Analysis

  • max time kernel
    145s
  • max time network
    103s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250619-en
  • resource tags

    arch:x64 arch:x86 image:win11-20250619-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    03/07/2025, 05:28

General

  • Target

    0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe

  • Size

    526KB

  • MD5

    3eb372432fa3d18d86217b14c6c463f0

  • SHA1

    9ac67ab22d637898e7312b776d1b39da04d61cc0

  • SHA256

    0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545

  • SHA512

    365c95924d3c01ab9f5c4ae014f176b022ac15a76a0f184d43aabf9e11f4058e258350ef98dfcbf2462d225e104e855dbb811aa7eca979dbc4fc8bc4dbbcf072

  • SSDEEP

    6144:O82p4pFHfzMepymgWPnviP6Koa0nArn20l96tCF2eKNBDRlC8HQQDhy5OwbYBwML:Ip4pNfz3ymJnJ8QCFkxCaQTOlOM64f

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe
    "C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe"
    • Modifies WinLogon for persistence
    • Drops startup file
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3364
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:5908

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-4024151881-1944119507-1574723210-1000\desktop.ini.exe

          Filesize

          527KB

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

          Filesize

          1023B

        • C:\Windows\SysWOW64\HelpMe.exe

          Filesize

          526KB

        • F:\AUTORUN.INF

          Filesize

          145B

        • F:\AutoRun.exe

          Filesize

          526KB

        • memory/3364-0-0x0000000002310000-0x0000000002311000-memory.dmp

          Filesize

          4KB

        • memory/3364-1-0x0000000000460000-0x0000000000461000-memory.dmp

          Filesize

          4KB

        • memory/3364-50-0x0000000002310000-0x0000000002311000-memory.dmp

          Filesize

          4KB

        • memory/5908-6-0x0000000000400000-0x000000000047C000-memory.dmp

          Filesize

          496KB

        • memory/5908-55-0x0000000000400000-0x000000000047C000-memory.dmp

          Filesize

          496KB