ba116e4fd13011fd127db8532e369f9e33e97e223e2eb28507bdb75fc544ce1f

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

752ff845c9d9f276048d097af9b70b01.exe
Size

420KB
MD5

752ff845c9d9f276048d097af9b70b01
SHA1

1bf514577071ff2f8779ad2ab2eba65a8979f4e7
SHA256

ba116e4fd13011fd127db8532e369f9e33e97e223e2eb28507bdb75fc544ce1f
SHA512

fdf7aff342786f7a5c7d55c4b3725988ed9d4f91f679fd9529c8bf9429150489dd3630539f290354549c00c71b0235a302649a15429dbd353012d7565723b676
SSDEEP

12288:5MMpXKb0hNGh1kG0HWnALiPX+pd167Qh:5MMpXS0hN0V0H+E6Eh

Score

10^/10

aspackv2 persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	752ff845c9d9f276048d097af9b70b01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (5577) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000023220-3.dat	aspack_v212_v242
behavioral2/files/0x0006000000023227-8.dat	aspack_v212_v242
behavioral2/files/0x0007000000023224-37.dat	aspack_v212_v242
behavioral2/files/0x000100000000002a-61.dat	aspack_v212_v242

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	752ff845c9d9f276048d097af9b70b01.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	752ff845c9d9f276048d097af9b70b01.exe

Executes dropped EXE 1 IoCs

pid	Process
3496	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	752ff845c9d9f276048d097af9b70b01.exe
File opened (read-only)	\??\B:	752ff845c9d9f276048d097af9b70b01.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\E:	752ff845c9d9f276048d097af9b70b01.exe
File opened (read-only)	\??\I:	752ff845c9d9f276048d097af9b70b01.exe
File opened (read-only)	\??\W:	752ff845c9d9f276048d097af9b70b01.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\S:	752ff845c9d9f276048d097af9b70b01.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\L:	752ff845c9d9f276048d097af9b70b01.exe
File opened (read-only)	\??\N:	752ff845c9d9f276048d097af9b70b01.exe
File opened (read-only)	\??\R:	752ff845c9d9f276048d097af9b70b01.exe
File opened (read-only)	\??\T:	752ff845c9d9f276048d097af9b70b01.exe
File opened (read-only)	\??\Z:	752ff845c9d9f276048d097af9b70b01.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\U:	752ff845c9d9f276048d097af9b70b01.exe
File opened (read-only)	\??\V:	752ff845c9d9f276048d097af9b70b01.exe
File opened (read-only)	\??\Y:	752ff845c9d9f276048d097af9b70b01.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\O:	752ff845c9d9f276048d097af9b70b01.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\J:	752ff845c9d9f276048d097af9b70b01.exe
File opened (read-only)	\??\K:	752ff845c9d9f276048d097af9b70b01.exe
File opened (read-only)	\??\Q:	752ff845c9d9f276048d097af9b70b01.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\G:	752ff845c9d9f276048d097af9b70b01.exe
File opened (read-only)	\??\H:	752ff845c9d9f276048d097af9b70b01.exe
File opened (read-only)	\??\M:	752ff845c9d9f276048d097af9b70b01.exe
File opened (read-only)	\??\P:	752ff845c9d9f276048d097af9b70b01.exe
File opened (read-only)	\??\X:	752ff845c9d9f276048d097af9b70b01.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	752ff845c9d9f276048d097af9b70b01.exe
File opened for modification	C:\AUTORUN.INF	752ff845c9d9f276048d097af9b70b01.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notepad.exe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.WebSockets.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-80.png.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipTsf.dll.mui.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\cacerts.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\Client\mfc140u.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ppd.xrm-ms.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\msipc.dll.mui.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\rsod\onenotemui.msi.16.en-us.tree.dat.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\ICE.INF.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.FileUtils.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinTree.v11.1.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\as80.xsl.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Data.DataSetExtensions.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\ExitTrace.dotx.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Localytics.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\INDUST.ELM.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-rtlsupport-l1-1-0.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Windows.Forms.Primitives.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPP.VBS.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-140.png.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\HeartbeatConfig.xml.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msolui.rll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-file-l1-1-0.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\Office16\vccorlib140.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\WindowsFormsIntegration.resources.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-oob.xrm-ms.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\Accessibility.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-console-l1-1-0.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\UIAutomationProvider.resources.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\prism_d3d.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ppd.xrm-ms.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\AddDismount.reg.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AIRWER.DLL.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso30win32client.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\Word 2010 look.dotx.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Top Shadow.eftx.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-oob.xrm-ms.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-oob.xrm-ms.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-runtime-l1-1-0.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\7-Zip\License.txt.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSGR8FR.LEX.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vcruntime140.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\EXPEDITN.ELM.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\THMBNAIL.PNG.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-heap-l1-1-0.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-private-l1-1-0.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-process-l1-1-0.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Runtime.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Java\jre-1.8\bin\sunmscapi.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-pl.xrm-ms.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul.xrm-ms.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-phn.xrm-ms.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcp140.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.Amo.Core.dll.exe	752ff845c9d9f276048d097af9b70b01.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-interlocked-l1-1-0.dll.exe	752ff845c9d9f276048d097af9b70b01.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3496	HelpMe.exe
3496	HelpMe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 3496	1068	752ff845c9d9f276048d097af9b70b01.exe	87
PID 1068 wrote to memory of 3496	1068	752ff845c9d9f276048d097af9b70b01.exe	87
PID 1068 wrote to memory of 3496	1068	752ff845c9d9f276048d097af9b70b01.exe	87

