74bcb753f4da68f4147e2d78753f0b229787a62b8c998c9d3c893599413f5c4e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74bcb753f4da68f4147e2d78753f0b229787a62b8c998c9d3c893599413f5c4e.exe
Size

1.1MB
MD5

56e31b6e96239c162131733f6118c8e2
SHA1

9fd012f3120dffcfecf22f01bc01cdd73fbe0b05
SHA256

74bcb753f4da68f4147e2d78753f0b229787a62b8c998c9d3c893599413f5c4e
SHA512

b367d8a0ede24061b46433fa81a49f4a4a97806d1baa261476566916ad87137529c6830716cf83643f22715e1c73f9cdbe3a2b99eb9e9a633c0a34783f50f938
SSDEEP

24576:dMMpXS0hN0V0HiS3WSrD5PDZb7oWo0KB/Ay+aZK:Gwi0L0qX3drD5PtnoPB/t+aZK

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ÿØÿàHelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	ÿØÿà
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Detects executables packed with ASPack 4 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\HelpMe.exe	INDICATOR_EXE_Packed_ASPack
C:\Users\Admin\AppData\Local\Temp\ÿØÿà	INDICATOR_EXE_Packed_ASPack
C:\Windows\SysWOW64\notepad.exe.exe	INDICATOR_EXE_Packed_ASPack
C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini.exe	INDICATOR_EXE_Packed_ASPack

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\ÿØÿà	aspack_v212_v242
C:\Windows\SysWOW64\notepad.exe.exe	aspack_v212_v242
C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini.exe	aspack_v212_v242

Drops startup file 3 IoCs

Processes:

HelpMe.exeÿØÿà

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	ÿØÿà
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 2 IoCs

Processes:

HelpMe.exeÿØÿà

pid process

3080 HelpMe.exe
3876 ÿØÿà

pid	process
3080	HelpMe.exe
3876	ÿØÿà

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

HelpMe.exeÿØÿà

description	ioc	process
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\M:	ÿØÿà
File opened (read-only)	\??\V:	ÿØÿà
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\K:	ÿØÿà
File opened (read-only)	\??\S:	ÿØÿà
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\E:	ÿØÿà
File opened (read-only)	\??\Q:	ÿØÿà
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\I:	ÿØÿà
File opened (read-only)	\??\R:	ÿØÿà
File opened (read-only)	\??\T:	ÿØÿà
File opened (read-only)	\??\U:	ÿØÿà
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\A:	ÿØÿà
File opened (read-only)	\??\N:	ÿØÿà
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\B:	ÿØÿà
File opened (read-only)	\??\W:	ÿØÿà
File opened (read-only)	\??\Z:	ÿØÿà
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\H:	ÿØÿà
File opened (read-only)	\??\P:	ÿØÿà
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\G:	ÿØÿà
File opened (read-only)	\??\J:	ÿØÿà
File opened (read-only)	\??\L:	ÿØÿà
File opened (read-only)	\??\O:	ÿØÿà
File opened (read-only)	\??\X:	ÿØÿà
File opened (read-only)	\??\Y:	ÿØÿà

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

HelpMe.exeÿØÿà

description	ioc	process
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	ÿØÿà

Drops file in System32 directory 5 IoCs

Processes:

ÿØÿà74bcb753f4da68f4147e2d78753f0b229787a62b8c998c9d3c893599413f5c4e.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	ÿØÿà
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	74bcb753f4da68f4147e2d78753f0b229787a62b8c998c9d3c893599413f5c4e.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	74bcb753f4da68f4147e2d78753f0b229787a62b8c998c9d3c893599413f5c4e.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	74bcb753f4da68f4147e2d78753f0b229787a62b8c998c9d3c893599413f5c4e.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 1 IoCs

Processes:

74bcb753f4da68f4147e2d78753f0b229787a62b8c998c9d3c893599413f5c4e.exe

description	ioc	process
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	74bcb753f4da68f4147e2d78753f0b229787a62b8c998c9d3c893599413f5c4e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

