cc65535243dfd3cd54a9c5ecfcb93c7f918a87c725e9c52925017ab92effe278

Resubmissions

15-10-2024 03:47

241015-ecgjlashrh 10

05-08-2024 04:49

240805-ffygys1eke 10

05-08-2024 03:50

240805-eee4jszepd 10

Analysis

max time kernel
145s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
Size

2.4MB
MD5

84e2bf751724e3b0acc70b67ee1b8e96
SHA1

2e1c9638b022901d67c69ef17c6acd12fd6e493f
SHA256

1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0
SHA512

56a229897c812cddd7f0b1847cf439f910350aa11138f7165b7c7f697095dfe5ee64e875e4262706c20e7bdbb59a94512386965e83ac9327b0b6967377882aef
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCp:eEtl9mRda12sX7hKB8NIyXbacAfe

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exeHelpMe.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

Processes:

1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exeHelpMe.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid	Process
4620	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exeHelpMe.exe

description	ioc	Process
File opened (read-only)	\??\U:	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\B:	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File opened (read-only)	\??\E:	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File opened (read-only)	\??\R:	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\A:	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File opened (read-only)	\??\I:	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File opened (read-only)	\??\T:	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File opened (read-only)	\??\Z:	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File opened (read-only)	\??\S:	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File opened (read-only)	\??\Y:	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\G:	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File opened (read-only)	\??\N:	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\L:	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\M:	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File opened (read-only)	\??\P:	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File opened (read-only)	\??\W:	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File opened (read-only)	\??\O:	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File opened (read-only)	\??\V:	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File opened (read-only)	\??\K:	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File opened (read-only)	\??\Q:	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File opened (read-only)	\??\X:	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\H:	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File opened (read-only)	\??\J:	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File opened (read-only)	\??\Z:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exeHelpMe.exe

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File opened for modification	C:\AUTORUN.INF	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

Processes:

1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exeHelpMe.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exeHelpMe.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HelpMe.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe

description	pid	Process	procid_target
PID 2660 wrote to memory of 4620	2660	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe	83
PID 2660 wrote to memory of 4620	2660	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe	83
PID 2660 wrote to memory of 4620	2660	1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe	83

C:\Users\Admin\AppData\Local\Temp\1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe
"C:\Users\Admin\AppData\Local\Temp\1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.exe

Filesize
2.4MB

MD5
317dd23d32f28d5ad8a1587f1c77edf4

SHA1
91ef4757adb6a8060af1311ac26289c3088d17c7

SHA256
fab6706d062757f62b33647164f344f9224fee81d1181a4d33c8b9b57d7f2196

SHA512
9839a8f535c9dfe202234af7f38f524625ed7c90eaaeeba89a7a4e0703d914d2d0706e5691897a712c935162c356800a71f2211951ae5a4d734f9938f9c9a289

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
4f3dd8747e13891243a7bb153b92d875

SHA1
7d002029dfca84f9da370d77ce0fca56e3353e47

SHA256
0da7cdeb210a20c52c9896fc449a558e6fd1a55faabce598d959a38eff214263

SHA512
cc1c1bb2a406a484744ce13e260c0f91a77c51f98ec91b10734b87c16e6810c89617082931bdd60fe0c9d7e0fc1af61989e4d56f1a709af4df58b26a856d9f3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
75e5f75f4629ae91ae37da37c18649b0

SHA1
f7666c1f58cc34beda471a3a57dc2ced2691c294

SHA256
90dc4c33d9b347feea17b8917af93ee554c7ccb5d0cb5997302a3105f704e7f5

SHA512
a72378f75aa07956592edbebe5fb8e6e7e6befd26ad80a0fccee294b62d311548e56cc89eed7c333a5d2536466294c9c494db504f50ede3f4c5210addf500f64

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
9305e262356b517a716efff9cee71de0