C:\Users\Admin\AppData\Local\Temp\752ff845c9d9f276048d097af9b70b01.exe
"C:\Users\Admin\AppData\Local\Temp\752ff845c9d9f276048d097af9b70b01.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-768304381-2824894965-3840216961-1000\desktop.ini.exe

Filesize
421KB

MD5
01ef33a3908fc0bb0b0c5a3a00a80618

SHA1
d0e0b3d0945e74c6141e4037e13c155301ca171d

SHA256
cb8e95b2d439c96ddb572b780c80ff0492093632e193ff2bf7ea1fee4b3f51c4

SHA512
87edc49d265004861b52159056bad243909e10beb9f3cef67d2eec9e1ff675bc52b50b0d9ef92e839d05112819458cc5b438d03a357422171928c758e01283b1

Download Submit
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

Filesize
1.2MB

MD5
d702c5ffa688eee27e1aacb5d73c46be

SHA1
5ffb79db383d91873b62f9a2e85a300c47cbc1a4

SHA256
0cfb298625766fd757c461fcfef383a6da6c9614bbfc15fbf7d0b07726642db7

SHA512
82354499a8185efa7c935c9c789acc7a0c6f04cd4df2791990bb3dc1d60cc37af7dc12d0d8f0aab9e37fe2ba038a1a02050b2c1a841107a59fa5b308d6f763dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e99fd0fae9077b4e5f123f2cddf719f4

SHA1
6ce1804d043edacd7c09f80ca1c4794a5889a6c9

SHA256
3a118f494b840dc112e1c711e17b59e60e2480f542763445b4da2aaec78d4148

SHA512
d13049f7af1302290cd968fb8376369cf84b8461d778a24e8dde00d395b8a1c9c700e556b4420e331f025615c15a475102c3c67cb29081d0a5fb2c2560008ea2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
93e92d634a9b71a296ddb41a236aed14

SHA1
580b20fbdbb71034a2ce52a6e5acc096541fa553

SHA256
c532940595f8015483550cd0a6d79a1fcee9a89ca12cea4523d4e4efb66b6996

SHA512
000f661aabbae4f726753d4e12577172008026fac2878103419a14a37356d2c5e40e3e47d86f2f7c4b94431d6ff8fbcbd9e74377f55d81b5f6b22d556b543610

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
173aae18789c33d0976484afa2eb332c

SHA1
61ae8e5ec1719a84e0aca729d5f8058a32eea236

SHA256
42d70035c5970201f143865d6379186de9ef209511e92fb7eaf710d47c544e52

SHA512
5c7fe96c135cef43c03a91d0ac0c296ef3ae1bd2e5960d964edd7d1952b73e7f63a3162112ccb5687fe4e2b6b088f8d8ee282422ae158b547b3e67df29040649

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5cfc94d12b31872408e0a4453b028c24

SHA1
8bba0107cb12e34df7bda33f0e8c1cfc6d577baa

SHA256
94786d342d6e5e5970155aebbd4e9c5324dd37a61b7707f1be572382c340d9d7

SHA512
df15c9acdcbc7588a950cf5823b6808899114b8166ed364c19cb3f9bfa5d18563df97d7dc4d6e7e7ecd55bf34133a976c8e7ee5aeb2b8f0d7806983e540acfdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
9290d00fade444cd5056721f5b3523a9

SHA1
079e1c834a06071e272409bac7d6f3339669a878

SHA256
942785dcc6314d55eb62f976299042f0326825dc8caad23e34a50b2171c11e30

SHA512
d5652c9298c1d04190a8929c19f2f0148f26f0706d98157143fe9b0533123eb3ed243c820459fabcfcf628196be7dd1a94c1930efe82adbd4186dcd060cad9c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c7a8f2e4a601c63cc154366806709c8f