74bcb753f4da68f4147e2d78753f0b229787a62b8c998c9d3c893599413f5c4e.exe

pid	process
2796	74bcb753f4da68f4147e2d78753f0b229787a62b8c998c9d3c893599413f5c4e.exe
2796	74bcb753f4da68f4147e2d78753f0b229787a62b8c998c9d3c893599413f5c4e.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

74bcb753f4da68f4147e2d78753f0b229787a62b8c998c9d3c893599413f5c4e.exe

description	pid	process	target process
PID 2796 wrote to memory of 3080	2796	74bcb753f4da68f4147e2d78753f0b229787a62b8c998c9d3c893599413f5c4e.exe	HelpMe.exe
PID 2796 wrote to memory of 3080	2796	74bcb753f4da68f4147e2d78753f0b229787a62b8c998c9d3c893599413f5c4e.exe	HelpMe.exe
PID 2796 wrote to memory of 3080	2796	74bcb753f4da68f4147e2d78753f0b229787a62b8c998c9d3c893599413f5c4e.exe	HelpMe.exe
PID 2796 wrote to memory of 3876	2796	74bcb753f4da68f4147e2d78753f0b229787a62b8c998c9d3c893599413f5c4e.exe	ÿØÿà
PID 2796 wrote to memory of 3876	2796	74bcb753f4da68f4147e2d78753f0b229787a62b8c998c9d3c893599413f5c4e.exe	ÿØÿà
PID 2796 wrote to memory of 3876	2796	74bcb753f4da68f4147e2d78753f0b229787a62b8c998c9d3c893599413f5c4e.exe	ÿØÿà

C:\Users\Admin\AppData\Local\Temp\74bcb753f4da68f4147e2d78753f0b229787a62b8c998c9d3c893599413f5c4e.exe
"C:\Users\Admin\AppData\Local\Temp\74bcb753f4da68f4147e2d78753f0b229787a62b8c998c9d3c893599413f5c4e.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:3080

C:\Users\Admin\AppData\Local\Temp\ÿØÿà
C:\Users\Admin\AppData\Local\Temp\\ÿØÿà
2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:3876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini.exe

Filesize
487KB

MD5
a44f2ba9d89069e44ec48d7574429459

SHA1
ad64defd7fc7e2b770a07c037c5f3a603b77c1f9

SHA256
ff9b319743f247351e187020aa1e3e1d5838c5f920bcc0959a23a88c25d8bbba

SHA512
a60255c7d04a99747c8a031a5016f296b0bfba5f723f1f65501d1e8dbab1114c0086de1cc5c648ae4ddb5df911f00cf009b96e1fe5d48222320b78adf877d4fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÿØÿà

Filesize
1.1MB

MD5
56e31b6e96239c162131733f6118c8e2

SHA1
9fd012f3120dffcfecf22f01bc01cdd73fbe0b05

SHA256
74bcb753f4da68f4147e2d78753f0b229787a62b8c998c9d3c893599413f5c4e

SHA512
b367d8a0ede24061b46433fa81a49f4a4a97806d1baa261476566916ad87137529c6830716cf83643f22715e1c73f9cdbe3a2b99eb9e9a633c0a34783f50f938

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
1353818db7975ec6384f139cbb254652

SHA1
312fbf33115d0753f59e8555b57b010194cc8475

SHA256
e66cd391d9aebf9ba1157ee6f6aeb9a6f2cd0cd2196a5d9cce8ff1e1ed2bd895

SHA512
980ce6cee0ae9f8d67401fffa57f94debf609e8c62d8012a9f8e00aa4cbc1fb8680686724549964ab2b7b9b4c81748623e1721828c2f51491ffa6a4522673773

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9b512e28aec75fbc7f0191b152ff8dd7

SHA1
e3902af5cafdf01f7176c05b952a1786b2959705

SHA256
b13df9b36070beeee5796a9a20c1cc7fbdd2ffc80f7c8f62508cbe9512564650

SHA512
de81efb80c03af90f417807c77e1613ca2804326375bd47d7d853f5e25bf369fa6f7aa4e1aa0caa588738330f2aa0a0a1fa86fe05e2fc3d14ff725ba7388d99d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
91ffba1d981b5f41deadb80a0d41ee89

