3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d

Analysis

max time kernel
151s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-07-2022 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
Size

828KB
MD5

92640d3e2e5b4960abd4421788e8b732
SHA1

ff0b46e0802414ff573b5ef6ce8609b1e4ba691c
SHA256

3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d
SHA512

4179adc039f0455da316c9c2abe38d79bdb7349f5c29d93fdfcbe2961db45ec3c281e5b8ae020045b8c9d3d027de14fcab18da19d8bd6b4d58482935bfe3850b

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exeHelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\$Recycle.Bin\S-1-5-21-1809750270-3141839489-3074374771-1000\desktop.ini.exe	aspack_v212_v242
C:\AutoRun.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

548 HelpMe.exe

pid	process
548	HelpMe.exe

Drops startup file 3 IoCs

Processes:

3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exeHelpMe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exeHelpMe.exe

description	ioc	process
File opened (read-only)	\??\L:	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File opened (read-only)	\??\V:	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File opened (read-only)	\??\Z:	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\K:	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File opened (read-only)	\??\T:	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\H:	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File opened (read-only)	\??\I:	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File opened (read-only)	\??\W:	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\E:	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File opened (read-only)	\??\J:	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File opened (read-only)	\??\N:	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File opened (read-only)	\??\Q:	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\R:	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File opened (read-only)	\??\U:	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File opened (read-only)	\??\Y:	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\M:	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File opened (read-only)	\??\O:	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\A:	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File opened (read-only)	\??\F:	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File opened (read-only)	\??\G:	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File opened (read-only)	\??\X:	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\B:	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File opened (read-only)	\??\P:	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File opened (read-only)	\??\S:	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exeHelpMe.exe

description	ioc	process
File opened for modification	C:\AUTORUN.INF	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

Processes:

3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

Processes:

3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Lang\hi.txt.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui_2.3.0.v20140404-1657.jar.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\wsdetect.dll.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmmui.msi.16.en-us.xml.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\jsdt.dll.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ppd.xrm-ms.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_ja_4.4.0.v20140623020002.jar.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-pl.xrm-ms.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-ms.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\SUCTION.WAV.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\hi.pak.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jsoundds.dll.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\GRAY.pf.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINSHELL.DLL.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ThirdPartyNotices.txt.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\he.pak.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-nodes.xml.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_zh_CN.jar.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul.xrm-ms.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.RsClient.dll.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyoptionaltools.jar.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaSansDemiBold.ttf.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ppd.xrm-ms.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ppd.xrm-ms.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SQLENGINEMESSAGES.XML.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.png.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ppd.xrm-ms.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUIFormulaBarModel.bin.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_zh_CN.jar.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ppd.xrm-ms.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-pl.xrm-ms.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2Fluent.White@3x.png.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\jfxrt.jar.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\packager.jar.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-text.jar.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-phn.xrm-ms.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository_2.3.0.v20131211-1531.jar.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-compat.jar.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\jawt.dll.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-pl.xrm-ms.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-oob.xrm-ms.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART2.BDR.exe	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe

description	pid	process	target process
PID 2200 wrote to memory of 548	2200	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe	HelpMe.exe
PID 2200 wrote to memory of 548	2200	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe	HelpMe.exe
PID 2200 wrote to memory of 548	2200	3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe
"C:\Users\Admin\AppData\Local\Temp\3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1809750270-3141839489-3074374771-1000\desktop.ini.exe
Filesize
828KB

MD5
421c440062c1c5ca8a1de416248fc9b6

SHA1
baad50099bff119e50af9abcd2b4da32e6b79ca7

SHA256
f71778dcd464f681160958028bb170d15e0b6cbcbe326a133de5d3c369d29f93

SHA512
5254787f67d1b59ccfa614bef26f56eeafe1b48e2c4d0a810acf39ad32b852e3fd2a47159ac3d573b3b3733f9a114eca39c52fbfdc7c506d234284b276e520f6