SHA1
1b06a38c4a14c14cb22c7f864ad2f6750fa31b81

SHA256
6aa03c835874e5dc0f743a75ce8825f4abfe779fdb6ed4a4ff89ef129b3f34b9

SHA512
6b8e4f3285093f3109676f84ae9bc128276b7f8fb26513a4ca3a42e678d467da06c5c805fef43f4de665d965d416f0d3349a80cebd448536ee931ae33ff86972

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e4a7aa91de50c57f063f5840d30323f8

SHA1
e0a5d687e235dff1c0a3b75b88b38b52ae29fbf8

SHA256
5d374b5b4c13df13464b10aae5294a1049f8bf7a2c8d555151ae0a678dd7c01d

SHA512
70241e9996da2213dc8dc38e65fc98b91c8d41b6891d266972824a63e67e3a038b0cb79026760ae6dddf31902bce0f66874069051851fa1ffc104d99cae28cfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3346d699fd7c20baeb5b46e2c27c49ec

SHA1
c7f2c432f348e1669720a094a51a7f54f2376381

SHA256
e2aacfba047f905acfbaec8c1136203718ad82a0098449398041e8952f9330af

SHA512
f1b7e9593a8240049e3479af0f76360e59a5f75f7a310a2edcde5f45028018f46f50ee856dea451737333f493839d0050645abc91dd9f94da5f1a362bd2df2c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3f99eb50951348efb2a9a581e8d245d3

SHA1
907871162b787f0ff9108dd5bbd884e7336b821b

SHA256
16a053b4933b55c654130af21a73c6127ef92a3904672eb9e224af386d027799

SHA512
64e6c19cc286d5d1755f67fb023baddacc2d6013353b4c6a25aa1affefefe5b92b959ac9cbb331d94787c4f80bd491fdfccf18dbf4b058936c7ccccadcb31c44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d4e57e683a2a06433ae4758c482e2744

SHA1
a0f4183631e2625c35fa24a9628bec8818fec62f

SHA256
d098316d6736a0236e62ed5079e09e645d54277c1a05b09aed48ce1599e70e67

SHA512
8225ac2c54cc340dbeb1d9481237e232badcee8bba7cf347c733230acc8cd02adf8ceaa466b2c4ab7c6e42b284ede2da81fb74b6aa817b06b521228fa351c193

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
6e4456743c5a4a98bc80688bcb490dbc

SHA1
dbd796b31ef9216cbcc737b1c865f0565e3e64d3

SHA256
4cc87fce3b4a0b99e2e828bdc33123cbe4754759db138293aa5ef5ce6d1b42e2

SHA512
85adc359656f321fb16f1fffeed169e39cfd3066a18506996a4b0cab70984b19e8b6a5ced0947aaca6162ef608bd0bf470ae2b2de182ec806afb7a96d59ebe53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
11295c23d5bfe9e966f874814f3f7a57

SHA1
6e28697a2a8507210ecb71cb436800d77a2c81b7

SHA256
a3f7086a78a8a103afec633fc3e0b86f724f45db615974c27a01aacd807ae709

SHA512
cc1cf5b2aae37ae2cf114d50fcf141b7e0ea863b5a3b5d02658b8db7af4b515ba227c76f10bc850b95c7311c7e6da4fc8b7dd9921e0167203107d984ad94ce5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
452737f8eb08f07fbaa72f9158501012

SHA1
bab693b2f065babe97f1b99086309f1f8837cf02

SHA256
666df5c7c6f56e0c5bf729316ad24747ddf672876f272baccd77b9186d9a3a79

SHA512
14ba50e46e2ea37e990ec626a5b4be95bb1e6799c4dddf5529fb2fe350db5c7017433a2b2963433f63e1a9ef82433ca55b2fab6a6b5cbeb7d51fef8391d721b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
c1ab0b2162c22bc324ce89708227186a

SHA1
91c052631bbda076fe9ccd7cf0b275aa6b5d684e

SHA256
9e1e7cc9a4a8a403c28fac31a9ffaee6c47f9e707a8d940d30a7d7310ae2ab06

SHA512
bd756756f8152bc1b31f15d7ff9c7a860069455b25982e99500a6a4e3f0e568dd9642ab53c085fcfabaabbf5d888b70ee65fae2edc3bd269197d02301d9a735f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
441b2e3f3053e4365d1d25543d9cf74b

