0cc1d0306f59a4e5d555928c128df6bb95e1916c3ebf535f3b4aa8b4b91b0453

Analysis

max time kernel
165s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a5895dd6b1e8878086b3329020ff67a.exe
Size

290KB
MD5

1a5895dd6b1e8878086b3329020ff67a
SHA1

4bbf9fb0b24eb120f0f1ee4d3440fc43ac381416
SHA256

0cc1d0306f59a4e5d555928c128df6bb95e1916c3ebf535f3b4aa8b4b91b0453
SHA512

c4acb4ce07b90c43813258986a34dd463ef11330fd06b66a7c275d9e6fe1219a3e77874968a06b809cae1f2df449095e9fb787c29d3a2d1ed811a255c3194166
SSDEEP

6144:LiMmXRH6pXfSb0ceR/VFAHh1kgcs0HW1kyApHhP+gDzvRs:5MMpXKb0hNGh1kG0HWnALbs

Score

10^/10

aspackv2 persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	L

Renames multiple (1316) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000800000001e712-3.dat	aspack_v212_v242
behavioral2/files/0x00070000000231f6-8.dat	aspack_v212_v242
behavioral2/files/0x00070000000231fa-11.dat	aspack_v212_v242
behavioral2/files/0x0006000000023202-43.dat	aspack_v212_v242

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	L
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 2 IoCs

pid	Process
2860	HelpMe.exe
4672	L

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\L:	L
File opened (read-only)	\??\U:	L
File opened (read-only)	\??\X:	L
File opened (read-only)	\??\O:	L
File opened (read-only)	\??\Z:	L
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\J:	L
File opened (read-only)	\??\M:	L
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\I:	L
File opened (read-only)	\??\V:	L
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\B:	L
File opened (read-only)	\??\K:	L
File opened (read-only)	\??\N:	L
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\E:	L
File opened (read-only)	\??\Q:	L
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\P:	L
File opened (read-only)	\??\R:	L
File opened (read-only)	\??\S:	L
File opened (read-only)	\??\W:	L
File opened (read-only)	\??\G:	L
File opened (read-only)	\??\H:	L
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\A:	L
File opened (read-only)	\??\Y:	L
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\T:	L

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	L

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	1a5895dd6b1e8878086b3329020ff67a.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	L
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	1a5895dd6b1e8878086b3329020ff67a.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	1a5895dd6b1e8878086b3329020ff67a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\UIAutomationProvider.resources.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\DirectWriteForwarder.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tabskb.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\WindowsBase.resources.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\PresentationUI.resources.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\clrjit.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\ado\msadox28.tlb.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\System.Windows.Forms.Design.resources.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Xml.Linq.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\PresentationFramework.resources.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.ComponentModel.Primitives.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\PresentationFramework.resources.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-namedpipe-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\UIAutomationProvider.resources.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Globalization.Calendars.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\Microsoft.NETCore.App.deps.json.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\System.Xaml.resources.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Design.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\ado\msado28.tlb.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\System.Windows.Forms.resources.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\PresentationFramework.resources.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.Requests.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\System.Windows.Controls.Ribbon.resources.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Threading.Tasks.Parallel.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\PresentationFramework.resources.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\PenImc_cor3.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Windows.Forms.Primitives.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\UIAutomationTypes.resources.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\PresentationUI.resources.dll.exe	HelpMe.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\et.pak.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\7z.sfx.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Dynamic.Runtime.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\PresentationUI.resources.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\UIAutomationClientSideProviders.resources.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Diagnostics.TraceSource.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\UIAutomationClientSideProviders.resources.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\System.Xaml.resources.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\System.Xaml.resources.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pt-BR\System.Windows.Forms.Design.resources.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\System.Xaml.resources.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\System.Windows.Forms.resources.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Reflection.DispatchProxy.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\UIAutomationTypes.resources.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Data.dll.exe	HelpMe.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Text.Encoding.dll.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1276	1a5895dd6b1e8878086b3329020ff67a.exe
1276	1a5895dd6b1e8878086b3329020ff67a.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 2860	1276	1a5895dd6b1e8878086b3329020ff67a.exe	87
PID 1276 wrote to memory of 2860	1276	1a5895dd6b1e8878086b3329020ff67a.exe	87
PID 1276 wrote to memory of 2860	1276	1a5895dd6b1e8878086b3329020ff67a.exe	87
PID 1276 wrote to memory of 4672	1276	1a5895dd6b1e8878086b3329020ff67a.exe	89
PID 1276 wrote to memory of 4672	1276	1a5895dd6b1e8878086b3329020ff67a.exe	89
PID 1276 wrote to memory of 4672	1276	1a5895dd6b1e8878086b3329020ff67a.exe	89