SHA1
a73603c38485d0eb026d88d881f0287847447627

SHA256
d8d29a898ab6b7265b865edf6b0c67d27ab7c89d29e78a8cab876ba39104a0ea

SHA512
5e7df634fb650e32fc8756bd9609eecfe2441cafec4da90e4776644dafa3235d58a5b4ec633a7ec680c1d8beeafef01bf18ee5bd4265335bfc15e9dcab003163

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
b14e6fa794d60e35610dcb921f734ea9

SHA1
9b5a2dd3c7b997a487225d6de2f5d62908215fdc

SHA256
58daf2114ae5f0b03add57353a8a4b02ce525d538dbbb065a17563e6473ebbdd

SHA512
ccc85bd15f3a58ee2b6d25b06e33a2b3eba32657b3538faf4dc18def5b89b7512a7cd885fc59ff2f123aeb4bdf39dd7c9de43ba45b44f763236d6b5c1a32db38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3fc5d549bb4f3a75c956b3f90296715c

SHA1
00323e3279a53c5318e250a1f1960d9c7f72f9c1

SHA256
dabc4594da57c7a5d8228b9600177d207b910b02dbed2a682498325f184e414e

SHA512
75a8717984cb9c0793b96533c64c30645c8fdf92b3f3f260f7c8847dd04810a20fc8e6265ac39e86f74bbacf24fe26ac33631fd50fbd1fa6a6897d66e817a1d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
05cd875ab0954d52725f02f383a8a125

SHA1
46fc7923dd1ca72e291093456a46b2a3fe6104de

SHA256
3507b96153db554ec10faa956d4a1cf9135d25f19defd807a4d26142c1f5e0a2

SHA512
223990e38c330bb722b5fab6d4f6f96a9df088d4615d5f9e682a0dcf23bde53c24ba98cbcac71d833b720ed2b24b78fabbd73542251ec454d07f51615eba1128

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
0bf3d70b010318d80592916b2d9bdc85

SHA1
d5dac35ab5dda2172eee5dd9b13240ef0ce7cc25

SHA256
4bb0a9d584419a3d2603bba9e026ec52023e98153be57ce370fdbd65f1d7e9c1

SHA512
f5dbe6c19ead9609f95b07ab85e476ae1bb059710d6a4b139d6e7299751bf0000078f5e458967dc0cd0eb00176c311bba631b06b830b8289cd30857e9aabca76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
73b750c91cd6e5db955d030ee4285693

SHA1
6569ba5584682d55b03d3ac730a76cd93c17b0fd

SHA256
7636c74375201eeac53067b01df5cd0c306731a70c54b2afe2fc12e181841264

SHA512
2250e403889044fa2d1322a535b1ebecf02e43b36ae2413876acf4695d0eea7b7062372ddeba92ba3c2b8e3d17956c95978ec3f6ba59e84ea0dea348c70d6b07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
9e77b24e687fa365d987d96b8cc5d142

SHA1
f6ce25faaed698f48ac71e3921bd04d8f4f8b1d0

SHA256
f4b3131a7675030dfeb66f66b14260aa18ce5bf8947b4e21104c1faebcde4733

SHA512
6f0c865dd1f74aa5786147c52f52c3f0b7be0724b0d62298e6cd0ee0dc4ba33669ce1609cdb8d0f065cc1fa12d17ef82b69c67cec6d72394094fa3e918ddd4b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
426ad0cf284d2b85472c808b970c864c

SHA1
6bf4bdc951da277e3a8351c948bd7d81631b0d45

SHA256
9bb15d596eb9de6081720b65e3c3b909f58cac33b82d3d827c0116f1f4a27ae4

SHA512
90fe0061c357d53372ce8a5797efb1ef3d1e346be4cf88cdd765bcdcbb30f13e153c10a1477f78cd8634897de3060c89dac43e783c46a2d05beeee3a68538428

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b4cea6917030cd3824d497386fb69c5d

