Analysis

  • max time kernel
    145s
  • max time network
    103s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250619-en
  • resource tags

    arch:x64 arch:x86 image:win11-20250619-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    03/07/2025, 05:26

General

  • Target

    52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe

  • Size

    636KB

  • MD5

    8aa0ba3629c385b6e4b521eb2a5aa836

  • SHA1

    506a869e34b3e3efa92700ad0c623caf25ae0d21

  • SHA256

    52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1

  • SHA512

    49ec0a595530ebdf9df466c87fa58f9d4feae283f97449f4d63492e0b0d53a9d61631c624647718e7686f1798c398d2675678e075ef20509a97d07ea411ebbc1

  • SSDEEP

    12288:Ip4pNfz3ymJnJ8QCFkxCaQTOlOM64ABeyJHm2iT/pWq:iEtl9mRda1WJCB

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe
    "C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4484
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:1336

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-4024151881-1944119507-1574723210-1000\desktop.ini.exe

          Filesize

          636KB

          MD5

          62ed82dd4baa9969e3ea7426f3705741

          SHA1

          0fc6b153594ffc78db3dff47c628fbcd961f0831

          SHA256

          dca1c518c68899d21ffc92d1db66e06a3763e980bc462ea83e02ee955392c8e0

          SHA512

          182b8d967de6f6aecd26b7618a601039d0d1abfe671335895435f1e238a8d137192fc20f59d92b4f338ee7499f20529de74dbfe511760be601197f7d8914a07f

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

          Filesize

          1KB

          MD5

          da4288f2e007f4f33ae74ca440a78467

          SHA1

          59051a8f2b3e233c93db5a40fccde2a75ea1eaf8

          SHA256

          deb898591dcabab6e06a9f1f9aeec60217f56611bd2cbca932167a49771189ab

          SHA512

          848565f5621f44a636e177cba4c608ef263d19f34042e1ec92fc253396fff54c63595fce0a986f3a975af09f52b1a18a176ec9fe1641d9d12d418ed591805bb7

        • C:\Windows\SysWOW64\HelpMe.exe

          Filesize

          541KB

          MD5

          d2a480c6b868400f6820f95246df35d3

          SHA1

          fe4df3542d779584c17e5ab5cc74e239059a6976

          SHA256

          ef22c37beaa9aedda067bcdc4ea2f9cd8c772736645b6393319ce5036565ff03

          SHA512

          c025c2784d7e7f41ece0a2296407e964cda65b2c3a7d595cc48d4098846002d66f7373c8d4d955f0c3d88a3fb5837c1079d3ee034550658f0e50c82899f67faf

        • F:\$RECYCLE.BIN\S-1-5-21-4024151881-1944119507-1574723210-1000\desktop.ini.exe

          Filesize

          636KB

          MD5

          42458ea80baebebef08861a67d2d7fe8

          SHA1

          efa5a2f5f1d1ae5b9c9cd95935944ea9d96867da

          SHA256

          e2f04421ad8bf222b8830c038c828bc05460cad21940d4965a151ad9635fe0ef

          SHA512

          ceb7950fec826e6feeee4ddd9d80b579c09e38b2fda1a13982159808e0f3ea0ed2c061bfe94a5552d4ca307c20061dc5251e75a7b9cb9b0f230a4c31ee4c668d

        • F:\AUTORUN.INF

          Filesize

          145B

          MD5

          ca13857b2fd3895a39f09d9dde3cca97

          SHA1

          8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

          SHA256

          cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

          SHA512

          55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

        • F:\AutoRun.exe

          Filesize

          636KB

          MD5

          8aa0ba3629c385b6e4b521eb2a5aa836

          SHA1

          506a869e34b3e3efa92700ad0c623caf25ae0d21

          SHA256

          52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1

          SHA512

          49ec0a595530ebdf9df466c87fa58f9d4feae283f97449f4d63492e0b0d53a9d61631c624647718e7686f1798c398d2675678e075ef20509a97d07ea411ebbc1

        • memory/1336-54-0x0000000000400000-0x000000000047C000-memory.dmp

          Filesize

          496KB

        • memory/1336-6-0x0000000000400000-0x000000000047C000-memory.dmp

          Filesize

          496KB

        • memory/4484-49-0x0000000002420000-0x0000000002421000-memory.dmp

          Filesize

          4KB

        • memory/4484-0-0x0000000002420000-0x0000000002421000-memory.dmp

          Filesize

          4KB

        • memory/4484-1-0x0000000000460000-0x0000000000461000-memory.dmp

          Filesize

          4KB