SHA1
fdbe4ebc8640874cdc18665fdb436dd6db032714

SHA256
a8adc3019110a65a058de6705cd4577f1a66d6fecd1fde2ab82a7e51ce3c1c9e

SHA512
af71f2f6dafc8c280d69c25a871c7da2f2eb6a8d4ab140a438df7cb2d886d9c43e6bd07b3bacb9c4a1e3fdcfcc606c1654f062728f5589e98cc2356ca9a3424a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2a6f08f0b54ee9af2236d966125cdb5d

SHA1
f559ed0b51cefd4dd5dd86e6d6846c3ff5cdd6d6

SHA256
16072563b8ccdb9de59db4eb41cd4ee901b8d9e210ccd991935e9371a4d08d9a

SHA512
0cc1457e9c7ad1f2ddd328ab5838eb140bf44645a3253be875d28d22512f94ffca423a69cc7cac99fe9d24672dcd7aaa503625077f0832ea218af8720011f143

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
b92ab2966e76825bc1ae6b5b99093fb7

SHA1
d5067527e870cdf69038673067562f9123578516

SHA256
1ec493c19d9b8360514c8870a45c5fff4ebc9fe1a8b502ceb211ed8bc825dbce

SHA512
afc96b1ca4b3bb53408f22c1edf94db21f26a9a9fb77b0edb3e61d4f0df11c251783ef4329cebc0fa5baeade2acfe2db6b0a561fbba29f5ae94d58172429594f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e321f7703a5e74d2ab1c6338310ed8b5

SHA1
9b2894185d6d9c25b984e8e5cfe9fa27585010cf

SHA256
b954e10e6d2b4b2d94365c98f3118c23873dc8ae2333e2a66167bd6ff98f8c7e

SHA512
034993db8e3c20a81457ccd63d541c745000c0a4b40797b174a2c8ce8a22b90a257f4676937ab616219c00815bd387a1251b6fe8bac3bc53e3b2206d6af7326a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7be93479141607e1e24c1e509ae5b5a7

SHA1
0e40b2f310ec3641fb364cf929ede563ae64a13c

SHA256
66eeab0c2b0ef800733dac7e2daaada71cb4904fb3ddc698bce1cf8c945a99ea

SHA512
5d6dede7c73f960fbcdaa02afb91bbddd78b8c2e65009665a03d2e9a5bc1d2b1f5b75148dcb7b75b22f465dc3caa40ba332ab18fb7ab93e6835ceb7ed4a35fe4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
3bf632ac7c5a3c8d1bab4b6178cdb52c

SHA1
c6e2a058ecc5ce097eb6d9ff82f27f194f12fe06

SHA256
56a4c8d52fac04313c74961c4cc628164f05f0844f6dfab0f4a6905f1ab43cd5

SHA512
310e2b006865aacafc08bc129f31c7a3cbb638178aff47b4ce79771ae7c2f1c65e88b4839e998f6d43c26a2e0e7da9b80eea3a31354c0ec795daf7e4e03d6dd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f7c4a65f6784634fc05a96dbc090f93d

SHA1
83f68e9c2ca14ed00d64fbc7bf89ce6d8e39684e

SHA256
0d135b8fb885da3879c924d480cf9fbdce8390eb7a0c9857833a13703b07e845

SHA512
ccbc640cfcff057e3e98dadc2865be7a0a719f3199d096507d45c3358a16189c66721f8d08dd35d642ecc8384fea02cf0a41e7a5e4bcb0d5352e2118f8c40a03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
da3a2fedb8d17c713a4a71bf1cbf9e31

SHA1
a438fe7d50dae0cbfbc89c7e3c829a3a6e46e989

SHA256
b34d57e670cf903a4c58dbe9be5751887257b081a9fc6800e8357e98def61598

SHA512
bc447ff758514b9c1a4e925afb8e34d5e8cc02827cf1c189384086f0cad7c96acd65e8b7acb32eff96cba13664f63da892d9b23448b45b73d23a3997b224f176

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2db55d8b034fe2b12436e137d37d9d65

SHA1
985baa34053e21fd74fa4e9dfaf54b685a314c05

SHA256
63d23b34b8cbd07ce5c8eaa2dd65f6b8be13a8ceaaa4df10bb9003c96c47eda8

SHA512
5852fdc1bb7d9aa67d1556b98e5fbd817d7904e854e25022327e68a5f4c1f914f6e737f09c98db8fdd37b569ae1f08d74755feb84cef33cd9e588ab5b07fc211