SHA1
361c68abccfce12c6a3808124114e41cc9edd96a

SHA256
49708bb70e4ababac88eb4a00a2e10e97562d50937af4d9ff478e0327e507e84

SHA512
02fb2b3bdc143f0d53e3f661e3087b2b8f5a90b5aa4e891d70a3ed695a5730be4057cb8d98b2ea4edf8e124dbb153ea1a3665a72521d6f71bec5caef318600f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
8e0061e6b721a1ff96659739b47a8ba0

SHA1
8ad080d81f3c20504f9cb4dd001467e8766299e2

SHA256
9b0a25465ef24a15340784392ca885d4f9088d96ffbf47cea137ac4cf85c4f8c

SHA512
7b48e2f02c9b9f31d511a3713232031a530b23da9e22f2584e2022b7039885109918d94059bf241af840ef42cdf24f99503737ac91a84d036b2789f6d97d8819

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
ca59b1337f61692cf72d97f3950950b4

SHA1
0548d5f4545e188f4f5786ebafa9d509f613e58e

SHA256
a90ccfb551ab3300626c969690f9e821f38791aa0d192e18913ccc7a7963dcdd

SHA512
b42236d3a2430a2f2404fcddd4bf86b9ecf485f866fbdf0da57f41f8447cabce52f230eb63f2d552352dd766d9b793642856d516be1ab2ad2ce33c9cf44989aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7138b4510e1a7a9c72b88b8819919bf0

SHA1
64b7fe01d685bce71f2fd6e5d4a75a64a2afbacf

SHA256
6adb057a7bb62af91f61302e85302ffbf109ea0d9498bc87d546d6929614bebd

SHA512
ab78f791558c86b5eaa87bf27b577b1c53cb219c9af8cf1b8d165b5396398b0833111536a8524dec98e2063e1b418f8a9d63eecf958953c8de0e15e5d34d32ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
dafe9afab078345ac7faaa0399eaef15

SHA1
af8bd6b9856d6e4ac10adb4e5eb50f721ed8e999

SHA256
3ce814108f38eecf852950bd7e719123ad00acc87272a897b9af578d18777b9e

SHA512
040bc5cc3ad966a63ee787a3481da6df1f560dd032c3fab7c78770e2b87d788686e48deebaf1579db24e532016557ef5cbdf7e5e077ad3e7e3f944cb6fa9491b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
6d49626337c351f5aff6efab7a889407

SHA1
4c5a0b8ae64775d6fc609db596ed0e082e9f129f

SHA256
fec896f7fb7730dca37e9b6b8612829b82bccddc2c278878be86d8b3ff17a374

SHA512
bfb459a545a28d0e21dcd22ddbfe51f8b75692491534adb7389ea837982c6952475272bdf8389b8221a45096c5442e9539c8b5f6be4b129b662ab6a705ab0c1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5c697870a99ca50dfa81a4d5e8b3f971

SHA1
75ed2f23c7b1af77545e58dbf3c35dd87ebb2365

SHA256
4bb5c9cd595688f32321c35867169b28aaa909040c313a2f6457f6015c384704

SHA512
4fa1976adcea8a018c96c5588d6dc0bd25c78b14d827e75cf6a84b4e49fff21f56c199d71b15614758426c20de795cd2c380213d3c0a2cbcd95ce480f6557688

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0a2600a9bc5ec301e5948eba1044dd7c

SHA1
71e95beb932752e667ba9d767c9a3939bbd63210

SHA256
1dda693f8380afdabefa1e323b29d514772ed7cc2502783de232a4f6b4ad680e

SHA512
cad4221416cb2155c0d1d5ff23d5d67ab465068ae3562416fcbbaebe0c4aa0f3a19e02a0e24e535f073b6c1f306c7f33eade24e187b19f815a5db5e52cf49e3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
1546126bfdf974495f95f58144563568

SHA1
b8eb10233d860932a5c3c0dfda2c031c1ce68d06

SHA256
11c01ee78f4e2ddcba9b336b88e8b7379b792feb23d3209ce9e9cbecc41dbf6c

SHA512
c08305333b083c7d032c4db6b5db6391ca940d827ebbbd47aacaf603216fc243946385bee11fb253636c61ba5c30777774476521c0dfb1971e9f2977e85f5629