C:\Users\Admin\AppData\Local\Temp\1a5895dd6b1e8878086b3329020ff67a.exe
"C:\Users\Admin\AppData\Local\Temp\1a5895dd6b1e8878086b3329020ff67a.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  PID:2860
- C:\Users\Admin\AppData\Local\Temp\L
  C:\Users\Admin\AppData\Local\Temp\\L
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-996941297-2279405024-2328152752-1000\desktop.ini.exe

Filesize
290KB

MD5
d2b5fb54ba2bdc4b67b7fb00a4d728fb

SHA1
1b6d26af84fd74e6fd5e1b29a5430c0707287c49

SHA256
3d38724b4bc4427bf78e54f46553bf0a42924e1a5c935d03cbf6d91ce2780c16

SHA512
9a93fc21ad624bea40bae91163b961abcf7b2c6341278e2861993380444d870db7555be416477f8a36a7a235e9f23b7695e6b0bf17852aca5d3152b72506bd08

Download Submit
C:\Users\Admin\AppData\Local\Temp\L

Filesize
290KB

MD5
1a5895dd6b1e8878086b3329020ff67a

SHA1
4bbf9fb0b24eb120f0f1ee4d3440fc43ac381416

SHA256
0cc1d0306f59a4e5d555928c128df6bb95e1916c3ebf535f3b4aa8b4b91b0453

SHA512
c4acb4ce07b90c43813258986a34dd463ef11330fd06b66a7c275d9e6fe1219a3e77874968a06b809cae1f2df449095e9fb787c29d3a2d1ed811a255c3194166

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
51bbcca72f432259b37a9de904c05635

SHA1
3bb8c547d0e27a30c13abbc662a47f6d31671b35

SHA256
40219f83ced8348fa8353c74cab9eca65a4ef33e47ba342e2149ebf8d851ae7d

SHA512
202489823d4a90780c2b4348056290182a43a8c07ac265589b219029f2fdb1548211cc0601598a84f06f3baeae673e5e4d36dff14a6db00d00e948d632efc253

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e5f0e79e3610d4b479bdab4143c6eab9

SHA1
fbb214f1599142c712ebbbe0e7d220fd344e17cb

SHA256
db8a53b51bb93ae9f13e1848534ea7ce18be7985d742c34fe32c03bf3127d2a7

SHA512
a6da12a6c6888f4a7a05239b664c6d2c6e452c2e01add135a6bd027a3e91fc643dbc60aa4e367a7245bbc088356988dc82185950ac5c6eed21daa73834bc67f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
aa669308a6ec62b54372380f2297a8cb

SHA1
89e3c36d9cd8c4406635e6f06e35eb2faab6163a

SHA256
cccb4081d6f1b4dc3e3a75aab621ac77b1e72ed5a3e8577b4e19c1f954e1d316

SHA512
2169b9ef13f1578d6fae9d4015e8e971931333965ae3ea9b5dd1ade4e02efe1cb4edb10345a9621363a60a68f827da7750510e673b2180cfb751616be6747adf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
f4849da194273b0711745962ba99d7b3