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
81e0a9aef67660823b8438b3b8ae9906

SHA1
3c31adf5d3cff509fce02b847201de9edce7cb09

SHA256
2df5b0f54bc327e5274b015135c1c26eba2c005085f4afce0aacde2d5ea0f3c6

SHA512
da1b3d7d0b6a0cb6c11c839f0d01c969358f5ca5705bf86a2541490df6d715675b8006f851459265922cf1bdc2d0d9376c82c762bd5dd417285170d41eb70225

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
94f38cd54eea78d1ae9581aae567c848

SHA1
6c386fe67c5c1be62982a3253c80cfcbcb6f2f00

SHA256
975795c07d0103aea5d23910acaf9c66bf98b6c8b4bcdfaad7859afcfcfe9a83

SHA512
bf81732f5fffc63663de562c39a736809f8991ac7c07c0cca842c53e7367cb4dc5fa102d98c47b80fcc5f53cff5e0821d7b2d219347285a67edb13ed2ea988ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
2df4f8c2ba39f22415e83fd0834077aa

SHA1
1949608498038085263e24f4cc432b8731e2eea5

SHA256
adeba92f017b0b0927a26b690f12c6a57f0c1506a4cc4698bcf5b870a3d6f009

SHA512
e0cbf2ac51e5306fe3b787433c2a5d7b054f341809b569c1d2eee28fada4f7ab49a256ba3c256d21848f8b9d4d88c69acf0a1f59ad180e060a47bb0fcb77ed4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
713aa2ae7258b2f6cfe23194d77224d8

SHA1
84372c390d8f49d3ef814aa86606509063f923d8

SHA256
3ddf88ed0caec5d411c0806a27a44d8f67787a70f99c9579bfb99828afeb8433

SHA512
8ce284151631673e2c363c0df7abff90f6db7097fcb4fba2002a26ca5e04f46213bac465edf7b214db6012ef24f09104f3f5d0463fec9da5d0472db3f414965a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0d6277860e016074de7cd1f4786c493c

SHA1
e02b5069af3487d70d095fc23bc43d2061348f9b

SHA256
ff21f742295e1e5a2b44ae452fda639fe906e3478abd81e94bbff78f15d33be4

SHA512
bd401ae2189401f1355ed92c92b974b223c449429e20afe5a82022d675c5fbdd87de44eff8d17482eb2d4eb6b34e15ab76617357b71c76c4997a1b1f1cbe8747

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
363e2abd4cc9e36c0bd49760d4b92c61

SHA1
3528ed32e488c3d798d6c7197a3751f55318dfec

SHA256
e4c2d4ad6f8e80577bb577919ab94c6135ca480e7bd773357e1a227b615c16fa

SHA512
b748dd848d5a138a030911ef16da46d128624ef4f64a51006a4e0173b86f338b87ebad9557dff0a3da5791cd1fdaf33cd19c6c9da334111fd0c232132d49bafa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e27482e686b33e8f65dd57b3681333ce

SHA1
51080c553ab16aba88fdb56bc188ee2c7da270bb

SHA256
ec83c46bf9af328f14b79c79430d5e60624409cb4cb59117469c836484bacfd7

SHA512
7686ebbdf80bce7633975ccd08b0d3734e7b907c29512e80a97f646f41faa571114158a5c5228fe07044ddf42318d259dbfb63b1e750c69b0e90cfbea225ad57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
134f1668b70f2af5c2296c9320d375dc

SHA1
1d06e25554a6a35be2c069b92c4d436f9e2146c4

SHA256
855dcf9e482a1f1115f7a83551d66f2f0167f9f398498b7763576df36e307b78

SHA512
52cf60c3184e9e0f4a0a863d0dc2db8b1707dfa3f994503fd5e19e76b90a05c7f7f5629d8c7d490bea6926b01bcc1a9b71139489331d46d1db62ef521d85f789

