3b8f28f78fe59d7ab9ea73bc0056629a28a0f21535e689c50751b27711fe618e

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

367d27553554eb281083371e301e3838.exe
Size

2.8MB
MD5

367d27553554eb281083371e301e3838
SHA1

0f71d45c999d0eec8e0be31928976c62df249684
SHA256

3b8f28f78fe59d7ab9ea73bc0056629a28a0f21535e689c50751b27711fe618e
SHA512

676846d625e28c83caa2a5f36a64f5e1a37cc63442bb2c4ce6c5214ca9b04e6981de562d001318897539675501ea3dc7674043e6a74a5c98fcaa1a2be71c9e57
SSDEEP

24576:xEtl9mRda1LKB8NIyXbacAfUSunEp+XRGEUvkXw6zezNFtcyyeIHyeE7iixWHm1G:iEs1mB8NIMI8Sfpwotkzaxcp+2NHm1G

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	367d27553554eb281083371e301e3838.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (649) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	367d27553554eb281083371e301e3838.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	367d27553554eb281083371e301e3838.exe

Executes dropped EXE 1 IoCs

pid	Process
892	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	367d27553554eb281083371e301e3838.exe
File opened (read-only)	\??\Y:	367d27553554eb281083371e301e3838.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\B:	367d27553554eb281083371e301e3838.exe
File opened (read-only)	\??\H:	367d27553554eb281083371e301e3838.exe
File opened (read-only)	\??\I:	367d27553554eb281083371e301e3838.exe
File opened (read-only)	\??\L:	367d27553554eb281083371e301e3838.exe
File opened (read-only)	\??\P:	367d27553554eb281083371e301e3838.exe
File opened (read-only)	\??\R:	367d27553554eb281083371e301e3838.exe
File opened (read-only)	\??\S:	367d27553554eb281083371e301e3838.exe
File opened (read-only)	\??\U:	367d27553554eb281083371e301e3838.exe
File opened (read-only)	\??\G:	367d27553554eb281083371e301e3838.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\O:	367d27553554eb281083371e301e3838.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\E:	367d27553554eb281083371e301e3838.exe
File opened (read-only)	\??\V:	367d27553554eb281083371e301e3838.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\K:	367d27553554eb281083371e301e3838.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\W:	367d27553554eb281083371e301e3838.exe
File opened (read-only)	\??\J:	367d27553554eb281083371e301e3838.exe
File opened (read-only)	\??\Q:	367d27553554eb281083371e301e3838.exe
File opened (read-only)	\??\X:	367d27553554eb281083371e301e3838.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\A:	367d27553554eb281083371e301e3838.exe
File opened (read-only)	\??\N:	367d27553554eb281083371e301e3838.exe
File opened (read-only)	\??\Z:	367d27553554eb281083371e301e3838.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\M:	367d27553554eb281083371e301e3838.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	367d27553554eb281083371e301e3838.exe
File opened for modification	C:\AUTORUN.INF	367d27553554eb281083371e301e3838.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notepad.exe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-profile-l1-1-0.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Memory.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msaddsr.dll.mui.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.AppContext.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Linq.Parallel.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Threading.Thread.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.WebClient.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Security.Claims.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.WebSockets.Client.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\msinfo32.exe.mui.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprsr.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\mscordaccore_amd64_amd64_6.0.2523.51912.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Diagnostics.Contracts.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Buffers.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.ComponentModel.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\7-Zip\7zG.exe.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Linq.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Diagnostics.DiagnosticSource.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Resources.Writer.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Drawing.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\Microsoft.VisualBasic.Core.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\mscorlib.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Content.xml.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Globalization.Calendars.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Reflection.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-handle-l1-1-0.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-synch-l1-2-0.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Reflection.Extensions.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.Requests.dll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.exe	367d27553554eb281083371e301e3838.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.exe	367d27553554eb281083371e301e3838.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
892	HelpMe.exe
892	HelpMe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 892	4968	367d27553554eb281083371e301e3838.exe	89
PID 4968 wrote to memory of 892	4968	367d27553554eb281083371e301e3838.exe	89
PID 4968 wrote to memory of 892	4968	367d27553554eb281083371e301e3838.exe	89