SHA1
256a800646419931bf4611b413df0163f700a6ed

SHA256
2c4927b0670a7613ec6efc81ec16569cdc354fe28723a7d6b931c2ca4f81f536

SHA512
dccfe33966cf77d72bf0f453ff060adac99051939e1fb55ff4258441c396bce4f689762205bc50b37be03655c29643660e7acd014e4e66aa0f2151473e2f081a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
cd1807b5d763e20a6c2999dc05b12ba6

SHA1
5046715bf04d0ac96445945d86c8a8e15b85a2c0

SHA256
7dca8c0e43fc97d71b61f5ae522887ddc12be08b5737f1c94a705f5340f54a39

SHA512
370a3041c01c99298ca664cee09e06fe0dc100e2469817b16855dabe140660c367acd548910a4aaf5a47d8d18511bb1b11c60511ecf25b77fc019911d760ce89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
493b706d7058bb37a52ec432cb409952

SHA1
60048506778b5b89b07b9dbca85896f74cdac0fc

SHA256
945360b352970586587ae0a704e808b10d5314af45d20a61c7a2966a91efc6c6

SHA512
ce85f24e1382be814f57e3d43d97a0a98eed8f04c0dbeb2ff1189c813643bd2a36755b0557778d373ae6c25492968e51debb9762aeee9c49e720d269ed547adb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2dc82726aab25702506796c957d6ca3a

SHA1
1df148a9df3cd7a4c31a58ed5d8d2f30d2333a25

SHA256
071ab77a2be018911a86e810162723f4e4f91645d6dc7029b4b22165209d6fde

SHA512
5695bbeef35233b2465eba05ed93d331922c72753e2ca406065fed61101c15afd6f14b937f699ba44b4d2f418e501ff3db8c15b0457a691173841bd4d69a03d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
0385d7089c87f686b7c4819204e8fe56

SHA1
57b9feca073186a99d20683ebf34cb6a817dabb4

SHA256
13c1153f2ce43ec6e47798120064bf11375c684514533774c1d17ed51630cf5b

SHA512
0da898d2b20d793941387506a87b2deaf9b4ce8b5598a8debfb588da0e88fcf4def757d0255c8a1896921280159456c1b0a202369c2fad8ce4a766a8c9ae979a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
b6965c972dede7cdfef0d7526d11f0a0

SHA1
5951553181ed59354f8763375d02105bd02398be

SHA256
b437cc915c189cbedd213b0551537798f0c7825197995ab981b61cb12b1515bd

SHA512
549517d19d35f73b3996aeb33c61704f22250c1dbb41b1204c689b96ff59c4832190710a987f91a99df02e50872d5ea34861ee8a93ec19bebcce986b1aad0752

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
325ce93baedb0d683a5794893d295008

SHA1
6303f2053292d424742c5b5a17126b45e7190f63

SHA256
5a544ff77e1c9282067074fe398dfc6594b753526c8238658cb782facfcf5343

SHA512
8b9bcdbb1886086d9345f1838729aee8f80b0f64fe61a8f1da4f9a05979d7a258ec51bc50e8e168b845908552047759d3366ee4fb1624176a4b81ea7fee94df8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
9d19f288070856b5bfb24560a16f144a

SHA1
52d6c4fd641cc43988f33d938a8168d247560253

SHA256
50671c740163b89f48ab3c5d56dfb229fb93c56dc5ca92ce012d6e71cfd039a3

SHA512
5879ff06910f537ea3998189a4dea6dec1f602393ee4fd712428e9e2aa40de091a81ac5e39b3d926451c2adc33431ebe1a3a2d85424af08f6335ff53dffcc25c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
40337aa3a5a4803dcfcf7b1dd45f4301