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
bb9e119843765f7d682e48edabb2c6ff

SHA1
063342567bfc895560fc75cd1b2bfcea3e550891

SHA256
1803ea9adceef85fb5085cf9254e661b3bf9fdfba6ded84c36c7724d313ee6bb

SHA512
1835bed0054ea775b769b3cbffd1fcd03624839c5225696a33bf61767b41248cefc523dc56ab9e505de0e039231bfadaa90dedbc5bc9ad79b8d36bb392474862

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
933486ae8ab357d740a65b9b5bc4df1e

SHA1
e6490457b83d9a2bdf923f930bf04126bae280bc

SHA256
b0780fde90175de0ec277f3bab75a74026c7f1c60ef863ca6ab0a92cb79f1533

SHA512
a17becb8e71bfe4be6f580ed5d58ce546ac122adb62aca305b30f5447c8233807d8c228e6af6d042a3de9c86a13b7abe0fac376e415fd5169ba44396f845f380

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
8fb2be1d2ddb5dd09f2b3bd84a1935ff

SHA1
b87d795c1c3bedeb1787f36c0cf141e7bcfc5742

SHA256
309454f03fb9cf0a83786651b7905ae5ab598e9bf362234c6250ef5d06b471a2

SHA512
8b82fa289c20d859d8a4b7d1cccdadabd588e18ccd85b154adda10c0d8bdc202441bca158da4d5bab2dda9569c9bebc465a88272f7c9a2c9f50f6ef286939788

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
2309aa83849e5cd573bb5051794146c0

SHA1
74f6e140394c08035e639d5296cc02712ce010b1

SHA256
12bc27b381840beea134feb645deb2ac596c16f79e4044bd11c7e396f35e595a

SHA512
b2cfd44b2643f625830a11c47e0b87e93646c4412cdec61fde516e9e1b208118f73e0d2a1c84c0489a2c708b84e83c1c0a2fb5db2f33d388c46eddc56922b590

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e5b9e489c79d3ae88cc6ede0c29c032f

SHA1
df035a0da3e9cfaac4ffa3977f0a3c865a83ab8c

SHA256
102def178b39d056c5e7eb064a42a13e7e49faee5044e0ad30c5f5f1bb3462e3

SHA512
1c2295fe25ff778689d5b2d9cc1bbe601698671e2eaf8994162df6dd6cd0eb2512405d90e7fa2a2e7b6d319b3306b511cc587c079740bf23a26db42a0a5b9e80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
24907ebc4e3d5dfa6b2968fe33b9c806

SHA1
d3b7987febfb3fb2bd46cb051100565dd4fcb835

SHA256
263553b0bdf55d405d42aab9634f8270c9653352df09089289f548932f4cc6e4

SHA512
d3f0fc817ccc0cfbc6aa4a348fd38ac1dd184a9dd32ecf4ac9009e63ae8051885aebe0c7ad5dd339522eec25d75cb5789d8261c015ad1bac99b392269ef014ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
b6c90df6feb6e061f6e598ef28f82cd5

SHA1
70e70dbd01766be51a3ff9c6a973f7dd5124c405

SHA256
c0f9d7245975bcdec179a7d89b1d36f63c0f39adc371b0bbda91d2d934b938ea

SHA512
3e0718e2940387cc88f2c7bf1b62c45e86e385620886359cf753e1d32d186a4129de29b4bd52d9d642e16f002880363033dc6f494322388efe569fa3bf4ecdea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
243d51dd0ea50ad6b9bc75ef7d343343

SHA1
47c4a893840450326c27281e9941ac4cb6d12d32

SHA256
a19d2bfe50d1f1a2e5d47bc8e08bc73490f2b287de72bcc622f4337446e40eaa

SHA512
45ede760c748f297e3f9140241f06648e6812551be5c67a55cc7611dee336b50b007bcc3d2c0bcfdf3ec63adad10e5cacd07dd9e69d3316919cb626372a221ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e3cf953f3ddb672bba0351d381ce61ab