C:\Users\Admin\AppData\Local\Temp\367d27553554eb281083371e301e3838.exe
"C:\Users\Admin\AppData\Local\Temp\367d27553554eb281083371e301e3838.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-983843758-932321429-1636175382-1000\desktop.ini.exe

Filesize
2.1MB

MD5
636fdef841219136bcdd5beaaf89697d

SHA1
1266e4b58c38945c7cb4446514370cde2a0ed8c7

SHA256
e846f5b6731f6a8775af360381e6d771dd5d3111568d2b68253838bd046d5398

SHA512
13945bc7287cbc17551888a3335b08cf17c064886689707eda924a7f03cc1cb5213b0c19d50539d1f606b0aca6a6c42614fef5b76f53efa24d192c541b54b885

Download Submit
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

Filesize
3.4MB

MD5
d548d23eb96e7883cc9d7c0d6f65254e

SHA1
aef7399e617a73994736536618d7456808c20598

SHA256
ab733a0bd3f37c2affc62195d75714a93cab6fa7103b187fda68bc9552980667

SHA512
3a114840d0d47a2adaf07c9fc9a8385679f5bac0f572ae1ced38169cebe49e14254bc39d4110cea68538bf34498c1421104b6a63fbfcf6f92bdbae6e00e105d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
88529a37693081ac20f028b8f9a0a707

SHA1
6e6cb0f90ec310ac14614aac4961b142fe478ee2

SHA256
1b11a66cbb00edcdcb6c91d690d5af35772e832b7cbc2382141a4cd4b719fa10

SHA512
679edeff1590e9e97727e491186b783bd600771e2e9c2e309801514aa82d0f608111918c6860815135a8af974df1951bb0cda41937872f8c773975d74323d2cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
4fb30933f4bdebdcc11cd251b729f2e4

SHA1
922a3ffd53919e36dacab64e95569b7c8f9058e6

SHA256
fb75d1aac306509d7f19e6e4604300f681a91891d15028e8d99ded2f9cd4d667

SHA512
c86c4a641c7b3c4bde7aa5ce4a2fece58aa020d29cd41591a286f797f2bc4b30a2b24a11a6fde7677342e888a6cb5e9cf8a65c7783c990f9e383e47a05cbccef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7317bd0670ca4b4d00f72078cd27f70b

SHA1
f03a5621af94cb1d6f0da718dec155e4341d18b4

SHA256
fc3cfc83a27eda5ef2dd9eb5f1048b9e51659313ff73e7936c5e7adb5760a968

SHA512
cf61513935f34642a0e3cd18cfa294cc829069d7abba04a117ec158ec04c1a327726f6e1cb714ac75fda82ca159246749fdbc390aff3df25837a2cc5c5e4b6f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
7b8a2a9bc95ad594294ab48b89787d53

SHA1
67f27ca35f6234c303be4af66864a00cbb86a5ee

SHA256
64718147c52683e869bef213ad256ea7b0e8cf64fbd01e1378268de7b516c53d

SHA512
2fc0c5fd5655562c90025128b92b5df465b121dd927d0791af5ed6e8f04e4ed056e94c9023439f55913e9efa5cbeaddaf8f273c12e6494c68b9fb3867727f8dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5c05a0b2cca69241a7607c217b09bbcd

SHA1
70c23a84ed56fc86314c189e6aca33100a9e8091

SHA256
aa3ea204affcfa46a0962cc9ef3665962756111a00463c309572583fc1f160d9

SHA512
2b1d9e99e782aa4c3b5494b80ed0d1193d7f7bc13c8717b0c8e0054102a85d1d80fc36e2a2464cbb81253eb40d9392e41bfd7021154de50df640cba3a7d5bc4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
fd6d70a7718bf34470f247264867d341

SHA1
040a6ef471948c92377d44f07e1dd33838b8b82d

SHA256
de67ec599e75dad2858bab8a652659c9536c2dbda299ca7735213ddfc0a6130f

SHA512
e4c1c6b62215d7de0a849077641a18dce517033130ebe6b1f0bab493186cf56bb7ac58969d20e1491bfaca683fbf0657d660bd7eeded463cb287ff23ced85606

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
91659d26af4a5a8ffc0cf607844574e2

