Analysis

  • max time kernel
    145s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    29/02/2024, 02:27

General

  • Target

    ad742104f5da2b146e926f1eab741103.exe

  • Size

    2.9MB

  • MD5

    ad742104f5da2b146e926f1eab741103

  • SHA1

    0f8ddc0bf413c54159752ec412546ac8794a6819

  • SHA256

    7de456532b87725cb5be6a3b13d4859c1b3d0fcd220b1935741373b567c8803d

  • SHA512

    ca4ce3da260debbc9a87b7ff9e03f81bec5641e6eed36b27f24d9c900a749214b81f49686a72c8ae66b66f0d9a47ad1084cf235b6f2a9cf76744ec9802fd7dd9

  • SSDEEP

    24576:ZMMpXS0hN0V0HZSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0Ns:Kwi0L0qk3

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (5576) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • ASPack v2.12-2.42 4 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad742104f5da2b146e926f1eab741103.exe
    "C:\Users\Admin\AppData\Local\Temp\ad742104f5da2b146e926f1eab741103.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:968
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:2020

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-566096764-1992588923-1249862864-1000\desktop.ini.exe

          Filesize

          2.9MB

          MD5

          62a574f65928f653c749930deec85950

          SHA1

          944289936cf041364f0557fa91dd97f9da70caae

          SHA256

          0bd818a4a97e9f2644b2ea6463915f08c8f7fba5535babc89c9b8ee8c76d884f

          SHA512

          89b28c66b1f3657847d083fdbaae1ed1a714cd9658c8b2ec867e1d5587f3f3d22eec4ac3d8414c6b2573ba842b6cd78c18045a81f0eda2cf650a69df04ba78ea

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

          Filesize

          1KB

          MD5

          a37424efa5ce8524c442c3c1ca2a7140

          SHA1

          9ed81f7407dd3c5d81a239b185d863e913fe0aad

          SHA256

          eab90eecbed3583c217d66b173cd6ed406fbfa12147d84a037b8f298e0935bc5

          SHA512

          9522fbf3acec9f1f4a7376f01058ee7711c4a44a28d6627c6843e694624bd4cab6aa35b33100ce2999c93e147fcf9e139d770f7071b0763c51aa67827e7347fa

        • C:\Windows\SysWOW64\HelpMe.exe

          Filesize

          2.9MB

          MD5

          384ab83d8ed3c45c36d60d29741464eb

          SHA1

          2597285c83a7c9d358c939fc5a8ef06e5cc57583

          SHA256

          eb53033b855dab1f328d6d188fda583a6e6c1e06527eb8cf755a253df2f4cf32

          SHA512

          3bce8af44e0bdc91c275494750ed691ca5608c099057d7d79058c0d6f3cf391933f6dcdd00e726af91889d9a4ec94b10e8f9dda31fb6ee0a81289acd680c9015

        • F:\$RECYCLE.BIN\S-1-5-21-566096764-1992588923-1249862864-1000\desktop.ini.exe

          Filesize

          2.9MB

          MD5

          282d61d15b8697cae87c1a08d4ddadb5

          SHA1

          065f73ce2b1a558bf21ec4b9ac597553375e6844

          SHA256

          2691065b39e8369e4f56b3eb5e7ed17a49515c815d29fbae376e986222a3d0e8

          SHA512

          75b88682524dccc089c568d8c8d0cc8332e3675fec4af6012d7a76a099a72d8a6e5f1dac80be6f0c00e1cb697a501be82a31e046094aea2aaa6f455d13917228

        • F:\AUTORUN.INF

          Filesize

          145B

        • F:\AutoRun.exe

          Filesize

          2.9MB