SHA1
4355cdb7c60aca6fb8d19d0e156930918abdd657

SHA256
f12779e0215c04fc72a56bd77221acdbbeac5d100d322f5cece5b19eeb383740

SHA512
3f9a02bd0788f61b4ac2ee40bdfbc946602e30b0cfade39b5dfd692d211a4445c0a7e662f145eb973f87aa03833701333e3b2560b21d2ad33ec0600ecf4028f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
153c96f15b6bf1c99e211717dc1a24ea

SHA1
a331cb5c8e55fd20530993cc2aba31f2ad17eaf5

SHA256
ada6c4bdfe092e90db28da29f01036dd57b61c81b1347953f1370ad1aacf6c56

SHA512
f7453a20cfadc47411018187c97380439b3519eac2e50eabe42f01265bd6d220c3aa038c35e2f75dc23402f917edf0d9d023eb9d17d69e6a782e83d6f0b36f41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
eb4ead3d42cf98a6dd530a54f09b171d

SHA1
4c7021badb224e87a6e60595aad1fba1a361450f

SHA256
4f8f42f7584193e029c4a3fe91c1429586ad82a2dd86ee675aa685f256dd87ee

SHA512
57790e04deca6a51b6583c64c8a7ec15e50121adbb571af4b8c24dbec1e8927fd03ae289204790871044a31a981ebf06dcdd72efd5c42e0475a1e015d2be429d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
a0806f9ba653a8612dbfa3f8f4a5976e

SHA1
feea7994d455caa8dfb34fea4630b708ad2e54d3

SHA256
5b16b77f0c095e9b63dc29a905ce7dd5df411c51f4b33f916860fee4c1c31c1a

SHA512
01711543ec3677241c84c3c66bb90b25a54bc75ea7096a6c3bab894f97cdd85a0841fe836ab606ad28dfb9da3edefd42ab22ed7fc42e3105c270344dcbf83e87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
883f59783147ee8a8b7730853cede030

SHA1
ab2682d5d447f7d28c76cd2b62826d2999a60b04

SHA256
d58916087be034948b5e6c678ffe0465c147be93abbdace9dd1101e9296120c4

SHA512
442c94821f36eb0ce7c7ed26b5ef4c27a272e34f11544ce137e069f1e35fe431675befa4619fe7ab68ef1871ea987b4700c6249f0d53a2be623098cdd1476a3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5ea1b3ebdac631b358ad6664de2609c6

SHA1
cf1c1840796dbc28012c9b2b98311b224392b7c1

SHA256
216f807bd198ce38087fa9210d9b75b84dc84cb4bc14ef68aaca215a1cfbbbfe

SHA512
ec74455e2c01ece36a072f48c02bf1e0e2216a6c844a63bc9adff716f5b83f4479ac8d3670b7a97a9faed02040fdfb6c53e71fd0c488dbdbfa35c1d8dde2679f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
730a7917acd671873959667ab74ae9c8

SHA1
10bd67affe03b612a427feb0aa68733430a21db5

SHA256
3f2e0198e90b95c1f3ca7ccf2f63f350a69611ec9b102a1d582297eb961c9ca2

SHA512
d7d3e26b9f4392ef015c72b439c60def248958ac8a3157fdfc9af435ea1871b3f4f7baea2c457a69c44e704d45a91c1d73446c73a2f6cc829c29a01cafab5d45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
34229d0cadb57235a2cc0b3d48f814c3

SHA1
65ea734634129049826c69bfc468be78fca73bda

SHA256
8fc90872168e51f022a7b6fe92c0ff552af5a702c50f576a68c6cdb4d0c71b52

SHA512
11e0db11e7e10981b4d22ae469bbc3c5704ae954b160b67a502e6ff0332d7f89fad543028eaa5d266efd39525eeb2d9d9a10a0ee580fc85bba80179cd014654f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
5dce206c92d9f266d339144a8bebba75

SHA1
0174da8a88f6eb17d192b3d9638da65110d05f54

SHA256
bde6f07b9a83b5bf0a7bcf5ac7ac13683973c31e1ea9f13b032bcddea69ef196

SHA512
b48c4dbf1d23631f44aabb8d07c315fb8b83508d4c96f205695b8dda2db9f1b105c24ed2f5c09f27d67a9499c4a58544271b5106ba1b0f359adcb97510c906db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
29aaf880a69e053b5f7689ba47c2862a

