debcd6c85fe456eaab175f555e0461c0d975b262becdf6953dbabf792e

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
1.1MB

MD5
3c7cacbb2de56fe3bbf18387faa3933b

SHA1
1b992dd8072fe0b7b5dfaf8068fe692573fa12f2

SHA256
2d32fcf049b5851357c4c8e99083d6a84e671a444cc1fdee07d49cad3a6f43e9

SHA512
818a51b84c61a5d6692b324537e767a773c57c91897016add4eff93b45d95b3ff014a0debcd6c85fe456eaab175f555e0461c0d975b262becdf6953dbabf792e

Download Submit
memory/4996-130-0x0000000000000000-mapping.dmp

Download