3f1e50578251b3285556a1498f3c958c8470dc98387eb595243e331084d353b4

Analysis

max time kernel
31s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e12f76b8242600b220cc17e8180f56f.exe
Size

1.1MB
MD5

1e12f76b8242600b220cc17e8180f56f
SHA1

298bb10733b96d4cb3aeedf9eff63482fb61aa89
SHA256

3f1e50578251b3285556a1498f3c958c8470dc98387eb595243e331084d353b4
SHA512

2f1a17408283868aac7284c9a37403daa5fe8b022b29121b84b7bb2650d3dddccaa0b8dd04c1e63f24f4fdf5e5f7dbb81b4d041f96d258e0896769133ced7e46
SSDEEP

6144:LiMmXRH6pXfSb0ceR/VFAHh1kgcs0HW1kyApHhP+gDzvRx:5MMpXKb0hNGh1kG0HWnALbx

Score

10^/10

aspackv2 persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	1e12f76b8242600b220cc17e8180f56f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (4729) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000400000001e96f-3.dat	aspack_v212_v242
behavioral2/files/0x00060000000231e7-8.dat	aspack_v212_v242
behavioral2/files/0x0009000000023107-37.dat	aspack_v212_v242
behavioral2/files/0x000100000000002a-72.dat	aspack_v212_v242

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	1e12f76b8242600b220cc17e8180f56f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	1e12f76b8242600b220cc17e8180f56f.exe

Executes dropped EXE 1 IoCs

pid	Process
4772	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	1e12f76b8242600b220cc17e8180f56f.exe
File opened (read-only)	\??\W:	1e12f76b8242600b220cc17e8180f56f.exe
File opened (read-only)	\??\Y:	1e12f76b8242600b220cc17e8180f56f.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\K:	1e12f76b8242600b220cc17e8180f56f.exe
File opened (read-only)	\??\N:	1e12f76b8242600b220cc17e8180f56f.exe
File opened (read-only)	\??\V:	1e12f76b8242600b220cc17e8180f56f.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\G:	1e12f76b8242600b220cc17e8180f56f.exe
File opened (read-only)	\??\H:	1e12f76b8242600b220cc17e8180f56f.exe
File opened (read-only)	\??\L:	1e12f76b8242600b220cc17e8180f56f.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\E:	1e12f76b8242600b220cc17e8180f56f.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\I:	1e12f76b8242600b220cc17e8180f56f.exe
File opened (read-only)	\??\J:	1e12f76b8242600b220cc17e8180f56f.exe
File opened (read-only)	\??\O:	1e12f76b8242600b220cc17e8180f56f.exe
File opened (read-only)	\??\S:	1e12f76b8242600b220cc17e8180f56f.exe
File opened (read-only)	\??\T:	1e12f76b8242600b220cc17e8180f56f.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\A:	1e12f76b8242600b220cc17e8180f56f.exe
File opened (read-only)	\??\M:	1e12f76b8242600b220cc17e8180f56f.exe
File opened (read-only)	\??\R:	1e12f76b8242600b220cc17e8180f56f.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\Q:	1e12f76b8242600b220cc17e8180f56f.exe
File opened (read-only)	\??\U:	1e12f76b8242600b220cc17e8180f56f.exe
File opened (read-only)	\??\Z:	1e12f76b8242600b220cc17e8180f56f.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\B:	1e12f76b8242600b220cc17e8180f56f.exe
File opened (read-only)	\??\X:	1e12f76b8242600b220cc17e8180f56f.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	1e12f76b8242600b220cc17e8180f56f.exe
File opened for modification	C:\AUTORUN.INF	1e12f76b8242600b220cc17e8180f56f.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notepad.exe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.Serialization.Json.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\te.pak.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Internet Explorer\hmmapi.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Java\jre-1.8\lib\ext\access-bridge-64.jar.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ppd.xrm-ms.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-phn.xrm-ms.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Java\jre-1.8\bin\prism_d3d.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ppd.xrm-ms.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ppd.xrm-ms.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONBttnIELinkedNotes.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Formats.Tar.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationFramework.Aero.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\el.pak.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\glass.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ppd.xrm-ms.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationCore.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\PresentationFramework.resources.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Threading.Channels.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MsoAriaCApiWrapper.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ul-oob.xrm-ms.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatching.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONDIRECTX.DLL.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\msvcp120.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\ReachFramework.resources.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ppd.xrm-ms.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ppd.xrm-ms.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\msipc.dll.mui.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\clretwrc.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ppd.xrm-ms.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\ReachFramework.resources.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\UIAutomationTypes.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\sawindbg.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.png.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\rtscom.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\ReachFramework.resources.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-profile-l1-1-0.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-phn.xrm-ms.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ppd.xrm-ms.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\UIAutomationProvider.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\System.Windows.Forms.Primitives.resources.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MINSBROAMINGPROXY.DLL.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-pl.xrm-ms.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-pl.xrm-ms.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\ReachFramework.resources.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\vcruntime140.dll.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\calendars.properties.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\ecc.md.exe	1e12f76b8242600b220cc17e8180f56f.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN086.XML.exe	1e12f76b8242600b220cc17e8180f56f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4772	HelpMe.exe
4772	HelpMe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 4772	3212	1e12f76b8242600b220cc17e8180f56f.exe	89
PID 3212 wrote to memory of 4772	3212	1e12f76b8242600b220cc17e8180f56f.exe	89
PID 3212 wrote to memory of 4772	3212	1e12f76b8242600b220cc17e8180f56f.exe	89