Download Submit
C:\AutoRun.exe
Filesize
828KB

MD5
92640d3e2e5b4960abd4421788e8b732

SHA1
ff0b46e0802414ff573b5ef6ce8609b1e4ba691c

SHA256
3c60ef5d72840aed8543f28294f979025bb53500c18a2915871527a7aa54f94d

SHA512
4179adc039f0455da316c9c2abe38d79bdb7349f5c29d93fdfcbe2961db45ec3c281e5b8ae020045b8c9d3d027de14fcab18da19d8bd6b4d58482935bfe3850b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
2a087d939b23fa0853de847dccf78f9a

SHA1
f6d72654aa767222d1eadf00d343173f3a2bf033

SHA256
3ffaff9b8f013893df0606d0e78412ed3204a458565efc20b4d1fbf9ad3cf738

SHA512
de65ee0ed721f3e39289601a246acb31f0a51a18e7b94b22a56f79a7b265bce9ec6257610410b1f0c37789e3d0d2be156be2a0785cd9ff368d5f6fccefbfce3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
1ffd74611b1734cd96c20992db0c7ea2

SHA1
d767c4059dc6addb9d542eb8d015ab148fdb0d5c

SHA256
4714457378a6663b68abb2d13bf7528a40ed11f9e0b278a77ca90ff942eb3a90

SHA512
8842b77948f19f95c2aa1c8c7baef061e44fdc501678e2ff8c62e487c1e40366cdf9dcdca0524206c2aa9a0e9b37e6c7145716fe700de25263e415e3315ab8ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
1ffd74611b1734cd96c20992db0c7ea2

SHA1
d767c4059dc6addb9d542eb8d015ab148fdb0d5c

SHA256
4714457378a6663b68abb2d13bf7528a40ed11f9e0b278a77ca90ff942eb3a90

SHA512
8842b77948f19f95c2aa1c8c7baef061e44fdc501678e2ff8c62e487c1e40366cdf9dcdca0524206c2aa9a0e9b37e6c7145716fe700de25263e415e3315ab8ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
6633ff9ad4cfaa8fcfcb98a7880610b5

SHA1
95cdade61d6c5c39b2b4f61d4ca98b52cfd00f1a

SHA256
f226a7b3ef5afa645fc7f5e11c700b3de6900edad27a08b4c215fe5a0e6408f7

SHA512
cf391384562f72e37a45eecdff9f8dbfdc30377d51b2d776d2e3683d5324d7bde514455b6793b39232eb66a2f120e32996717dbb25bbca6897e02214a07d7e51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
2aa86907433024838b1ea853bb57e6db

SHA1
cabdb4ad1e1f5bd5c8eb79a3538de9668e6433b0

SHA256
a630baf1ec4f0345581cfd1d4092dd8565a26b11ab9357cca3e4c439cdaf5665

SHA512
7d440de4b2ee3622e90c58459db84ea91fa0bfafc4d8fcf0992c63004155a2644616b2ffee0360895c8da3c22a1609793d3e352467d330caa07fc6dceacbe460

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
c2722113f113fe823363f7783559dfc0

SHA1
5925f05b55777d3cf7f6705a450e132721519422

SHA256
d547a439e47497ac97160b9991c02a1719a608cb0fb25cd86931caa0c97b3f59

SHA512
39ae1b5ca8421b3b1483eafa2fc569801ec4aa1bd6bc964e7a3258d1a64a6abf52bd9dc9e48e98ae8b6cd81520084427f7fa184deec196ae6959b1f9e5f473aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
73bf2f5ba3d8d6a3a426e6c466604318

SHA1
d48c0225c0fb1753e00e3fed74813619da82937c

SHA256
68509d26a9f12f32dcbe9c1bfb67192b52563c0f9ab240ff1c6dd8cda9ae7ae3

SHA512
1359ce060b9628fed52867cc60e62da71b74adba2fdf12b00277652a7417d11178e41acf50bd525c99db9e6f36e0b5090af352576ee87890e28fab2133198768

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
343120bb4556ebe2d3a7823da411263c

SHA1
8eff38c4767d894c90fd07bdddf3ca83097cd180

SHA256
38bb3f3d9fb65c7db517526eb7edd6ff4136e34428d0b654acd5b9e47d2be4ca

SHA512
56bf1f9a076f69a7add9915bea4b03e3285518280d51c90e8845e91662a931cf469a628f316c943e42e0cc714b234bb265af68d739be823067a53d561d69354f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
d9a79815f1a79bd367941882af20be58