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
a2804dbff6560203e04831e2d4de5e54

SHA1
56895a665ae45fd9218e1aa2a0b941c7f8698cf3

SHA256
927574350d229a98bdd12f9b2afb50234afb8a1dd2ddbd10c09c7bc14f3b9061

SHA512
50c22d428d5abb55a8811071ddb0e6af94f48afa5c4563826d4c309b54e9aed5377d3882b76155522d4f218a653cdb1bd2bd6e55adcf50c2602b51f0fe769846

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
db4c1289264ffcece093a3e6f3af2048

SHA1
2d34df39a62a440eeb5aa43e63e571439dd0c40a

SHA256
53120bc217a35b7c91781ba3578d2f93e86bbd5d9c71f15f726c1e5c2781a6cf

SHA512
32483c915ccde74dda575e30cf0fa06d409348df948c58312e5eef7e573a5cde2a1cc5fe324cba286511992bb6fa348dc3b2f351fde4f393b0fcc76b1579c5b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fbd335a3d21c278e9444c4455a18f177

SHA1
df1428dba72f911c4d6c74fc8d1e17e3007414f8

SHA256
748826171c037ea5cc4dcd9d0507b96e4835cdee3dab3c599d71d482c8316594

SHA512
b4f35bfea446e1331072d3a3f4c85039f38086abfca6f9eb9aefa3e308d6371436aecedc84c32e4b830a096357dff1168a44d33d22951e7ca2dffb1597668b43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
e4bf6a2cef7ed3534d7565294172241c

SHA1
3feae502153d803450a0911565e5331207afd738

SHA256
6d294f89c2a5765867bf7285d808d0fd1d6727195702d77673b14630e3aee00e

SHA512
4347b8510aa5603d5b86b7bdb5dd6d23ea8fe4f2483c0c6b63fa7076e4aebd477ff0ebaed9b510e0c8bb51c4ed9c8bf42908169cec66a0848237e1c4e009a8fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
a6e839f7aac513777de5a9047744fa7a

SHA1
2ca0ae9a06a537c431f75f3593f57daa46093f4b

SHA256
b550a4488a683eff3960b3ad1d339528f00ef6ed300b52fcd7eb7b3ca7bfd62e

SHA512
040c0e9ef63e92f4bca664f93bd14d31cfd0f8c409a35bd5cd0dcac5b5f0bb735ada82f7fde67418433541861f4177fa5f6bbd9aaeba54cdc0b6c5da6c2fa5b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
0da061e3b7dec83c46b4bc2e45470166

SHA1
f59797108e6aee6d06ffec653efed742ee8164a9

SHA256
af9d1572a2c6b0cafc33275d5038578bbeb37251e4d317f191682b7edf560700

SHA512
46bc48163252f7a0409d8f2388fcf37d18e54435e350e95ea04f5bfd39278369cae77ce28f53ae5ee9d96505c3443ba2bd9c86608dc397c6a52161cb8bc88aa3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
de796ae56200565412c8fdb546265916

SHA1
b16683e097617e141110a3855d6b09a80e8ebbc3

SHA256
9ba16b12bc1ce01df3ed3b3014a2faed1183b5f8cd29e21099f0ac160c8d7c69

SHA512
7405a1e2447c27952578f2eedd5a83bc4af9e694bb3819635ea768bca5b58d4f84359e76648d481d4297e70caeee553249c52caa454c5e418c3cf8e12f0ac597

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
2b4a89c67cca878499a9f5912b6031d7

SHA1
f1ced5c65a94f63de5ebaa06478a91a55f56ba54

SHA256
24e15b6d166a43cf3ea6c7cc2203b2fd775faec7ec56f2bc7a5a9a976110762c

SHA512
d0b5baf45e0e7511780c0140234b13cd436935e8397aa3bb921ad757a73cc64018fd6a6586e1b313d5c57f1c8814bfbf0b1ca071210913c5befddfd4063ccd7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
bf0b40b3973bb865183f45dcf697e6d1

