Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    05/03/2024, 06:33

General

  • Target

    b40701c5063a64941f1349a81569bb17.exe

  • Size

    845KB

  • MD5

    b40701c5063a64941f1349a81569bb17

  • SHA1

    7dc15f4095254976c893cb259d6335e26bbbb38e

  • SHA256

    c95a2621b681fd189ae9c5eb45ca5dd4ecd148f15541d053963ae79e387a1e64

  • SHA512

    e6f56a7eb214690b4b747de69e94721bd372a46960807848e54d94db015b1f0f3c1fab8fc697ff33b709cb262429bd4a0d23dfd75b05c760dda92436f7780cf1

  • SSDEEP

    12288:ZMMpXKb0hNGh1kG0HWnAOERhC1sltHlYahyxd7iixf18Hm1JH:ZMMpXS0hN0V0H6ER2IHyeE7iixWHm1JH

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (5572) files with added filename extension

    This suggests ransomware activity: encrypting all the files on the system.

  • ASPack v2.12-2.42 4 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b40701c5063a64941f1349a81569bb17.exe
    "C:\Users\Admin\AppData\Local\Temp\b40701c5063a64941f1349a81569bb17.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2400
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:2640

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-513485977-2495024337-1260977654-1000\desktop.ini.exe

          Filesize

          846KB

          MD5

          82af25016fc7cdd8f1edbd97761feb99

          SHA1

          18ff52abee6fa48011eed6c90d49ab18e3e1d044

          SHA256

          f2bd539cb9b0edf5a4abbfdabe0c35dd025faa3ece61d47da2640eb54a3cf53d

          SHA512

          6061b8c10de6fbc9940490995f365cded5adc3ae6e1e65c2239fd4d9ee05f521a431e148e81e0e23d928cf412adb78d746137a7e6da9bd3874f1bf27e1f91344

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

          Filesize

          1KB

          MD5

          ad41f4f47441cef0b7e3289232dcbe27

          SHA1

          3578f10417cb562079f574e776cc46bcb3d221a3

          SHA256

          ebf5636e8f1b11ab93ccba946501b1d4fbd53117481afe81a3f2c7c2dd8822cc

          SHA512

          3416f6e6abe294c3d9af3f80de765917321d59b4632939408ede266845d312d17daca6e5a7689eb9e56a75d2133821fe67a707934fa2a2b47b028dd4f7be1a16

        • C:\Windows\SysWOW64\HelpMe.exe

          Filesize

          603KB

          MD5

          03f9d2d8776db4795a9b4dba18236af0

          SHA1

          45e1c5e793d0eba7e98f0c6c82d61a20d6a3bfb8

          SHA256

          f1a08ae7bcca488a543da40e985fa9e9c2507c4f9f4253627fc4cc9742635d40

          SHA512

          e41ac99a68ac216f6c497e5bd6585cdbc5d82116e4d4f5696bb49c4deb3cfda393e8e3e06ed944db6fc93193b973fcaa6e4d1b4d5e28c233c01429ba57d83c83

        • F:\$RECYCLE.BIN\S-1-5-21-513485977-2495024337-1260977654-1000\desktop.ini.exe

          Filesize

          846KB

          MD5

          f586c3feed45d9c7804314c16c12d131

          SHA1

          083353d9da2caac1aba148ce07bafa4717e50b8b

          SHA256

          2c0162129249e5525dd4ec34e0bc21a578cd6b9ec8db5be522c95005c83e4e95

          SHA512

          622da193d85d5b8220a38bca69c94c57a87a79d07342066d3cd8bc84eb7d46b6ee4953582b5116f601240082d2ef10cb01cb7d45485ae13d6f2921352b824258

        • F:\AUTORUN.INF

          Filesize

          145B

          MD5

          ca13857b2fd3895a39f09d9dde3cca97

          SHA1

          8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

          SHA256

          cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

          SHA512

          55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

        • F:\AutoRun.exe

          Filesize

          845KB

          MD5

          b40701c5063a64941f1349a81569bb17

          SHA1

          7dc15f4095254976c893cb259d6335e26bbbb38e

          SHA256

          c95a2621b681fd189ae9c5eb45ca5dd4ecd148f15541d053963ae79e387a1e64

          SHA512

          e6f56a7eb214690b4b747de69e94721bd372a46960807848e54d94db015b1f0f3c1fab8fc697ff33b709cb262429bd4a0d23dfd75b05c760dda92436f7780cf1