SHA1
82ab694bd8386b5f1b61a8fd929b76174203f343

SHA256
1af2f919a2fba50c1c475003eebe4fab39b55214ebc8d889c46befecd6cc5cf5

SHA512
3d0c57135f73122cfafb81cbdf6d555525d83f09ae39b786f5de527a14ea6b27f3bc4822a217c852a18894c3bc597f14e19c9157f5285bbca9fbadb736dfd779

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
cc498823db42faa9b81270ad298ae3d6

SHA1
1c227667e97b407f7a7f252ee89a80918d6edbc1

SHA256
0f5fba81d607c7fb7ed77f4dffd02c9a775373bca8a9cbe8954dc8ecfbb2f42d

SHA512
cb0ff24fc9478ea6d3a6a53871fa08fff2e5fd2279ac66ba22576880a44b295eee515c1f71b7593ac5508e0f81311c0b3fd2fdbdfa5e09c6185282165a2e42fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1698714fc27eb37bf79ea77e9d11a62a

SHA1
0b98929e0c7df2301d90c3885c9fcab2fcbb6c2c

SHA256
fb6802e517ab12bf6c20629f8b4b07539038116579012d4abdda7785e8a5f51d

SHA512
7efcca7453e71f348919ae2b69360abb1cf558d3d1d9c0e77b4bc313098da2bbf33e9b5ac0244fd96c7381d0aacb3d5f06793f421736574b97b81c57654e7b18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e43147b4a87aea9c367149341f101b1a

SHA1
8e0cbe8a03f054660ebb7f661f8194ba144abe06

SHA256
545843b1ed35d10b23207df5441df0bea059bfb3e75684f51d9ba6c107b8f7af

SHA512
b290184d5fa1ee4d955228c9ff47fb0091cea8c92b1254e8111e06401762d05c6e6b87a2e0906808d14a3b6203e1868d55fc62a0a8a1abddd5bd2e8e856b0383

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
56958cf864a61d0539301613e8bbb399

SHA1
fc55353eeaefcde53b37e4ac5fa64b86c892ff96

SHA256
86079a8bfdeb87c7895c91c1cf857e0fbbb7ddd8687d04fe308e9a4dceb01cef

SHA512
eba73c828fd738432defea3b9a1a8182c07fbc4643b46163320a380b30f2fd8952f21a91ff802eb62335c4e1b9b38a149708f6db23f693d05a97836612fe7555

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
76026c69fc1832b439937cbbd433316b

SHA1
6ba121ef92db84e869baa89995845dddc10518b5

SHA256
91a45999b99854fd156ccce4e474aebe5d24162f2450f0b5afc9881417bdc141

SHA512
632bfe229f905de8de8060d2bf607e46f654a29105f276d5464da71581423155a6cf4d123c17555efb0dbea16c71b61d5b33ac82ecc18b24dcdde6f1bf76123b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a0bd4f51b9499851d6389d4ef064dd6c

SHA1
b9f92e19351d5295baaf5ee57ab9a152a0d4c6ba

SHA256
bc0d1f78ba50253193a8b9244fab1597a7ad0210d9273f554309839046b5d495

SHA512
ae6357432690a7ef1bf9ceb3ae9408863ecdf720cc0072f23d79685f1d93b76ec8da6a7e4d7d38c9b668a8ac1a59bfa1a49ec0c7e72e8b34503d2cb9163d93ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
12305cd47a055f39bca8fcf3eaad02bd

SHA1
2ed2250a4e7deb006057bc29c3c5bc5afe11ae12

SHA256
5d57f11203936d6b051847c1e60dfd3585b1f4fe1eef73a8a37ecaf66f968a9d

SHA512
92a56d44c6bd7f96ee64cdf222a6671d687b8ac674b568d0de9a45d38c8d5bc4bc9e1f9c3c9e7b73b76da2939e139cc2ea2bcf78c8cc9bfc0f4929c29d08d1eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7900351ba3683ed170a92dcc7b0db4b3