C:\Users\Admin\AppData\Local\Temp\1e12f76b8242600b220cc17e8180f56f.exe
"C:\Users\Admin\AppData\Local\Temp\1e12f76b8242600b220cc17e8180f56f.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-768304381-2824894965-3840216961-1000\desktop.ini.exe

Filesize
1.1MB

MD5
fe4ba4a8cdfeb4a278f123f88fa8f28d

SHA1
1514c116aa1646a5d926ee58a9e92cd221e974d5

SHA256
e12d3ff7493e9d24c88adbc39e019d80233346e3385b4c191a277b06842248d7

SHA512
e3ab0682d88d2dc93cb96b9489a169c0610b29293e4a536192e059cce4f65e0a73e740a54f6e9302445400f7c51cc5080e9bcb982a219cdecb56f0be1b6decff

Download Submit
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

Filesize
92KB

MD5
a38769c5f89b4c8997b72982b5f7e8d7

SHA1
76c83824d8a9027bc8e7f45572716b353c0ed867

SHA256
a55bc98b20e6e6d0f0f9fccd535210b64b321774f708d6be52b60fb22c968249

SHA512
c6a987666ad9149fe8b34994729b301dcbc8c6f8c04a3eeb7c572f9bfa1cbd223bf335e2232d5e3dc928671ad678494d4934a261f0945e3c33e88350a3b76d37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
98a75303cd2230336b38651c8e6785eb

SHA1
4e48767afb8fbe0929d08c8133af9cc16a12f978

SHA256
dc0eb26a5eee0d9f22bd2400e13776064ff30ea63b8f4743fae351dded6380b8

SHA512
3bfcc6975314243740575f256ffdd5fac0baa341cea8d3d01fb802d576370a9b0d9d65c077249071000d2827e0640421b47224818ebf2b9b6c8dbfc410585fe5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c9de152a6cd19c9a35d617766a299d22

SHA1
d6ba52c79ddc2b24c69286ca009fcef1b6e569fd

SHA256
714bd3e0dbbfde2fbb72c41e1ea0277dba9ab7b41939d64a222fa3983bddc867

SHA512
14444068bbcbe45dfdda83e307b71d57fc04a098ac1fe3abd7774435532a0947d98b87c0292bda94f4a7590eb9f7c60ada2883890e46f23f153858efbdfbec08

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
2603db546ca07e2ca6feb997a368de8d

SHA1
b581d51abd05f00427152f37d26404304ba2c42d

SHA256
af88fdb08b8c2c58b5e0780da3c69d0bc7136a10af3607f19a283901bc085f3a

SHA512
63044c7f1024323c31a5dee2435b13095c890f065ed30a1ba0e4d2a22bf64af8586e0f51e4638ac90ac61b51e75de444d072124092d0729cc80d5d8c0e52b44e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e60ee33e5da75fe9eab2aafdb5d6a088

