Analysis

  • max time kernel
    145s
  • max time network
    103s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250619-en
  • resource tags

    arch:x64 arch:x86 image:win11-20250619-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    03/07/2025, 05:26

General

  • Target

    225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe

  • Size

    2.8MB

  • MD5

    4f677cc5974ca6488ab85b641b60bd41

  • SHA1

    517a750475fac27965d73574deea392d7b681f06

  • SHA256

    225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94

  • SHA512

    05e66b34f5d23a73429a89d4265c6c9f04af9d4ee319e3267f92bd50f0ca99a342289c684d7f668ac0a7640a354cf94f2e5147b2df845004dac08a643591e99b

  • SSDEEP

    24576:iEtl9mRda1EpPa2PYJqzMtenwoZ6DcTrk3LM9RlbkwoqR8QKV60MYCByDp7RbIUP:5Es1ABrk3LM9Rlbk/fuGv

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe
    "C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe"
    • Modifies WinLogon for persistence
    • Drops startup file
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4704
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2704

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3625340254-1625357543-1797847221-1000\desktop.ini.exe

          Filesize

          2.8MB

          MD5

          d8a7cc4c85fdec5d09b8910bc4981676

          SHA1

          21cbe2a74b44b85047a06075bf978336e0b80050

          SHA256

          d6a8857a0e247b6e61fb2e0337df2444631e773d7800dec8fc4685534ca87c73

          SHA512

          75c89569c9b74d5d9376187854da73d30202f073961f5da87924a5f7cd45cc8fe6ef4522df42b62a0f07165c2d019a850c103d2bf6d0ecefb1947a5765153f13

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

          Filesize

          1023B

          MD5

          01f4b6dcf84def84205751d24adb2c2b

          SHA1

          e952a6e6fec577223d59178b42da4c39ad759a20

          SHA256

          bb6951ff124bf6e312f2f150f3b6716d9d9d63a34bc689f17c91139153e0a155

          SHA512

          1f7dfe5424a63862c8e1a4d493f19d0f88a9e73adf22f698dba0beb625dd4a85c95385ee2cfba7b908f76e7a6f9f59f4c50740d533c17e4ceb53bd913a3613ec

        • C:\Windows\SysWOW64\HelpMe.exe

          Filesize

          541KB

          MD5

          d2a480c6b868400f6820f95246df35d3

          SHA1

          fe4df3542d779584c17e5ab5cc74e239059a6976

          SHA256

          ef22c37beaa9aedda067bcdc4ea2f9cd8c772736645b6393319ce5036565ff03

          SHA512

          c025c2784d7e7f41ece0a2296407e964cda65b2c3a7d595cc48d4098846002d66f7373c8d4d955f0c3d88a3fb5837c1079d3ee034550658f0e50c82899f67faf

        • F:\$RECYCLE.BIN\S-1-5-21-3625340254-1625357543-1797847221-1000\desktop.ini.exe

          Filesize

          2.8MB

          MD5

          e1c88ca0c9a32844173d37d241bfe754

          SHA1

          3375c4c296cf2afbd4a4c7029d0d6ef42e81fa4c

          SHA256

          1984f3b05ebc87231bd1538d571d930165cf948a367ec3bbf73225f9765b7012

          SHA512

          3b30d2ea63ea30d75b0cdfec59e8bde24bfde6a626123a95b090f1949dce218caf0305676e7468e8788785bb922f52b5cb024186b3fb9601a81539ab14852965

        • F:\AUTORUN.INF

          Filesize

          145B

          MD5

          ca13857b2fd3895a39f09d9dde3cca97

          SHA1

          8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

          SHA256

          cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

          SHA512

          55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

        • F:\AutoRun.exe

          Filesize

          2.8MB

          MD5

          4f677cc5974ca6488ab85b641b60bd41

          SHA1

          517a750475fac27965d73574deea392d7b681f06

          SHA256

          225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94

          SHA512

          05e66b34f5d23a73429a89d4265c6c9f04af9d4ee319e3267f92bd50f0ca99a342289c684d7f668ac0a7640a354cf94f2e5147b2df845004dac08a643591e99b

        • memory/2704-51-0x0000000000400000-0x000000000047C000-memory.dmp

          Filesize

          496KB

        • memory/2704-6-0x0000000000400000-0x000000000047C000-memory.dmp

          Filesize

          496KB

        • memory/4704-0-0x0000000002420000-0x0000000002421000-memory.dmp

          Filesize

          4KB

        • memory/4704-47-0x0000000002420000-0x0000000002421000-memory.dmp

          Filesize

          4KB

        • memory/4704-1-0x0000000000460000-0x0000000000461000-memory.dmp

          Filesize

          4KB