SHA1
922745df309ee009ff033d7f412b95479bc10223

SHA256
9733266b945065cc08a3d9ae0eca6269ee3a63a0e1ec29b874eeda20f8db6db1

SHA512
3fe8493758c9dd1fa0b25ebf56e4f8c36393bb800e790c04e1b1388639158fec42f1f644b46733ae46f7dc92badebfebfce6913bab764f5c2144207c012f7873

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
f8e41707540505842f5f7d2250a17228

SHA1
f7aaa883d1c156e684d19172de25c197ff0ffc16

SHA256
0126e04413a481a89a32b1fb00d8dbfdb73ad20f519454334944e2e34eeb178d

SHA512
b7adb43b6e52ccb0ec1d632b1b90584b25449dd48b5c2af7829be76bd62492ad5973306b155cd70209138ffb6eeafcec3095379a26810179281467dd921d896c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
075da19b0d83a7ebb45eb2c939e3c539

SHA1
9c08f3d621073668e0981ddb7078ddc9a8deeb86

SHA256
90998265a4d202276373837e16076e17f76ff9ee8d78299966444b031f1c9f0b

SHA512
8f0b90ed9231f8c05dd77f66ed195f4970bf76871fa782c2a0275e7b666683c05af33c71b0c3a13636ac3fd0fc5d1c2f986c1fe5e7f42281abdbc8feef44b190

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
76f1931ab02f5e6c3e4022893e1f19bf

SHA1
bc97a5b6b8a59169cf92f1017fbf7c067c89989a

SHA256
d24f8c2defd4dad4ff5d0a13225bb41d660c9c9fab09d76c1de3e9ba93bb7d73

SHA512
c7fb30a01b8a7a25c6796085196888586d6419eb64ae74b70954520b358f140ce962e0831a0bcee17c32ec14282986e4638ec3f622e19099133c2c9ff0703519

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
751ae30f75a8cbc79696b7667898eb1c

SHA1
e7f8218f633ccddf4f567db4c33c58936b347e14

SHA256
30fdf1602dbebd2a4569bec5ab9bd22676641c88a957b467eb3ba0a2e62cd198

SHA512
ec853dc02fbc3fc5ead6f581621d284e418d4fae26958fb807f8a17316427199040aa6dfa1fa3f488dfcaceb8e185e46cc0f3115ec82df3d4ee9a67876c773f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5252b543a2bc26e42583f24043afb3bd

SHA1
156ada451825ada3c4d07ec3b5e8a432642d77bf

SHA256
cc2fc2171e063ed6d5a6fe7b9cd1eeb6f7ca912a196881b3ac327d184ecd235b

SHA512
6be0cb80e7d136632075b4c03b6411f3407e71a663641e1b8a4d1a747749a98321e27326585539ff62d5e65e29b302988c1097436d9de317f52be11dda27bd14

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
c3887a7192d23499f429a14a5b9bec49

SHA1
8cd36953e108361f014370755a8eb6f09329fafd

SHA256
e88891ea750d07365941a7a3171c43e5ac12119898d0bb880992bb565159ddab

SHA512
5fe63dde72cbffab63f089e90d9914e2b125b89a586ba4505e7e5db615bc2cb1400bfbfa73a27f18b55ddf73cacddb748209695d8e626afa6f82110e67ad3176

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d35c2907a27b2bdc67535e8f0547c8ee

SHA1
bc6333447c7df7f82f16bd8b36b5645719bdf125

SHA256
c1ebb7e944bae86881a1412670996756293e3179c5a6de1f6e1dedc26292fa96

SHA512
35cb050565aeaa37157cd6bd2643321eba7c7186b1a8428495d9127c6e0277ea4de8ddafe42b1412dab3fb36f3dd668a7bdf23aa0408ff9e5935e8dabfea5e7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
ef819ecf01fa6ff754af0932b380f684

SHA1
7546b01637ed24aeb8558b10c2c757313a9a5c02

SHA256
2e85ea7deafa8e413f3612822b56462ea1a534c925bbe6f6bed0b561db902b1e

SHA512
ae2ba72ce49e8651612cf0233fa42ec40d8d9d29b288679ba04f7fac11cc949d2a5b34bf27acbe062ea04b40396a6c0f3fe6adb0b7607a973444d688ac27c5f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
010c230a2138a250c4f42630d2a62758