SHA1
36810e9e4d083542716b0bef51ff4a37a72c63e4

SHA256
472bafbadf96105689ac92670710ee3c09e91212a20e2135c991bebd4f0bbf6e

SHA512
2f9b202a73b88ac14b92f07984086ef961e5433b042697836378a244b9b04f0dafa29ad7704d378e588bae4bf901ab22f0d9b899fe67b73c7ab2a12da1adddb8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
ff539fcdee16dec428e4d158d08b06ed

SHA1
d9b87a4996a2298819752f4ceb1b0f1c8256e616

SHA256
8bede5654ce350f4b0351cad90bd2026e9beed6c24bca86434efa0b1bcc18c88

SHA512
848fef3f8d1860948a8188764190e5546b826f3de41f0567444cf12096990d3fa5363d159887e5c7aaed862b090b0ee69a232a9fe88f1deb6b3ce24eb46587fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
5365ff4da58a032a856d55482e4d080b

SHA1
0de883d6f2b60639948885e082cc4a5d857a96ad

SHA256
131474af934a3807e8719c3c460eea57da4212fbcd5af60f855266420141f5e5

SHA512
5ff0593b3e5c9625aacbe72e8d766ad9980a193cc0605561ce6e80c55b82377487ec1f3967515809d18718de52eda7d09629b9c4e4ce104d201634eb1ee60f2a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4147d9730998723706a5207604488172

SHA1
e0f38120c09b6da09de594ce165c9fd915894d98

SHA256
44d1a229849851405b59737daf938d79741526e8af7615a95a4f14f900c65d93

SHA512
64495709378808aade018c477a14951d2e7458c325b2cd7d91381033ba9531773c72b0482801c08c9cc8f410aae0eb071af367e7f76c9a2abc7aab1e2484e641

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
1ce41086310825376160d4bd4fc08dbb

SHA1
5afc4f83b88481fd3edd9bad15365766f5e00086

SHA256
5aca7d1b6c25de7b9d7d80a08b335d04d29b73a09438d9b394c0c10a97c386d8

SHA512
d0ef2c86919ecaf5a40263ed6bdd485830f76b9d17c6de5647f68a1316234ecda39bfd7acf398428a4e3bbd6e6a18c5023a9ac2b9b3d3276a7b3be1625173f3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f7854814ed2e05d049bc428a33410ac4

SHA1
642ef0b30cbd8d9ade4bb5c61d39da189a751f89

SHA256
fc137c8aa88618b6aa7750a4488a66734e08139628a94086f0c68a89cf0edd51

SHA512
d2f4e365de164406bcc027410d2f9e019d5cde017061bf25574c11a62718f17793e4a5a2634c2490f4bed775d5415df9101bcf0d41b487b144aead6d11da7b5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
ed09f179098164adf5311a5f0fd968de

SHA1
a45807e569ed0eefc9901325c0126b399251a157

SHA256
8d4f76b355e8f1db0dccf7095bd9456ca85af15b31c5769dc524aaf7f7809b82

SHA512
6223e6f713223ffb76373ce5339185cef3de3bba819015a591d8e5172712da1f3c785b6340d6a401af13b9459d03fd90b928202bc5ae7ddc945513a2015c7ff6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7eea2d1a50d5532d94f673ce97b4de8f

SHA1
001d60161e52cfe6e73077cc14b26fe0e42bf241

SHA256
7335c726298ff5f791cec46629be72a264730e2c71dab0c9e044134c1c3ecb91

SHA512
247e807fa24566e993d2bdd3c761bc5b7a8886198e52a2ec48ff50cf627c10012272c113dc6b2d2cad3735feeca9b4ebb478a976ff21651dcd378c905fa546ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
20f190903a376dbe43c85db7e3ae00ab