SHA1
b1ce14050cc4c4af0d15440ca626e8602d879bc3

SHA256
6f306b5fed62d7e67d2b40538d0645d36dbe889a71ffbf9bd29b0b52d567fcf7

SHA512
3b458152a4854288801d3977d13d35409e5b481aea5ca07368516029bd4b94f823de48a2a94c66c4879ccaf0ac477ebe292362498a3f1f08eed3d8c721586eec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
68c3a1ede888aeeb993f445a10152bac

SHA1
d06384a2e3862b543c017ae05688d204bce92c41

SHA256
d8f78cd6513e88c91f6f1ba03094690a087937490922c7f7b24d3ff2f12a392e

SHA512
5c42c628106783a78b32e24fe82cedcc018c10d663f05ef51dcfbf2676252d08070f970ce1d119bce420452740a18db6e2356b40601f87d32d43fb9613804561

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
800f8a619c3247e28557eaac74f1968c

SHA1
5ef914a6c65534f18f2561b9ed9a32f00b81a121

SHA256
a8ce0ae990a37a75a6958c50d25bace3598d80711cf2f63a00f48e679c5a6e61

SHA512
6f688e8a063a41882811281275c5eb0c1ff8a9367c9f678e5f5db8fecd7ab5bbdedbd85c502bc20e2b6f98293db516865ae56061a4c76305e288b8b108d639ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
200329504b60cb28e1d146104e41ef47

SHA1
d6de15c47de706f68909b3c5f3a03f9923cfd9fa

SHA256
8d437c7a6b67d8555b584ecada656686f1c360959c4c2ec8dc2d86f26245444d

SHA512
f0ec804a730bdbc7dc7383b8e0725d8f0f76290b000505da62266adafab8b1a00ec948371f14de3df871f4e90e208af7e1f6eb2d0be2d163883990c4bcda82f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
eee8e10b7c2262ea15d7936ec4de0c07

SHA1
39ea5aad2e4c26cb093537be77965c548f9faa37

SHA256
bc6281669624ff9fd0bdbe3bcd9d917b44225005e31b4fd5e5afda59b5f9109d

SHA512
64276ace8bea29fd791073b83fcd0ae4e0c6cbbb44f4a571d3c48ee2df333138916eabf909fa8b0c2732908e157c80e0b9c0015121dc3e1c5367dc4164c04802

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b782e69e98f6d2ea3b0a019ac5797565

SHA1
1fa63dec2c871ea8ffd64bfb37cf895a5833df84

SHA256
cbb3f45a1745753665bfa7da92653376741e702a8cd0b8480beba868fe40b2bc

SHA512
f06133e75916a3905291f2e352680b2ec209cdcb66cd6c16da82dc3ba97a0506f8917ee28bc22d20b3797db1214368f61a118ec36fe5068c778b9506f328b96e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
5a076a7f52f0cb0de559bc149dc4efe7

SHA1
e8ae65831034e27149978fa3ebb85d919739c929

SHA256
62fa0ff017f82033adcd7ed81318ed7fb0e6f1f935988e3a435334dc4df19842

SHA512
e257e1af89be032e01ce59411ce3ac77b0358e161d13b17f85a824824972ae357d1f7bb81faf8addbe1127902993b36ab29048ce83372c26f40d57e983902167

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
89802c3f4f8bc8ee0b205bed7323ef34

SHA1
e9e44515caaee60767d5bfaf682cf9bd753e4587

SHA256
a608950333f14cfcf4f14d33b0028ab8080879dabe2c5c33e8592cd44d5754cf

SHA512
62f214946d6041f950a70dfee9a0cf0eedb83648f66af06ed80ddf22ccdfe73eda20e60ec3082dd30ca8a0c24974f00088af09b10febf0ea38f3dbad5643be6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
eaa2525d77fb7934329543ba2f211856

SHA1
ec9ecfe5990ec17d850337f0fe428e91a9b6444c

SHA256
c6c7652d93dafc304eb40fb45743452233414511f9cdbac3acb7a670f8cba080

SHA512
f9d5c1f8205cef79f0012fe865990b380e43cea6b6f6066f6838da2b4c82c1e0b468071694ee58c70adc65598bd58e6393f7bf99f7da986452eac74939eefeba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3ee28076a75805fef8504b05d716ed24