SHA1
de2c69dc23580c06c0d827e13a443eccceb571c0

SHA256
c403477725edfbbc500d65bbac1041fe7f31598516fb6106f44a12bf1a808eff

SHA512
f848b7c136e6a6e01725af0f5642c413911eaa41a4f1774b8da0eb9e7f5eca7489445bd6037f5023b406a7889126031a52698eeb26b5c1313446af5f151290f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
0e97ecdafff76a2c0b98b794b0d64c31

SHA1
dc51a409f9836d00d8bad87ca1becd7cb1fe102c

SHA256
a746bf0c520a2512c843d0c5e1b20a7ccc66a1ac6bd1c98d1aebb65b11e1f516

SHA512
2e1d268f90284bd44b2f98c0074e343f5df17ac90d7d18935b89dc7f1d75060be6c02b8f5da4a6363632e7afdafffca7b001e997a1896dd42aacb0587c992880

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
470e17e70ac014314e493bad3c1e3319

SHA1
157af521d256ce23e448412298ebe2c6a252e1b4

SHA256
cea7edf2084b0d482f359143ae4c7dcb4132d466cd04b10cde56148fb050cec7

SHA512
a2745b8727cb9b28592b86a6f4fc28dd3037f2fd15f02ff8c79d30cb486cfcae611856f5bf36283af3a99c6884aec600dbd81629a6a6538fdaecb4497e3a31a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
bc608cb4bc74201800cc123a8a9e13e1

SHA1
9782b4daf0da6eebd7137e796b3bb26ccf2280b9

SHA256
d11216600067df1bdc5556d20864f9edaaaafe4e7925cc7c7235ead28b265204

SHA512
8314055940a27524f6b7ddb3c6e435b61cfb042cbc2793a6a8fdb7ccbb6a97af6581d09ddc279b874d67ccbe32ff2ace73ae51c90985da51978e2ee059075b42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
13db8010b76595d774d244f021dc4560

SHA1
3f7d346ab1c24bc9f8db47aab2dbebdd93a9b327

SHA256
29373e97f10142f502967b437fad908d197900bb913ba18ca5771cba422ce462

SHA512
81325d37155c4c6244ed1426a4c546751d074b3cf8c88eaf9e82e2fac1cffedf2fd6d4650e4825c5e0df3f0730baf9d2809cd21915d6d48cf50f494d7ec19b9b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
d25b2d9b20033c284c5e70b70f65c11e

SHA1
daa6a75ca7ca472e147ac3f0082c574ef69568cb

SHA256
5a01bbf4b9e4930663a5e1cd19ed060d6cad8de9165fb2b36f475cda226819f5

SHA512
813de33243c1b8dc9d67a2bc3162cc663e05cadc59e44067a40775c6050c5690169a0c4fa8b280caca5da520a24c29fec3d267dc9f2400571f6e6485804bae61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
6a41064afbbe5e97d7135798cb320d97

SHA1
31baa05a8131f0892c5020f8ff27180df0b2fbda

SHA256
24df513467dde4f3aee206bd991974abd5db036743e835135905cfe0a3587881

SHA512
3a4e4a1e571fd6eea324330bf8796d6d086160e249f06e13f2c488fd39d98df1feef336e40f064baaa381e037149a374661c84f17e5de675f4043adb0be43920

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5a5130e55916554c472861cb353a7661

SHA1
5f0e3aea903a35fd7e2603845f8ef50ae557b1b9

SHA256
0845d5cf7b435320ba8867b08352b91d79a02ac2caaa8c4b6a3098383733a586

SHA512
1f426c447f3f9ae6a3db967e08d84b7d729f33b8b3edb973d593f77c1f7afdfbee5442d87a329bc14e8698ec5afecb10d30f9513c53ddf80a15544b52b2ef0c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
d5ef7ef54631e49755af894a9ea211c4

SHA1
cd323e585ab44490c30934ae63d9ab70fb52c8ca

SHA256
e950d61e8d26461210b08ffb482cc772773432ee26918c9f46a85c937a075b40

SHA512
1563d029272bd5bf7613131807cabe4e93848fd35b92cc3dc7feb85313877643980a63b8595f134b54e839d794565fee9188f7de4be2296c4851f452c709e836