SHA1
1c5f6bbab353e19e1f7583883119b8ac4d299761

SHA256
db4a8a4ed84e74e537de0665b33ead490c3af7caf67553e78f06bc14a8aa3d67

SHA512
fcdd7f071cce99687a7e415ae4abb9e74c64e1ac597c088e3646c92fae6ecfb84c0e750d5f192d842fa14ffea13910a5b9d1860678830753d76be8955b78631e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
49ba53df059c036f51f2eb1a94cd9a1f

SHA1
b3ee3ccc2d5a8de6788b8da0193d4fe2df4487a2

SHA256
0dc1406790c8485385d7edeb2706450ffcee860b5f9e99f422f6da7e901d2d33

SHA512
fa251e42c417b779cf2835bf9c6e6d1d4d90a9dbf2b2512f963b001bf6b8f12a5bc8f9905097268bddfdb1230f3c99750021ea59757e985cd567acc25b3a6cfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
45f1f72bb5b54da01577512cacedc355

SHA1
f335d597c2e73ac101fe872069e9bb464409f259

SHA256
eecc7cf950e960afbd3f5f0bbbad5dd2281cdc8dc4ddb262889358925251b9d3

SHA512
013ec732fc2a0fe8d371ea6eeac1c9da279ba6b6053c0df297d167a6fb725bed13c02173ff6372db5db442164d62a027a7cfacb4dd9437771a33bfc1e19ccbcd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
6995334fcf2a637669fd8f9eddee4008

SHA1
e6e3221b6b8c016e45aca78ec03d04124e78eee8

SHA256
08e3be9afc2b2beb23f25aec40f402f9fe7aecbf4de127b2089a4342f2980d88

SHA512
d29a7c4e4b6554ed09f2fba113a336d566b2c0e01f4b067679cc8c8ce83496321c8f687985c4c3fba982a33272bfd8add3f39e5e81c2ef69531be5e349be915a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1b66d76a4d80caebedfabf4b090c5bb4

SHA1
e6a28addd5551eed877d1b30f86e8c9c54c1fcbb

SHA256
4b8a0d6d733e79fcaca89c27f645d87b6e9be8f3091815f6426c9b7604e7abee

SHA512
bed8008bf101f2796f2d6c985f048e585b3ffe6f2ac3e09e8601635f9574653f3161154fc68d9e29a3cffdca51406ab729b6e8acf5982ff514412d20f92fb400

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
4b8badf4a7b9c91fa747f144d338833e

SHA1
32c2da5a8d2a6bb55840d3b1af970d655999b8a7

SHA256
e17bb54249c531bed1f32ccccbe58da7b7961672570324ee2685d24e2cbae7d9

SHA512
250c7897d069f814941059f78744234008d8164bb47d23d9b6d12a7cada6f68e9064d383201ac6112c02b4afe261591dccd77f6b717f1a19e06679b002199288

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8d01ea6f508ca1f952d8c6131cf28936

SHA1
f1e63eaa0f7380590100e7ec221c1d13f9261dbe

SHA256
f127e103742c8ba4a32532c2b29a2157b9949e411e915750cd02087aec3d4997

SHA512
1e7b28da2de04c545d121ea3a16b10a5aafa91feeece243f20e1950e8b71b1610385a4c9403b2ff2f7e3dd3c3cfcf8b6245b9f109dff4d1f9796e01ee3439edd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
7a9cbe97a6f8201d576bd0824c116ada

SHA1
990a08e6844e2aae68f0e27632ba18ea1ada5f8a

SHA256
5ce362b768730f2686f0348432e10441089faef09071e60f682582f529af85eb

SHA512
0e2fe04619c598c3d021ab6b3c4dde50c209fcf248bcced14a684b4aad3b9ba3cb721b4e608c6a4824f6f476a0d8254f0b4f0815f79cccf355d315e79bf8f58d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4f6b02b6ab1fc31db61db1b3d21353f9

