Analysis

  • max time kernel
    145s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/02/2024, 03:10

General

  • Target

    ad8a053573f17bcef0da88f613a5aa87.exe

  • Size

    477KB

  • MD5

    ad8a053573f17bcef0da88f613a5aa87

  • SHA1

    9a4ae2a8670bd1a80662f55974491033613a8523

  • SHA256

    a33402764a864c799f950d109bc8b176c56216d4fdb0cf09bcc281e02724f005

  • SHA512

    b0a92d633a3520a9a94ea580180293f07673b19fcf0f6b187dda6954c3d9d0dc70c7c38bdd67ca96de966659494762f7457fe2adc59ff93f7f4c67725f7a87d2

  • SSDEEP

    6144:LiMmXRH6pXfSb0ceR/VFAHh1kgcs0HW1kyApHhP+gDzvRAjZGrWmsu4lnEqR6q:5MMpXKb0hNGh1kG0HWnALbkr

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (5573) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • ASPack v2.12-2.42 4 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad8a053573f17bcef0da88f613a5aa87.exe
    "C:\Users\Admin\AppData\Local\Temp\ad8a053573f17bcef0da88f613a5aa87.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3272
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:3924

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-566096764-1992588923-1249862864-1000\desktop.ini.exe

          Filesize

          477KB

          MD5

          564eda99ff17e1851303bd8fef28babc

          SHA1

          7e14f31ffe4faa8b594082710558631f823fc200

          SHA256

          0aea16bb3bb638d69905e222061b9c15bf6d3c977911c97cdebce8a8e06e8a7b

          SHA512

          316d46ad1ebce8d5127b981b1ccfae5eabe83073769c4264658d6c624aa49f67e6e928a757df9880217ffb0992fd45f78590ca088f032f7a2f806a9015acc788

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

          Filesize

          1KB

          MD5

          4b4d50b792f8f66410b1f175d4967eb9

          SHA1

          9ed90c1762d7ef689f922e2fe4299acd19e5432f

          SHA256

          c065188ecf20be37b23f163987123fc7eeeaee37505a78ca7aaa82fe864bcce7

          SHA512

          0dfaa1a028c55837fcb0545fb28e9b1ac98c38a5dcd76e9fa272597c3569af60e27d7c06bce03000952ce2feb428e9f67019981c6d5b90144509c82395fac4fc

        • C:\Windows\SysWOW64\HelpMe.exe

          Filesize

          475KB

          MD5

          0ad94d1d5e36331067b4d0b470e21d6a

          SHA1

          02b345a4b2bceb1aac5663bae61d13f692514a2d

          SHA256

          d6f25f47371f29fecab67a4f9538aa92612029c6094c8102bbda6832f0a9f023

          SHA512

          49b470761affab9bd04b87b43ffbc71c9ea98063daa18668aebf99383982be66d1e142d5e0f804094d1047225cb0399963767ff9e69da0ff26000c296dccfd46

        • F:\$RECYCLE.BIN\S-1-5-21-566096764-1992588923-1249862864-1000\desktop.ini.exe

          Filesize

          477KB

          MD5

          12ddaee6587c142145565aeb9edcf1ac

          SHA1

          0e709ef44f5f77c8b45b6fd5f088c0bec22df95d

          SHA256

          73bd7232fad8f368c48276a9c2a705f6366e0f607eb67cdc77386b62c068f298

          SHA512

          a4bcc56e06bc92a2f1cbbe045640a0ebc9af99e2618c7ba8b0be882019aeb6c0f641dbbd39c084fec85e48cab9575af0dc4182a2bdcf2bb0c879e55c0acef36b

        • F:\AUTORUN.INF

          Filesize

          145B

          MD5

          ca13857b2fd3895a39f09d9dde3cca97

          SHA1

          8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

          SHA256

          cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

          SHA512

          55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

        • F:\AutoRun.exe

          Filesize

          477KB

          MD5

          ad8a053573f17bcef0da88f613a5aa87

          SHA1

          9a4ae2a8670bd1a80662f55974491033613a8523

          SHA256

          a33402764a864c799f950d109bc8b176c56216d4fdb0cf09bcc281e02724f005

          SHA512

          b0a92d633a3520a9a94ea580180293f07673b19fcf0f6b187dda6954c3d9d0dc70c7c38bdd67ca96de966659494762f7457fe2adc59ff93f7f4c67725f7a87d2

        • memory/3272-0-0x0000000002220000-0x0000000002221000-memory.dmp

          Filesize

          4KB

        • memory/3924-5-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

          Filesize

          4KB