Analysis

  • max time kernel
    145s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    04/03/2024, 21:49

General

  • Target

    b32f8e38b6835b37ce52f3aca570ef8a.exe

  • Size

    1.1MB

  • MD5

    b32f8e38b6835b37ce52f3aca570ef8a

  • SHA1

    bb15c07e0bf974d09e45954556de0592c4b57d08

  • SHA256

    dd776f08b03b1ef85c1eaf1b3d6b945f003a04d8ca1570de6276ca73de37e814

  • SHA512

    dd2833c1efe50cb5f220bf28bf1ef57394db8aad34b34499352c68306ed6b753efc0afb7038daef388380cb4a34eecf0ea85a099e4ce5eb3efe024c311e18b73

  • SSDEEP

    12288:5MMpXKb0hNGh1kG0HWnALbLw+VsLkjrVlQB9FbDTF53nlNFRpO50w9XCfyGjN1PS:5MMpXS0hN0V0HvwkSGr

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (5581) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • ASPack v2.12-2.42 4 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b32f8e38b6835b37ce52f3aca570ef8a.exe
    "C:\Users\Admin\AppData\Local\Temp\b32f8e38b6835b37ce52f3aca570ef8a.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:3016

Network

        MITRE ATT&CK Enterprise v15

        Downloads