SHA1
6e171c4998dd137af5c86013b127cfcb14bc4c51

SHA256
56937a6fdd9a6944b98b2a5537d39cf93a9dc2823caaf9023e49a3e0c3426515

SHA512
8a13f85dcdafada78220ae53755586c01bd24ebe1987e28d7cd1f947093cdc7a438ab3dd211c2c7c4f12f7c0a0c376a6c26c66098e9b322482b1d782d9566d34

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
1ef0051f337b2fd8c51bdc49f764f00f

SHA1
07374669c066a1e6466e60ae749a50d8a73a6a4d

SHA256
09cc8a72cdd98fa5ae6ecfdacd2b0f0bb94f700052f16edd70838fffd4632ec4

SHA512
d8b8d603caabb85bf0a20a0705adec2450b2e84ab9b53ab7909ec1e18c30cde5c201ff2de2d95ca8877c4f10f8bf0d012af103f5a57b795adbf50cd0107817fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e377a67af1ebeef2616b99b7a2d94208

SHA1
0320d41c417d7f456c70c335768c89b4cef534a1

SHA256
a2171ee597f338d6a9533d399b8524c0c7d12f0eebc6d1650f42627dfe705055

SHA512
53978457ff55d5d1beb3cc02cf7cf7ed71452a676274a37e8b185850a2464cf3fae6bed9625685a2566930bc4ac34f09cb9727474ebfc1bc091683bf2b1db2a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
43e8e42424cc126d88a78dc6245e1df6

SHA1
b65a7b60eb224d61e9e15c48423f87668bb8b1d8

SHA256
831f6bacc0e9ea273059edc39b93f0ced508db9f8d782c6d2b1a59ac366fbef6

SHA512
1e933e6ad68801bbfdd1d1392253069b5bfa788f4860eddf45f82eb01b70b38b76ac16e46551121f914ff266194557e55e700ac6421a96285b1a73bdac15c947

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
ea06fb50e77cdb67744c75f95bc06191

SHA1
01352d5e765baf8905e5e83ebd3c976d3162638c

SHA256
d7b0a0c2ba8f0748054bbadf24c5b39fcb899c98c8b654590f6b1c0cf4bef774

SHA512
06200c3b9a95e8081c7abc31bb50eaa507a4a705359c7d5593bdc86e8f487a2ebc42c1e9f9703989d3e2d208535e9a9b75cbd9534d002729afb1b7a1ad3d7bed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
081047b9c5135a2c5535e5fa2ce2b6ac

SHA1
8965459aba1c65f27057e3295cb51df23b8c40a3

SHA256
cc3e57f00de079f7105529f67e84de90b1b4ffa9d6b55a5662d4245894bd4266

SHA512
01306c6fae4fe95d9f75bf390e09458b491bb9f55fba24711427092f5b6ddc8d27b7eec7409c9dd4c6d1549b2e6dc9d460604330d279945c6f5241c293e15f63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
ec3032ba15204dff39ecc8b4695b395f

SHA1
500550f9139305701eee7cd8a6b0877da7ad228b

SHA256
cca36baa96c32b40721b369b8d230419ba57ab0bc52a4d6d6028b3ace67c7baa

SHA512
deced584075044176d021c666b9af796c6c43fc242be464217f054103748146c909b84fd7c06b2a35f24d401ed6119b2d4853ab68d37a984960eea552e449f34

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
de36f42a46c1bd65761a71d66e7bab50

SHA1
f0ec9efd36a8b378376039783447dce9c56987e3

SHA256
0e707aabc8e611bfde802783ddac0eabbe7d48c2e3cd323c1e8a7cb362ab4762

SHA512
fa02052fb036932fb9c1da31bea48e4801c638e91eb38121cbce874fbeb054b463539a5ee84528e495d5375f8b95e4ceb4495161f7d29f31fa5ebc6ff714b9a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
08e9581f162d7bb90e054a64e099e76b

SHA1
e405869c9db915f8a0557a5e6c1d22f9e8e2b990

SHA256
c6f1bdfcaefd79d006a1d098e0ca4b9699705175ec9a9e65ab203ec950597d07

SHA512
26554574676494c85dfd3d4906eda090592c6162353f18665dc7b16e74b7ea03a31dec7d5057de1559cdc29033e32dff121ad38cb532afc401ea3e95fa4562fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d5cb24873f78f4bd68066259084a149d

