Analysis

  • max time kernel
    145s
  • max time network
    103s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250619-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    03/07/2025, 05:54

General

  • Target

    0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe

  • Size

    4.4MB

  • MD5

    e467ce5489229fd836c254805e7ebc06

  • SHA1

    2824ad737058f1df35b1b20db998f90972f58534

  • SHA256

    0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc

  • SHA512

    a8533736fc3893708874e146eca6f1924d775e71685927ff1f80691a1f216f18cf5c457a2d5205e332090d30e6735ae3b3f3aa98a5e9a4ef8f739a84f94452cd

  • SSDEEP

    49152:5Es1I3vLb7Lb7Lrrb7brb7Ewmgi4uYCgrGgCYu+SV7SkCrWGBydrGOIs5KknYNqm:5E2IA8WbGOIghnW8o

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe
    "C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3432
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:5888

Network

        MITRE ATT&CK Enterprise v16


        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3972667009-3658015838-2693993929-1000\desktop.ini.exe

          Filesize

          4.4MB


        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

          Filesize

          1KB


        • C:\Windows\SysWOW64\HelpMe.exe

          Filesize

          679KB


        • F:\$RECYCLE.BIN\S-1-5-21-3972667009-3658015838-2693993929-1000\desktop.ini.exe

          Filesize

          4.4MB


        • F:\AUTORUN.INF

          Filesize

          145B


        • F:\AutoRun.exe

          Filesize

          4.4MB


        • memory/3432-48-0x0000000002430000-0x0000000002431000-memory.dmp

          Filesize

          4KB

        • memory/3432-0-0x0000000002430000-0x0000000002431000-memory.dmp

          Filesize

          4KB

        • memory/3432-1-0x0000000000460000-0x0000000000461000-memory.dmp

          Filesize

          4KB

        • memory/5888-53-0x0000000000400000-0x000000000047C000-memory.dmp

          Filesize

          496KB

        • memory/5888-6-0x0000000000400000-0x000000000047C000-memory.dmp

          Filesize

          496KB