Analysis

  • max time kernel
    151s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-10-2022 00:18

General

  • Target

    e85491ccbfb467b9b6afdb6e8859326dc97fb158b6b077d6eff1db140f5d086e.exe

  • Size

    507KB

  • MD5

    6f86f42ca121495987e35e20f5c8f080

  • SHA1

    414429facddf14b8b4bf9609d19e97ffc1e5272c

  • SHA256

    e85491ccbfb467b9b6afdb6e8859326dc97fb158b6b077d6eff1db140f5d086e

  • SHA512

    846874c419552eee2a2b9dd54459482086d4d47342888e5ec9344359135196dfd96b395988cc8428e6faf9c00b0e09cfec48d841752d7d39931d0b308722119c

  • SSDEEP

    6144:k82p4pFHfzMepymgWPnviP6Koa0nArn20l96tCF2eKNBDRlC8HQQDhy5OwbYBil0:Cp4pNfz3ymJnJ8QCFkxCaQTOl20

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e85491ccbfb467b9b6afdb6e8859326dc97fb158b6b077d6eff1db140f5d086e.exe
    "C:\Users\Admin\AppData\Local\Temp\e85491ccbfb467b9b6afdb6e8859326dc97fb158b6b077d6eff1db140f5d086e.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Drops startup file
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:1780

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\desktop.ini.exe

    Filesize

    508KB

    MD5

    117c301ea2275efa4638120355c44b2b

    SHA1

    4ad15bd7691c48187b5479cf71f9f966f26fbebb

    SHA256

    08b663532fb78232c493a76234004a2594807f2e73c3e9d7f338bcd11ccf1072

    SHA512

    6129f1e59383ee0c59ef4251de99946769d0218b72791b53c3851bb7c8ef7634eb40df2dcdea1e9bc189337de0d928ee702056781cd56ec57369b245534eaa15

  • C:\AutoRun.exe

    Filesize

    507KB

    MD5

    6f86f42ca121495987e35e20f5c8f080

    SHA1

    414429facddf14b8b4bf9609d19e97ffc1e5272c

    SHA256

    e85491ccbfb467b9b6afdb6e8859326dc97fb158b6b077d6eff1db140f5d086e

    SHA512

    846874c419552eee2a2b9dd54459482086d4d47342888e5ec9344359135196dfd96b395988cc8428e6faf9c00b0e09cfec48d841752d7d39931d0b308722119c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    1460ecdfb95662ab9b354539b3605b80

    SHA1

    7817f7b68a43516fb65790054bc4e84531f25d53

    SHA256

    587a2ec9ca6a3079537b40a9f747ba9adf3155f90bd8fbdb72c3321d06564354

    SHA512

    30d139d40cbd4e403f53cb0c29e666b9fde4ed4b47c432dd874062dcf1d4c9662fc632872461cfa1c8d4250013ad6d63ad8ad870fbbea7403378d086f4449832

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    954B

    MD5

    2557956504eaa7046f91ea470b36af3b

    SHA1

    ec884a0f91f72d02290e43d4bb632a175bf9a732

    SHA256

    725a08ef7a1b231d1d69b76a5f89d4cdee2e3919a391d6b45c024c246902b7b8

    SHA512

    0202930114aa48a4a08e13b39262fb21f7be635e3aa7c4a0d2c4a585300ac8b93eff77652b4d9ac2c8bfca4b6efaa96d34e4f3dbe2d4a176eea9fbf4672f9a54

  • C:\Windows\SysWOW64\HelpMe.exe

    Filesize

    506KB

    MD5

    1bff3eeffd9be4e40e95b2e31b9f2c89

    SHA1

    527697e91a30615e1294b629f6b87792a6b9d64d

    SHA256

    e8a2e4e71278e0cbd3bd17204be038fff85293ad580b0fd8a08f934a391efaf6

    SHA512

    be4241b26002149561dc75301908ce21b29b04e3bc49e798a776f2f936da60e93281a514d06777bab3c3ee8ab691c8356a69e95cfd2d6549a8976510d7554cc0

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    506KB

    MD5

    1bff3eeffd9be4e40e95b2e31b9f2c89

    SHA1

    527697e91a30615e1294b629f6b87792a6b9d64d

    SHA256

    e8a2e4e71278e0cbd3bd17204be038fff85293ad580b0fd8a08f934a391efaf6

    SHA512

    be4241b26002149561dc75301908ce21b29b04e3bc49e798a776f2f936da60e93281a514d06777bab3c3ee8ab691c8356a69e95cfd2d6549a8976510d7554cc0

  • memory/1780-57-0x0000000000000000-mapping.dmp

  • memory/1792-54-0x0000000076321000-0x0000000076323000-memory.dmp

    Filesize

    8KB