SHA1
d148f4d4ec46d2eb973cc0f8514c6c06cc6389de

SHA256
74e4269cbfd6374b03af4cecd53ee721db1f97139b54c063b728807b47fb0d8a

SHA512
b67cf44af38d85150dc39e1fb8344dcc9057190659923f2939688c61a490e9baa654e302ca6f2ef7e3ac616e160845e47da328a2dce0952128a9eb3f88f071c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
367fe7edae6cf9e3598ca1751759784b

SHA1
611cf2cf1dfbc92593f3e3e6fdbe5c4bfcb71a8e

SHA256
b4a62ca5b79afab32f3349aaf456375352bf7ebf5764c874325818e1641bbb75

SHA512
58ec424507cd32d41e58da9545a0748d93f55a7c5e1df7206ffeb4c27795598659992d235ad9a740112c5c22001a3a2c0f16336b64dafeaf15e03ac1089243f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3d3795de5d09e972eaa4167962975cde

SHA1
ce141c43dc940b5fe1bb3c21b37033b8009c9999

SHA256
1b3eabc2a7c7cb36ca0b7eec6a7f1739440ddc41e3ee35a67c2f77cf1504f98e

SHA512
f1f5ee909a908191bbceb9035f3f78ae1e651f22e2193aac3cd244a6422a041a45fa6f531ce21c83552c79be6b70d0e1a05b4b5b8052bb5c757f8d53aa9774e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
6a7314851001b84f7615232ba99914a8

SHA1
ca37d0a2ad1f7975ee2b7bb9873a54beaefba385

SHA256
6eebc272389c4f2593120023795dcf45ed0cd44c11671921fee0cc3a1a5ed79c

SHA512
8a5cf812ab88b3df8150fcf7966f04d2648e9e1784916d97fb878fa962ee7a2ee572d85177c9f6309b1275a5a9cc2a87d1dc28cf684cb9ccd4e2079cd156e62e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
34e992d5bd69d37f705e1ae62f357ae2

SHA1
9cae318fd90d048f95c9cdb2a491531214f6a1b3

SHA256
312d61aad9d55988eac4ac5cd636d553813537336fa95304055ea3b954ba19e7

SHA512
517c6c4020c51b9e9ef8a21fa5fae265a74eca5923001eba3c7f75e073d0b2563ed822070d3a2453dda52e6a04f1f317e42bcb05843dff79fbc346b3104b6917

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
fb82a488fa42fdd10cf1da4a19345afd

SHA1
4a7e0bec0f4b5c2996d1a44e5834ba7f6b76265d

SHA256
a723f9ae95d3ae26adf83e75a3ec07fcd156e6cd4c9a021583851f9d2d8adfa8

SHA512
9b18791d10cde6f98885f8542fdd6aee9193fd9b90b43994c3029232f1aaaaccd96250f0686179f046016988d5036eb5faacfe4950d83490055b235934cb9afa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
23f1af4c5d983d84c612b48dc6c362ad

SHA1
f1f99e2981d8b14f1909807a3902a7eba7de360d

SHA256
fec24fdecf84e8b53e57c2cdbc7a3e6e64865213a0a0b446e17fead8400184b8

SHA512
fac7b335d0cd3c5859eb188f7a1e99a3e8eeb7470b5d00f3a9914e4d5dbdac1f6970c2e0095597bd5e3bc660a972f9fccb0a88054a26c3d77484320d60a40272

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1590972388552cc59cfd15a9aa42297a

SHA1
98dfdfb8502a451a295791563d0f11278cbda899

SHA256
2837dd93c76b14ba029c151390f8d9f550fa68dc0043720391551cefc7307d8d

SHA512
1cf0bad7f4a7655d3f287400bc34ea0bbe4a801462c8611777fd1d8f64908fde14a27330df3f8eb014248174363f8bcd51e2f23048c9a342d623a3917bc333e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
71f0a78a419b3a21b5d5643594705ebf

SHA1
9d684a976543e1fbd3bb5b6825393aedd5b23191

SHA256
633d85e246318d3f5538128dfb14dd33886d5c87511b159cade931245a58aacf

SHA512
99f3eb51c3909d83b678046a1647dc43f2c8a4f46585046ad0bb727a292b19b8603b628e51064186c9d168e687abfc89ec8425e05684274d47c2d0779c5c5a30

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c0b9a3c6061e118f7d7ff181944feef6