SHA1
1a4d849890c6d38a52ecc8341f2a4e7c0411dced

SHA256
1b8bdcb3ea9750ac2c96c44d73bbd3023b221118b34f6e841a9c9f2566fce069

SHA512
b4ac0e2a0de1052adce02456e7583435a5615035fc9ca7227306fc64ea5eb65cc01771e163b0491a0a7e966df87a9d84adce441a220afa9321757c86ee01b087

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
126a12d1cdddb05e9c0f0f9baa67268e

SHA1
8aa81c12f76c2a33f7286f1474f861e97461f1e2

SHA256
52e9ce279f2c2943c027e67aeab08ec19b80367c335196ad58cbe4e01bbfb51e

SHA512
18c0954bccf4c18fdcbf26702fb75b302c7e6e1d6791f31241ec1378d36710b4be5e99a4987fe6747fdeb1598fd4d54eddec351322a48ebfea181c275f8c5441

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
4bda7501298343eb134bc1539159ff53

SHA1
fb81534c6f68fe2752599f72c4fae27d914dad26

SHA256
9e7267a48d29480186b255145eba1232b557a5fbc80efc6d4ef2d713eb34449f

SHA512
9c7c54c3a9f029c10ba4a1f8cdde1a530adef2f338a21a0c32ad7773232a6b1c6b496d81cb3b455fafccc6747df92693e0593a6593c387abd9e2d47219567050

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
af55fdcc823d786e9c2035b313b44a71

SHA1
37df51c5fb0401cd84621dfcbbd6cf15107775e8

SHA256
eaacbbb33e9d2b120cc49c513ca651a194cf4740eac39a36557a9ade317f86b2

SHA512
5fc65bae4b98e22e66087bb32fa8bc1dce0aab9475d459936a8c17480975722ac735f6ede34c851c11404017671894ffb89cf6fea44208daded6775b4675ddf7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
87a612c580b7724ceba8c3b8d872e2ca

SHA1
1994d12e2d17058e3ecd3e22da995aa6d8fad6a6

SHA256
e10cecfd3f0a44f4e99464b4809de5794b0c0e951b7fd5a6423745c61f90729d

SHA512
83840209cb34f0d2cb26c32a5e035061be11e09f91fd3ec1736f4907db3440040ed27841b3f1a3027d164a3477751134e66a49786b3922c33d084ca0b19cfa55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
a33730bd7122d572d5516607fe6b5b30

SHA1
a28bc63a778505c4c1e64c6904ec88c4bc001c4d

SHA256
f56af33c9cd278230e2f1a6a1be11a2cf90e60139d8a8101235d84818331a620

SHA512
c380e6e078b335ef8f45177ff908d5601c16c2f3de9bf578f654d8047d9cec1ec575c05a3f7400685d4b29799506e66a22026e3895d80fd5d3eef0e963311b31

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
1024KB

MD5
598dae7a1bcd6feb85a9882cf9f2c3c7

SHA1
7dcf40ca6327f7997ba9ed403978035d755bade0

SHA256
19e6ca6f040c965af868ae7b113ade60e7a3b9ac59d00b2067b0757ac40c45b6

SHA512
c7962dc4c748910c1318e198de803ca783d7f5aaad0303b4c02caafc0314ee77cdc0bae48592ad9960966f9cd430fa1018c3bfded743d049caf1d5d5b252ea89

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
1.1MB

MD5
1e12f76b8242600b220cc17e8180f56f

SHA1
298bb10733b96d4cb3aeedf9eff63482fb61aa89

SHA256
3f1e50578251b3285556a1498f3c958c8470dc98387eb595243e331084d353b4

SHA512
2f1a17408283868aac7284c9a37403daa5fe8b022b29121b84b7bb2650d3dddccaa0b8dd04c1e63f24f4fdf5e5f7dbb81b4d041f96d258e0896769133ced7e46

Download Submit
memory/3212-7252-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/3212-0-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/4772-8251-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4772-5-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download