Analysis

  • max time kernel
    152s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-02-2024 19:31

General

  • Target

    a292ea775423dd6fe1d3238b860d2ce1.exe

  • Size

    1.3MB

  • MD5

    a292ea775423dd6fe1d3238b860d2ce1

  • SHA1

    f974164c6aa0a023d2f76505148915ab58aa186e

  • SHA256

    3d03fe5cd1390db7fa94660e059b43c172ba18a0c239081efabb268ac237f1fe

  • SHA512

    7c480ec0b94fc60e58852079751d63c1ca97d12fbf45136780ad5a4537679d96267f540981d2f1021fdc4294240df75e2f51f6e9c71ef44d8040847e41ef41ad

  • SSDEEP

    24576:ZMMpXS0hN0V0HZSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0Nq:Kwi0L0qkIA

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (1282) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • ASPack v2.12-2.42 4 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a292ea775423dd6fe1d3238b860d2ce1.exe
    "C:\Users\Admin\AppData\Local\Temp\a292ea775423dd6fe1d3238b860d2ce1.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:528

Network

MITRE ATT&CK Enterprise v15

Downloads