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
8708b76c6a8a195d853853962127091a

SHA1
c164a237b4ac0f4ae62d054d8b043b3be5158757

SHA256
486151cef4206be5bfad79abe2e58095807022eaebe6d93cbc694d794b8f9375

SHA512
b1f5abc646cc9225df0a26f53e61e1b4addab26643fbd1d110687da2ac0f8a1f2b3f408c678a0394a15eb7147ab6d0c007183a946cb65903971e97207f4d2c19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
30b618a11513ab166f2478c820f7f6e6

SHA1
e142b371c79da7b1d5f8f38b41e4a8e692a9f13e

SHA256
96070ecd14cd5595a25a9443736b92fc9699649aa05822e523c7994794038ca4

SHA512
51df614bb51369f22a87b8be69552adab9f627b522aeb20e2425daa2b212f8ad6c8c45cf047ae21028fbe80072e87848b410a9780e5a144fbffc81ad47875a39

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
0dbe85c620f5cec6bc5c019ff8ac8e3c

SHA1
b5498a30adb70294d52f8386592ff1ffd9ba5271

SHA256
d92c5717bac69574e079d0a6f859c0705e9ce26d42c77b083930657dfe41a50e

SHA512
b5debd2f40057ba395f3b5d4d95a43325589c716f508ad77644238561b161e5ab18017df2ea2edc8949a71878389b4c4257cf6b02308194fb28e7d2ef82177f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
9fbfc72ccac78a634c9abb4ac55afb11

SHA1
6fcfacefc93d143b082f0d0859fb4a0e266059a5

SHA256
ed47dc31ad9448fb83a5276b800f2052ff1667104ea611950fe535739a361e58

SHA512
4ff7843513df66be4786d27ccdf7161f74f879924b92b7c61b861799dd7141396d92d93fb2630150241ca38a7d8067cdc19cf506c1a4a8965a8b4024d421fec5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
66b2a9a69c241299ea3e1dc0a1c3409a

SHA1
9708525e76d2f18e42f237734d5e37504695cc4c

SHA256
16cdccc7157f80a3101300023c482c0357df7e12aee0d8f1bfecbfcbae84ea49

SHA512
e90bfe42399616fa4382953fd858934726a165cbeaeca3376420e337fe476c7afbcd23faac99339c10b12ec1c32b5198a6fb71833d8cb63343bb1af08c060b06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
8fe59d0b7f5a78b0fc33f267e51b9619

SHA1
38b7857a837b83bcde3d3024e3ccc6f7b0f17570

SHA256
e5ceeff311a3240a4b721b6993501ceb91e5163e4dcc577434d6f900c7e32ec0

SHA512
757bd0958652652b7af1d59260daf8269bd01888db3416cdd1a7c128d1d8d852016664592bbfe52bcd7ce3dcb067fbe7db0f2bf966efa9bdb75bd97bb650a139

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
487KB

MD5
e401078843c0e44f6d62897de167443d

SHA1
73a19bbfa828c62620e197d04290cd1de3b122a7

SHA256
0cecae5642c02c65d95c14a98a338450b1a5f5d71bcb0ffb96fe6bfb1eb5b0b9

SHA512
fa4c63d23122a3c4ab847b5f7f16b905c0e745ee046521737ff9dff5d5a1076f6317097035a516dfb23ef614b5504160b3628671c3982f92b77e12de6c78e117

Download Submit
C:\Windows\SysWOW64\notepad.exe.exe

Filesize
1.2MB

MD5
9fb13b7d6070ddb06a00ac7dfa9bba19

SHA1
4ad2780b0c82808f4e336477e2b23095674477b3

SHA256
7b7fa1ba0e6585c51c2b2848ff2db6f78254bd11033f14b495eda3b8aa65bca6

SHA512
66e348c86d3498f0e47c1945e1dfe648491cc0d4241b0e451156bc78769751a8d84ccb689854889d3ace0ace3341a702245f3912d545d59dae3d85c18cb2138e

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
memory/2796-0-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/3080-5-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/3876-10-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

Filesize
4KB

Download