SHA1
c37b0be629a73aa87c2e069e6a22b6614a3c8754

SHA256
3b764442a77d2c7df018ac2bc0749a52b3d1f09bcdbfa0bf254ef75dc72a4a15

SHA512
acf92df19885fe691372a8a4f7141aaefb0ddd1f8ab9ae2edefab3280c6ebd08936ea77664808ad3d0a90302fb75a93d714acd408f9a8b2aa082b75f178963ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
85fea6f8485bcac5d55b700d06687985

SHA1
83e10aa3886f409f42aff57e1fd10326c9fc89eb

SHA256
2b74f003c18dfa505a3bf25d02de26912f8356c0e1dea0eafe3b17208db194df

SHA512
1655b9c0ecaf4508bb76d109b08b7068422c20c3285248cb261ca951bc8ce9d79d761a8ff9025dd77147de836be7ba18746e400892cadfe750e61683b83a475d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
db125f558d1965bcc8c444967d936fb9

SHA1
9e4ddb8fd67aab269266d8be02fb83f76b1b0aac

SHA256
df50acb044cf66fb7f7ff8e657f151c2f4c270328586f5c8a6723ec790ab0076

SHA512
29ec56b9b33e562dbd1770a9a50a2b9d722ad09bceb11fa193ee9a58dcaff8486cf6546ae704ca629edcac997fa4c2bfbaee43007fbc707790cb4c7e9d37a62b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
08c9dd9e751b09179f88370eabe3bd7c

SHA1
1c7ddd227e23bd5698ef48a879c7c9b0720f843b

SHA256
4cd2755e9bf6b19811065fe250522e22f1fa3b820b5f86e234e33125ac681b85

SHA512
017305004c616c3382e914304482c676c427b3fc8a8e1e4fb9fd4efdadcd34700c9b059f6c4f8bd4f5d82086ee224acf0b184250ab1e15ded66ab1bdb1680f17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
58f2a60facf7991d7cc217bd4ccdb030

SHA1
2ed2fbf71e13cd5c5ab6e409c645efc9de781216

SHA256
f55301376138f40e0aae3975be997519fc31c67d9a2b7aee3e78b1d670a8ea0f

SHA512
e31eb8906a1d9fc57c24bad21c585b844d30d9977dc49339902caf71503ae981bf3dcd2a44dc5e81a35efadbd015c8f31d93ad27b607c0983913d97587a4876e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
582c4c7df37c835ffa3ce568e26cb8fd

SHA1
57dc0c5286939cad3e7ef4a262340714d73ac02d

SHA256
a047170f6d7ea6e90a3c35ea187fe8be7c041f4d899c487b6169e64220f1ea69

SHA512
7298a28c2f6f16912ac0e621b15acfa69a76922ea291cd666037a278e3262ef61b4c9c76fcc5ae051b38fc68c21cbdb2c4b5896dad14edc78ddd232abac4b1f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c1d055dd6bb747f5cb60ff2eb8eeca3

SHA1
670da4e90c9b522235685084c6321647f72e69e1

SHA256
2757d7fe9398672824d85e2611d64be892b89cde2ab3e1fb8ee04698909c48a3

SHA512
d5b1814d8db7cebb59299813163e13e59ba8eebba02b2d2a5fafa52e7841421c4b531ff7d376d1d33dc18606cbad33ab5ba7ab22e7f8b6f07384a3c7409b65fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
15bfffcaa231c35d666278c377a7736b

SHA1
bb211c5f31b1ef9e17bc240677c3f1ce97254e81

SHA256
a310eb70cd86121368b0355a60e9d862a0cedc9c589c644f0b78430fe45360e0

SHA512
21da8b1ab01e4ab252c1c6fe95f249378cb5d00e2915b651f39cf221e129b7ff06d01f5afcb2b35ba29fdc7839e7a9dac0565c4e1a836d35039184a6c133ab43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d7b630dc9f807495502669fdcbe3be69

SHA1
7478e32547d59877c99d8fec3bcf793b50511ff9

SHA256
68d94b341622f7a16a90791a0946815ee0c6bffb401a25a7eadae16597f54380

SHA512
ec1f5caf28da6b73abd8aa09cb074c670981027d2561a27b23d110054ae56bf7744992c9c0d387ad150dad0603db5588af7d2a04adfd8609d18fe1b315ea8a3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1975cfa36d912b347aae7c8525954c2f

SHA1
ae37d9d2d986d28b9ba3edf866f7d9db9694fada

SHA256
d51e14753b5ba81cdf185b8f3cd7e525ef018dcbffa93b3872038849d21bc2b9

SHA512
1bb11daf2d944676e4ffe7f277a5a03b64a1c339af559979bb4c7545188e78afbf6cf6ddf6d73e008f274fe6662a4c0b7d4c444d7477533d526e93208acd6da9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
c82f96d3ab29097729f0068763e2137f

