Analysis

  • max time kernel
    145s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    04/03/2024, 22:07

General

  • Target

    b337b7825c832c6a31a5207d22d5f987.exe

  • Size

    970KB

  • MD5

    b337b7825c832c6a31a5207d22d5f987

  • SHA1

    a73f1613c58aeb342afa205a0a7c3fe6dc93de62

  • SHA256

    5827dc336f6100d98832279ffa07c57f93ed8f233644977f519b2ac2d687936e

  • SHA512

    98002aee61204d22bb526d3e34b11c7852f163e0671a40dda28706196296432741867a9e743e1cea45a8e6d43d597dee2e3259d16d394a89d60114b808a4deaf

  • SSDEEP

    12288:5MMpXKb0hNGh1kG0HWnAL7MMpXKb0hNGh1kG0HWnALa:5MMpXS0hN0V0H7MMpXS0hN0V0Ha

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (5573) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • ASPack v2.12-2.42 4 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe
    "C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3404
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:4656

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3270530367-132075249-2153716227-1000\desktop.ini.exe

          Filesize

          971KB

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

          Filesize

          1KB

        • C:\Windows\SysWOW64\HelpMe.exe

          Filesize

          969KB

        • F:\$RECYCLE.BIN\S-1-5-21-3270530367-132075249-2153716227-1000\desktop.ini.exe

          Filesize

          971KB

        • F:\AUTORUN.INF

          Filesize

          145B

        • F:\AutoRun.exe

          Filesize

          970KB

        • memory/3404-7846-0x00000000020D0000-0x00000000020D1000-memory.dmp

          Filesize

          4KB

        • memory/3404-0-0x00000000020D0000-0x00000000020D1000-memory.dmp

          Filesize

          4KB

        • memory/4656-5-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

          Filesize

          4KB