Analysis

  • max time kernel
    145s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20250610-en locale:en-us os:windows10-2004-x64 system
  • submitted
    03/07/2025, 05:26

General

  • Target

    225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe

  • Size

    2.8MB

  • MD5

    4f677cc5974ca6488ab85b641b60bd41

  • SHA1

    517a750475fac27965d73574deea392d7b681f06

  • SHA256

    225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94

  • SHA512

    05e66b34f5d23a73429a89d4265c6c9f04af9d4ee319e3267f92bd50f0ca99a342289c684d7f668ac0a7640a354cf94f2e5147b2df845004dac08a643591e99b

  • SSDEEP

    24576:iEtl9mRda1EpPa2PYJqzMtenwoZ6DcTrk3LM9RlbkwoqR8QKV60MYCByDp7RbIUP:5Es1ABrk3LM9Rlbk/fuGv

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe
    "C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4052
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:3048

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3001560346-2020497773-4190896137-1000\desktop.ini.exe

          Filesize

          2.8MB

          MD5

          c8d2e2e5afeec34e176f304c21852463

          SHA1

          465bf6faf11c82cf9a233e61cc12b4f0e3e9fc25

          SHA256

          8d9487a46a264713e03331e8b632f615bc2c3ae9f2f56f91e0d8607fd4df38ae

          SHA512

          eb5808acccbe4fae15300c1292e20887758514392bd3198bbff00188874189f5b9a96defcbc6f31024f55d9e705728ce9a171864af6c253f1314ac4f866f3a9f

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

          Filesize

          1KB

          MD5

          fbe531db67453108ba4a56a27935d115

          SHA1

          b2934a5ae30c6e4cec89531b651962bd087fd769

          SHA256

          247b331d70802340c1019f4dd3a9deb83d38477a780f318e3b4f0fbc3f29d723

          SHA512

          6533b7696495f2d425e0bc24c8fd465d33a77ef9be511e9f2f6cda6e4a7f5f0408a2f3571e41cf8e1346af86b03c1eaa7fe3f329e3585c9d36890f5f91f14d13

        • C:\Windows\SysWOW64\HelpMe.exe

          Filesize

          541KB

          MD5

          d2a480c6b868400f6820f95246df35d3

          SHA1

          fe4df3542d779584c17e5ab5cc74e239059a6976

          SHA256

          ef22c37beaa9aedda067bcdc4ea2f9cd8c772736645b6393319ce5036565ff03

          SHA512

          c025c2784d7e7f41ece0a2296407e964cda65b2c3a7d595cc48d4098846002d66f7373c8d4d955f0c3d88a3fb5837c1079d3ee034550658f0e50c82899f67faf

        • F:\$RECYCLE.BIN\S-1-5-21-3001560346-2020497773-4190896137-1000\desktop.ini.exe

          Filesize

          2.8MB

          MD5

          8431b25c5822aa17e16de08106384714

          SHA1

          89e60fe6ad59b6391867b8c072cffa27fa38ddab

          SHA256

          e80ca696dce311fb3a45a75ecc1aacda77d1b2488b9692726fb3f6a69a688a3c

          SHA512

          fff3595ab3ddef2b0985c285797186ad4adfe5f69f294845295199be16bef8f725e384051b5b56c17948797f939f5f17329534dbfec4d1e067eb0cdb6d8cd77d

        • F:\AUTORUN.INF

          Filesize

          145B

          MD5

          ca13857b2fd3895a39f09d9dde3cca97

          SHA1

          8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

          SHA256

          cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

          SHA512

          55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

        • F:\AutoRun.exe

          Filesize

          2.8MB

          MD5

          4f677cc5974ca6488ab85b641b60bd41

          SHA1

          517a750475fac27965d73574deea392d7b681f06

          SHA256

          225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94

          SHA512

          05e66b34f5d23a73429a89d4265c6c9f04af9d4ee319e3267f92bd50f0ca99a342289c684d7f668ac0a7640a354cf94f2e5147b2df845004dac08a643591e99b

        • memory/3048-52-0x0000000000400000-0x000000000047C000-memory.dmp

          Filesize

          496KB

        • memory/3048-6-0x0000000000400000-0x000000000047C000-memory.dmp

          Filesize

          496KB

        • memory/4052-0-0x0000000000660000-0x0000000000661000-memory.dmp

          Filesize

          4KB

        • memory/4052-47-0x0000000000660000-0x0000000000661000-memory.dmp

          Filesize

          4KB

        • memory/4052-1-0x0000000000460000-0x0000000000461000-memory.dmp

          Filesize

          4KB