SHA1
1ad5894d381d1ea8e2459d26f4e6b045eb4601ad

SHA256
69ad6c2423a7aa22301d2e2aa664e717373ff8bd4db667b3523d54118eabeaba

SHA512
03499a942d055e30b76eb67960e9a934b67a4970f8c99932a101884223a44e97bb9fc0848855a7641bebd7b81a0f06c1b126d26be35083237bad7bc2568049cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
294492e846b18e44b9b0036c9f7f9e70

SHA1
26a16362bd4aa551c13a7fc6eabe07effdab6066

SHA256
37b6a10bb8d025fe5ab743b2fbd60b510c71ba720643c96442095879e69f97c7

SHA512
e1a00e047f28650e99e2c0531eac1bf6ee343fa5c048e06cc14553ede9bd68557b20f49f162454dcc435d02aa5f3d48ff02c497f342f327036bafddd2ac14743

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
f2a6f929e5e0c9997ca1d9a5b737b32c

SHA1
dc55b267e80c5b3661f36b46439a793f3579c5e2

SHA256
551b272c3b043aa576bc6964c9c654cbdb5a88b331209646a4b67d47c210cd90

SHA512
ee9d85b341d25e35da4d732d4937c30590928b4e148eb1bd426391a5fe5f5cc98f1ba7d3f5f0d74f138739cb56fce9a14702b519cb800c8d1f95499d0b0bce8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
8de31a92415aa86be0c129d31a32dc5d

SHA1
fb757467c1aeb27618730579f1f18ce07e41f390

SHA256
cd64317d5af3dd035c20f77ac2ddf348b44347ab71f6ba28a7591baca6d36a8e

SHA512
0295c14f2ddd1d41c94d0ecc28856b4dc71818059840be1a5669aaff665c6b23154155d2ac7f722cb4e7380c3898f681e2b5e33b1b881f2d2bfdc695731e3a54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
d8de8aeb93dfa39585e96e4cffb01ee4

SHA1
d795a6435d414212973dc297cd3804e41d96469d

SHA256
5093fa443d93113ce42422eea43d3bd9bacfbc89df0c9f16b04a1ad80c804cc2

SHA512
07a9738ef664354103efc2edce2b0cafa66cc04b6d9b50815f527d723cfe042d7fe4fd1f62e699da615aee2f7a9da9fc8b669a6a1385c68df666ae4b09dbf12c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
94bbd636a5a06490e7d3d5e68947197c

SHA1
d156437314791d8a91519ba34f416f8233365407

SHA256
cbbf33d7334d66a76c0b4cf5065ad0060798916bc9098ad4100d3d35d558bff5

SHA512
2571a097886ec20a190c641031b2e684f114dac5f0d7da09d797bfa9470bbf7e87e64834273904580003bac129c292d7517cd9d8e22db4a4d7faeacaed206ce7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
94bbd636a5a06490e7d3d5e68947197c

SHA1
d156437314791d8a91519ba34f416f8233365407

SHA256
cbbf33d7334d66a76c0b4cf5065ad0060798916bc9098ad4100d3d35d558bff5

SHA512
2571a097886ec20a190c641031b2e684f114dac5f0d7da09d797bfa9470bbf7e87e64834273904580003bac129c292d7517cd9d8e22db4a4d7faeacaed206ce7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
456a3a497a992844adc3bb81c877a3fe

SHA1
b396339db5d612a6ec95af387102ec15fd1233f8

SHA256
5527b3569b96b2e4f311a9af8498c97db3d18b7f8fa675d1897733f74f230675

SHA512
31dee6539f497365747fd9c385f4e46d6df6044913ef06395ce647f9ad20a9e7e4de214073d631b0c965a960779d975d0e5682995fc428e2544621b2c9b98cb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
e1cf29dc04926fdf86b0bf67d597c577