SHA1
7affba8625955847223c20bb8ae26c769d27f9e9

SHA256
d594dde48bf664a3ba2f2e105d12de743246ea9960fccb789cbb5d51bf9b09c3

SHA512
927c3361f76034f110e74043b137d2124662895f48e7930be9d51bd9595635bb4799fc25f63d5123f2b5431e4892a3057e283821c371ec9ee1cb9a84e3ac6873

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
219f07f55ae37fe9e3a0c697209fdd2c

SHA1
ef20cd823591f8ade6f0e2b9324b24eaa673c158

SHA256
f9e1c3cc3c73a0eb1eb4f38186e5e559b1c8fcfa60fd8f03e4d71a92b0aecf75

SHA512
c0c4d34ebe2cd812936bcc1bf454c2629c41dd198bfd52bb9ad4a879a2d1a03ef42629636eed01b246966046f2d2ba758beeb5fd5c61c86ee4cbb8f156113959

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
29e973b148c21759e7084029d3301ad4

SHA1
d661696705e8f0683886de1b8bd2dc828646ae72

SHA256
0d21d25fcbccb653bcb4387642a8671314eb46f870fc3e027dd11984006def50

SHA512
83b5e87b118f093f0aecbca993395dbd84cf6fe2790ffd9754ca0bc1938aa200b3ab7d62ce50c98d915548c4dcc9b9fc2c42b4b7cf86ea2d9b9b8f21cd511d35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e7f1db1171b6b320938329f8e18e3598

SHA1
177175705a8ffc8ad956a3561c22441d69fe5e3b

SHA256
fb7f5ecd6e18c17bb8e94424614a29f4f3f48cb9a8cada2e96d478712aca1e64

SHA512
84e86a920a77b10b2497caf0b202e7735178f5732e035fdc13cbb2270766f2f7812233cdc70ce3a7e0cd9f0ead133308a13f0e494af35912b24c01404f62af04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
432590b0e3e6d3bc1a338edadb2a4d79

SHA1
ecc2e8d17ddb4cb9bccab2caf3601d5918384a95

SHA256
5a2518f43ac5e6bed6d27770aee77f22de7bfe5288faf51bd794efb01a17f48f

SHA512
7af443c08ede3f434b3617fb43f83e250b2b31da72e8850c2729354b02b8e0b2a3f2b7113b93009f0b745d9ceea4c632eee0383022074dcf1ecd73f4407aadb3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fe586401bc33b9ad9b9eea032b9551b0

SHA1
5cc0fd6516ffbd9484fa2d479b6d6a81803fa310

SHA256
491d3587cae0d17e721e858228fbb28407a1c5180eee155f53eea997dc438e8c

SHA512
a53eed9512f43250a6e9bb304bc3dc854daa139d07bf18909e563e7da3d94477bb3ba2ec2644cd08abe3a046793b26e07561949b465764bb42789489add928f4

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
289KB

MD5
1f99314f4214528de0fbe0f0fe5243f5

SHA1
75db58a0191c27420a0c4c73fcf50f8b09f2a7e3

SHA256
57597a90ff9e45f83b7b68307ce55e3c2de3207936abe732da60448bfb5290c7

SHA512
5aad4a3d9174ef622bfd8732b8248cd7b1c9b61949619f6b5936d4a141594aff135ad97052b1aeff3782238cfbb774d827792d748404758b18d5a08fbe1ed248

Download Submit
C:\Windows\SysWOW64\notepad.exe.exe

Filesize
452KB

MD5
1f3b50295814b2ff4ae885a47af2ac3c

SHA1
a33127c2bb8f388abf9b7ccef57fe104936dee78

SHA256
355b6534418fd7e7f1bad5eaffee2986a00810fd9a53c636ad8371ba5916d5f8

SHA512
7cc775d6e7f1efda6d493b570562bd01f336742e636c7b22e9bc6c33589aebc5c79fc52d27587c760a3bf2b1ad039ef41fb66f94f3796f8e813d8231b7680ae9

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
memory/1276-0-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2860-1781-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2860-5-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4672-10-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download