SHA1
4f3c4c368ecea7f0dbc5e969e344973672640730

SHA256
3614402b4509c17ca64954a0eab24751a8545e8538505334d4cad12fa39c7025

SHA512
d2b2d82a6a0784c7864377af6ab3a62087242632a289f5a382afd5a1fa3aff579ab15908586fdc06de36eafecc9944775cd2a87df08163e793fe58438c01237a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
09aa5a26d916866a30a62f8437bfd856

SHA1
79cc9f8650921e151264b0208372ca455f9c422e

SHA256
75a37c04635244468dcbec13f43c62c890d2baa055de84a93ec7b5cf02fc24bd

SHA512
85a135ca0ddb66325328c10b314126bc9fd945723c6cb34826c8b054299eaab0df69d9e07a43e72d36c9b5797cd750cf67f906e60a637db06546ff73066db7fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f66d39a7e61172cd62e59fa404869c76

SHA1
8e47e9f627fe0b107652c80399f2982ae1ebde89

SHA256
05a347af70f692e885c7033265edd4c94034e5be52b7228178799c1ccbb2f7c7

SHA512
5ca9d243ddeeb1cc468256d30a1e9038e830ff76d0d40056751aa33ba54166a7d04e718a3830e99385bdca7d3b2252d36bf8dccb84faa45185a0219a7e3947c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
dd18db9b82184dbcbda967070ff3ee52

SHA1
dc24888842bef5cecd6ae48100ea78352076bd60

SHA256
8ff755ffe593a5b9ae809b2c2801f3568c41d7f20cbe183ec90047e7ea56676e

SHA512
190070856e925e4281883d94108d93e3c64b0019284bdadf08ef7e83c0b56227c86c88e243207ad5e420eadc3997e021104955eaae510936564c3d0f6baf835b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
267933507aae622f281673ed193dcc7d

SHA1
17bb059ed4d856ea7dd4626f1b92df3e6782e0e0

SHA256
18153774214b4998232e80aaf7b840bb215399d213b1aa710ee82d32a71aec0f

SHA512
a2f87340ddbfad7063431d365813c5276f11809014223f85df5a8c61cd017580f1a7a774b923db00ae9608e72875f9ef6e2eb55171b76490f46dae43c0e9468e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
a59efa73307484430bd0c08072ea88b0

SHA1
a5a5ce73cd57d674d9e041e3645258ad74120984

SHA256
9f6421463296b0c89b1a2c9e30fed67381205c838a9315f3368692477ccdd747

SHA512
48b6cd845b3f17ff6f2815401c2cfcb519e147db0a5ed5714dfde74c7f70a249644d570103b5fd72823a7d2071d067522ffa247b44eb7bfc7cbc1f9ac52d6dbd

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
463KB

MD5
7c3746be83aa3f5d7acc22c9328d2aa2

SHA1
8ae595bcad67f0d64c23f76c0e1f8787d98322b4

SHA256
60c53c17033daa59502968d8cfb3c8fc9ed54c7212e3456aab0cc840aa2a0da7

SHA512
5f50332544af27605275c3629ffee295796aa2f935e50a580db3f8f852907f08c935155e7a87622ac0a734ac0ead57dde7b9f559805dbb5fe397a7d356ee3216

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
124KB

MD5
1253dcad7b37c80f25248759b4770e09

SHA1
1cc632b6fd7e0c945ff368801f7a5cf6b4241b19

SHA256
5c6e0249ffb8e2913c65504a4cb66ab2e195fbbb5aace3367754f033f340377d

SHA512
4260f80a23a35bd6c387e0e928433afc92d84cddf39526a63a94c70096d3656d9d865488fa51ca665f8ff3840cb38b3d8695a11d2f71b26354ad0f95098eb058

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
2.8MB

MD5
367d27553554eb281083371e301e3838

SHA1
0f71d45c999d0eec8e0be31928976c62df249684

SHA256
3b8f28f78fe59d7ab9ea73bc0056629a28a0f21535e689c50751b27711fe618e

SHA512
676846d625e28c83caa2a5f36a64f5e1a37cc63442bb2c4ce6c5214ca9b04e6981de562d001318897539675501ea3dc7674043e6a74a5c98fcaa1a2be71c9e57

Download Submit
memory/892-5-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4968-0-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/4968-311-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download