Analysis

  • max time kernel
    145s
  • max time network
    42s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250610-en
  • resource tags

    arch:x64 arch:x86 image:win11-20250610-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    03/07/2025, 05:26

General

  • Target

    a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe

  • Size

    1.5MB

  • MD5

    eafbe162e08d83059547aca5b50c3143

  • SHA1

    502409915c2d68f34a66d7d10388e69ce10ecfcf

  • SHA256

    a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943

  • SHA512

    1b5351450276dcc863049a7439ab1602a3de35ae57eaf41d1d9567294f90bb25595124633a109243f2859b966fd1b23e45c485a08108055dc02e9a23ac490b76

  • SSDEEP

    24576:iEtl9mRda1d+5KK+Sg8/DXXavJ1IDGM8eEew:5Es1IYSg8/DaB1IDGM8eXw

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe
    "C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:5808

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-903960561-1545645218-4290906778-1000\desktop.ini.exe

          Filesize

          1.5MB

          MD5

          1c4a01b5bfe3ce236ac4616820d734f7

          SHA1

          288a0e21fd15d63aae83c6a98979653f287388e9

          SHA256

          8e3bd7240b1e22599e3d19754c7cde6a130eca16bca42f520b9e19da6c99bea9

          SHA512

          f78fc678344b3da7e3e4a25f44d34cc185632c686b536b41751c15c607092af0b011d3d0c3cc845e3e795a3d5cb700f97dcfdaebf0bf5c6b96437da64f126482

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

          Filesize

          1019B

          MD5

          dac37b935bc3a1e74f61bef7593388b9

          SHA1

          1853bfb63780d363f62b2643dc70d5845543f7a7

          SHA256

          8a546570c051e689f8ecb2567841e5a83638ffee1922ff5b0a74079644ecd138

          SHA512

          1dbaeafaa319ec5a5577fbca93f9733f67efcf138b4fb39f2ab88139b24c85b0dd3a8f69820cb0dd0b8ea828090735001694e323e765fe4bb4180682d9977cfe

        • C:\Windows\SysWOW64\HelpMe.exe

          Filesize

          679KB

          MD5

          3c7cf9f3bb85ac4eb465e276fc11fbf4

          SHA1

          71d759688a7548b12ee2c59288394e2986192f97

          SHA256

          1752d6f61c1f3d4ee64fd934a2601140b7124c1f1f916b0c5e3a21524c98f24c

          SHA512

          37e84d30fb671ef96a5c29dd00ead410eaaca93f961891d10cfb91d2041c06407da286822cabb4dbab86d8a561050c33a4fa2e79f8deb04dbb95fe3ddc277369

        • F:\$RECYCLE.BIN\S-1-5-21-903960561-1545645218-4290906778-1000\desktop.ini.exe

          Filesize

          1.5MB

          MD5

          1c01889b2e55b0b4a615f8c9f9c245e4

          SHA1

          07e77cbf5a7c3a81724ab6d7fc443112b8b2f2a7

          SHA256

          531cb689572780747e411f61bf1b8f2a26e814cabce51f43c3cc77646d253fb4

          SHA512

          854c5f17ef59575999f377be96358cecaa953d5f72d4e97dec0fd5bf4d7935aff1ce279b4ed3d17b2453d4c229925f110a92a6547e03ff2555dd2548898edfb8

        • F:\AUTORUN.INF

          Filesize

          145B

          MD5

          ca13857b2fd3895a39f09d9dde3cca97

          SHA1

          8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

          SHA256

          cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

          SHA512

          55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

        • F:\AutoRun.exe

          Filesize

          1.5MB

          MD5

          eafbe162e08d83059547aca5b50c3143

          SHA1

          502409915c2d68f34a66d7d10388e69ce10ecfcf

          SHA256

          a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943

          SHA512

          1b5351450276dcc863049a7439ab1602a3de35ae57eaf41d1d9567294f90bb25595124633a109243f2859b966fd1b23e45c485a08108055dc02e9a23ac490b76

        • memory/2000-50-0x00000000007D0000-0x00000000007D1000-memory.dmp

          Filesize

          4KB

        • memory/2000-0-0x00000000007D0000-0x00000000007D1000-memory.dmp

          Filesize

          4KB

        • memory/2000-1-0x0000000000460000-0x0000000000461000-memory.dmp

          Filesize

          4KB

        • memory/5808-55-0x0000000000400000-0x000000000047C000-memory.dmp

          Filesize

          496KB

        • memory/5808-6-0x0000000000400000-0x000000000047C000-memory.dmp

          Filesize

          496KB