SHA1
80002fcb53863eb6de6caa0aababc3bb390657e5

SHA256
e429cad5ac9ccdbbc052926c547fd1c1fd361185da4f4aa165771a0f45be931b

SHA512
cb84f97c76497809220fec2921c4604b0f2cf3560e6f664b22a24777e5b4c794bd2f68592ae79fe6766dc0364afcdade26697eefee75ef3701d615b5acd47b5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
98b359fa8c210f699706dcf36821cb67

SHA1
a787e0f692c408056177abd6e8dd70e72c81eb8f

SHA256
381e7bb1badf9d269a4bd3b0cf80e339f0c1ed2d7430d6984f60136a827aef6c

SHA512
78956cbaf4a3d56fe871f5982e13176c0702d682649e06174fd58fd671c4843d3968950c8979b2df73ca417ccc70ff6f1d1f3f2f79da3dc63a5a26615448d4d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4bf7314270cb758dd5a69098e247df3a

SHA1
ed0279c9052aac85b1c316c190216007fbf11d30

SHA256
d7e2e5c069421e16f512a7d49092f84f103bdf93c8f9db7da6242ab707eec698

SHA512
563a2315406fa7b8ba36cb2df2b5832b454f05ab83eee6dd1c5beba872d372d4873193ee56b4c043bece15f9446e16949c08b7ee5904e081bfab7261b83284a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
2b8cdc3e49e25793324759e17eb34b81

SHA1
748a5c37f338d19658b481aadfacda687e49a96b

SHA256
9e673ff3dca6aa2fbe866be49ce8c34d525711d4968f0b12c9074d8b8cc78972

SHA512
859073f8b0bd2832066a9cb5c80965e93c513425551cb19f2a0502f03ff4cf794ea19cf391af179c32199ee2659f7bb8531512ab8ecb925497688473ea601a5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1f0998921ec5e90f49d925a8cdc90956

SHA1
a23e030be605e47be81b651736d237a622d1460e

SHA256
2c6f3fa9badd821de41601fb3fe3b72f45cc675947db86208b31a24a39eb6eee

SHA512
8651700d355a259d8f89e456664c9cb923af0e3605c51ab29d2af4330193f4e8a3d38bb34bb0a0f922f3fa06564cc31f436d085d949589b2b80711843691b035

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
3186b2fa1bccd38746b3fa55865556ce

SHA1
37c87959085f3f2903592330b8bb745d8917c79f

SHA256
7cdbe203acf89434221c69804bf8bd1e44b413376fbb509301c80a84d73e3ee9

SHA512
81b61776570826a77acba1f44ab6cb5fb64721a8d2848521b8b394b3d957840261becb7bf914ac4e64e8f68f1c4cb2a79280b375f0f63aa1dbde69b926800dcb

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.exe

Filesize
2.4MB

MD5
fc8a23de2b587ac6bff9dc79ce4f3e03

SHA1
9979bfa9521ae3eeb5e5842813ab3eea8c874b36

SHA256
18c0242a9f4475a9944d05a6d49d874af76332a065a03e46af2706060199e20f

SHA512
583eb168fac43aba958e9b36ae15bbcc7b3551c90fef82cb6cb58bc1b1efdb52698f403631e48919f2fa42132bcb07e455ed5c8af5eb24f9fcf1c15700698541

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
2.4MB

MD5
84e2bf751724e3b0acc70b67ee1b8e96

SHA1
2e1c9638b022901d67c69ef17c6acd12fd6e493f

SHA256
1db9ec5678e417eef3d6e080a031c8adfc1fc85127317b952bc33733d93841e0

SHA512
56a229897c812cddd7f0b1847cf439f910350aa11138f7165b7c7f697095dfe5ee64e875e4262706c20e7bdbb59a94512386965e83ac9327b0b6967377882aef

Download Submit
memory/2660-54-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2660-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2660-1-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/4620-7-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/4620-6-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4620-59-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download