SHA1
443042c5bdc7051df6a9ce114554c96011e3458d

SHA256
50adf42f61dfe0a2a5945dbbfa7bdadba34ed6192171c9be5b25af684148f252

SHA512
09a730c6d743f481c80ef141d0e955b156ca67a3684820b75e4a2a15d936beaa4308b46df286cbc596199f86918668cc15d97bf939b47020b6b23d7841928b2a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ac543a1c4c3e8ca382009908e4b952f4

SHA1
2f2b0b3f33cc01400bd3126ed5990280231605a6

SHA256
2c60e6f2ff8604320d2134273911bd9c63c446181ab359c4e52d164b889458cd

SHA512
6cab1e7bcaa0386bc0e3393524c70debbee5d6a28fa76015f5bfbe17da2dfc2b1c1842e583821ccccca83a6a16f7bdd6d21f5806830c0a1b36b8b313e8a07d1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
0ef8caba36c62f10cce4c2854d05a6e1

SHA1
133bc4e13740ba4044b0f970a48550fe017ab8d2

SHA256
44ae41b1b1fcf51c4328edadab7140f9ed45cf53561205d9bf799be38f6782ff

SHA512
0a421c3db5ada5e1d270bb636574b11b3182b76793b1dd6562c6009fc6df36a0651746193e2654e298ab24ec9f953e35fdf4aa07774dfe4e13ea04e352df8127

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
adfdcf7e29452c08e36216e767d8bf6b

SHA1
daa7349da4ac427992a9fb0b5807f630dfeb3612

SHA256
d40f6db96eb5ffa9eb154ccdb5596242f3164f9d71a73bbc841923e5f2ed6568

SHA512
e262c71c37d494b3ca7867dc6da5213d7c47c9352e6bb90986f8835e77879866e515df4472928f98e56a4758b6de9dc9882e7c20b7dc2d1765164d0cbeac522b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
2bc0aa5ed5cf1299a74f1eca0044e30f

SHA1
ac8441bd05629db1f813b2ce45ae7e2b33045cee

SHA256
168f9e196c0ef3e03d58a44e78c071743561cf01ee1c503b2644afe713fa0c24

SHA512
99c08f657100a4663c5ac557e283343959634bacec3ef3c30fd7b6874e69e015d0da804fd3a4d6be8338873df8e7c94c4b1bb3ba1e209837de44dd0ea0d6752b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
1cd6cfcc6b93a62601555a004560f093

SHA1
94c05164f64f0d3e440e47298f0d09015bf04b54

SHA256
a5d5dd99464d4dabd70f4a32275c07bb7c3373ac5e9fee45a6193cfe011a509f

SHA512
41422a436af1e4cd69e4124866c69b63972caac62f623a9b80939ed6be5f3af3d302445711e72967729cd6596cc7a50e4db94074467b7e9f3ae6f956705634c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
ee1838f0d789b00af2dc0a23d9d815eb

SHA1
b2029ce11e7a2434371648f75d28cba08b1ec920

SHA256
f9b65d7269230ac80889405229896b0cc6f0b950e05a0c13549a66eb8f73203c

SHA512
8c815ad779b613b8f9f59c8ab586833b04a4dbef47ce8147717466e47eb0286285bce154c3770ea8ca3a0fc94aaa4e2b2482dfdfd77c70541f4a325f2e8534eb

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
420KB

MD5
28792b2b4af7a96357a2035d3d2d4cab

SHA1
2c5a27963c028fc72af61ddf8d1f209fa5ebafab

SHA256
d45a2e31a994e129f715998264bc8739ebfd3c9ec635f61da4da2340c9d8a36a

SHA512
9fcf020887af6760e3fc84b5df8883e9245cc097f7a8db992f39bea19512dee12ea06a63d9b84e84ed1c22f75d689931b8588566de26f812c226ecc5afbd1ad6

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
420KB

MD5
752ff845c9d9f276048d097af9b70b01

SHA1
1bf514577071ff2f8779ad2ab2eba65a8979f4e7

SHA256
ba116e4fd13011fd127db8532e369f9e33e97e223e2eb28507bdb75fc544ce1f

SHA512
fdf7aff342786f7a5c7d55c4b3725988ed9d4f91f679fd9529c8bf9429150489dd3630539f290354549c00c71b0235a302649a15429dbd353012d7565723b676

Download Submit
memory/1068-0-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/1068-8169-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/3496-5-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download