Analysis

  • max time kernel
    145s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/07/2025, 05:54

General

  • Target

    e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe

  • Size

    555KB

  • MD5

    8bb0690b730511d5dcd2c33d18755f13

  • SHA1

    2be945fd527e31b6bc6dd5f06f94ab4d68185c94

  • SHA256

    e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da

  • SHA512

    06e0c2d744004da0124ad275ed5c47a52edbea4ddcecb2e58af55e9532193a5c3c5bd785adf126b0d530b283ab5dd7caafca92023685bfa354551cb08d1f9916

  • SSDEEP

    6144:O82p4pFHfzMepymgWPnviP6Koa0nArn20l96tCF2eKNBDRlC8HQQDhy5OwbYBwMM:Ip4pNfz3ymJnJ8QCFkxCaQTOlOM64w

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe
    "C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe"
    • Modifies WinLogon for persistence
    • Drops startup file
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4208
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:5616

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-1153236273-2212388449-1493869963-1000\desktop.ini.exe

          Filesize

          555KB

          MD5

          3f12fafd46ef929e255bbe4c53a39afd

          SHA1

          856d804dbcdcd5965a7147335a6b03564684495d

          SHA256

          1fb34daf65424a736622f49f0b659657477bc9a7ab4b4cecf6f87ddd554d9867

          SHA512

          822cbe777f6bf0ab40c7627ed5454037400ad7f9875b1eb6c183d80d65c011b51ec4af3f02f726f1aaea4070c644d92357f0b09dac63a4a4b97381b48e834750

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

          Filesize

          1023B

          MD5

          1105929ab64ff8305f908e5020960522

          SHA1

          e4d9b762130dce6b46e5b2290342dac2519c6951

          SHA256

          07ba9e4170f3765c4e990373d3eb0762d5e133f334adf415a8b82b29d3d5d3bb

          SHA512

          07c8de34e4979e14a975b6e63e356684a84142e74967e295a36c0e6d1e45d0949b99efdc6eaaab953863e29735830e91e4fb8aa282a3518d883e4d11b45b25f6

        • C:\Windows\SysWOW64\HelpMe.exe

          Filesize

          541KB

          MD5

          d2a480c6b868400f6820f95246df35d3

          SHA1

          fe4df3542d779584c17e5ab5cc74e239059a6976

          SHA256

          ef22c37beaa9aedda067bcdc4ea2f9cd8c772736645b6393319ce5036565ff03

          SHA512

          c025c2784d7e7f41ece0a2296407e964cda65b2c3a7d595cc48d4098846002d66f7373c8d4d955f0c3d88a3fb5837c1079d3ee034550658f0e50c82899f67faf

        • F:\$RECYCLE.BIN\S-1-5-21-1153236273-2212388449-1493869963-1000\desktop.ini.exe

          Filesize

          555KB

          MD5

          db90fb5ae3d56777806ddb2735e169ae

          SHA1

          ba66077d95840ab03f25ceb1f85f315daacff373

          SHA256

          5c881c890f7b7a095b22d0f4f2a721e4c72572e7477962fd360a0544e09b0064

          SHA512

          54b0ac6c4b226b70016e43b173928f7282e9004fa49457e0a195d95eb864c2f77b95d2d28e99f788ef18a33763dfd4ddb4bcc0f2073ec6cbabceb59f2035be76

        • F:\AUTORUN.INF

          Filesize

          145B

          MD5

          ca13857b2fd3895a39f09d9dde3cca97

          SHA1

          8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

          SHA256

          cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

          SHA512

          55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

        • F:\AutoRun.exe

          Filesize

          555KB

          MD5

          8bb0690b730511d5dcd2c33d18755f13

          SHA1

          2be945fd527e31b6bc6dd5f06f94ab4d68185c94

          SHA256

          e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da

          SHA512

          06e0c2d744004da0124ad275ed5c47a52edbea4ddcecb2e58af55e9532193a5c3c5bd785adf126b0d530b283ab5dd7caafca92023685bfa354551cb08d1f9916

        • memory/4208-48-0x0000000000590000-0x0000000000591000-memory.dmp

          Filesize

          4KB

        • memory/4208-0-0x0000000000590000-0x0000000000591000-memory.dmp

          Filesize

          4KB

        • memory/4208-1-0x0000000000460000-0x0000000000461000-memory.dmp

          Filesize

          4KB

        • memory/5616-52-0x0000000000400000-0x000000000047C000-memory.dmp

          Filesize

          496KB

        • memory/5616-6-0x0000000000400000-0x000000000047C000-memory.dmp

          Filesize

          496KB