SHA1
e3d61484c791d810149b89a9cd06dfe785050137

SHA256
7a7cd99c086ec3072d4a02c882e84a578013c3d648ca60a8985e4609263173ee

SHA512
281b62339bc31a6791474653920626659091cb4af64628cef7daa695622e2a1c3673e50bf220d2249a06c5f6f14fba1b43f72371da79fcb38da2971ac61fac43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
aa98d13175b5edb66b74f1fecafd1164

SHA1
e0243fdfb5ae7168a63eec3938c38d51f8fa818e

SHA256
32d3ef963982acee1e91d3fc7ce42bf470518287445f6abcb525a8d672612a1b

SHA512
bd46bcae35834f9b4bc2d7f26f03235f043eb32b7b19cb1389e516c5142a7db728311439edbcc69ae2f949112dba239b30d786606471f54dc7f8e99a37dc3122

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
f348a19b0b123e3442cb0ab941f97538

SHA1
0171ea634caa7f10313b45d31c01195b5626ae68

SHA256
038124838e49a8fdc8121a2a2f0b9f6f950e4d4a4465bdc9d66f77d0a880dca9

SHA512
468e0090928e17239a3c9a6de2dfde8f6f872acc9644c3e0b37b984d745ece845e7ce8a86692f2d58e0683924573a171e6dd316619136371e880cb9f4fa3a62d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
9b0b5ae58abb5fce7d05b536e367ea46

SHA1
4c325a0061d85384c823dd9a91f654bd23d30abe

SHA256
911bcf3ab15c51a2605d0b762fdee6966a538a91a6900a3d303f63490c25fd8d

SHA512
144e9f6448d9792cb0d35aa11342bc2a750a97c8bdaa4da070aca75919db2185b47712c9d4528711b4b2a06a55bc28d6d25ae3dee661e15d935afe3b23329954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
57ed1ad8a0814dadf75f4bfe7f4c9a95

SHA1
1d7806002dd4a6f8333567d969ffcdf96ea60186

SHA256
70ea4682c5d069596fd63e3c0e4ee8b91a9f490ade9273fef27a289f79c15c6c

SHA512
fd9a936de7037010f500000169d5a0245e5b44cfcae3b4f56edea4a248b538a94befc9e294e989c99fb318123c9495131ca94e69e899fc92ae0cfe1ccd203042

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
ecbc02136d2fe878de1a759a71110783

SHA1
6425a039d947664de2404027de8d46867a876546

SHA256
6cf613a8f9262830ea9367b17aaa4c55e565f59fe6eb8a178921918c5b51ede1

SHA512
6c496ba9457f797ac155767392a3a7e788e568fa52e65e0e03ddc1a017b65dd66925880901d8a1b91e2c076bccafece542fc5118cefd018a026b62d5b95f488b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
ea1dcd3ac02de947fd2faa66a0844be3

SHA1
3a0b0d36cabffbf687cf7c3e911ee2971c276cb3

SHA256
3c6967ec5a4aa31128b561dc9212cd9f887a6b0bbedbb02e18319e1839fe47c4

SHA512
9da5b5023d2a6ab768ea96eae6b750e3332b792f1b52b5d40ee4c5bf4bbb0a227e03ac64575b5b327e1cc7c784a19ce9a30388955b8ef929d74dbacd0f18fff8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
97fe4672c2fc8a22f2d5d232724ad5a4

SHA1
fb81629459a70d5bd3e20e90e7c9b51ea8003d85

SHA256
6093725bd5249b5bda9761cadabb875f6346485b30397533b3c07a8211e9d651

SHA512
3bb0e17ad7fcb0c9e345dbaad5a3c3a7cb5868306ec5686455a450b7ce24889bdff542c079b09b4c061806c7aae6fc1f92f94104267663167d1ac8ed5577d180

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
700b12a318a30416ebe580dc9f261617

SHA1
dfab6eb21a87bd7484466d8834787f4d53896684

SHA256
468a1035d8d9c465b8c1e380abfd337caecc880bff8b7e0f8bd4848595e467f7

SHA512
b9263d7842f73d801758ede4d3980fe919d11427792421d8178eb834031f1d7e8d16c6981ce6631d4e4801a0400cbf5f418107ff909a90df1c96bb73b7d9f8f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
11634a98f9a8614736a776079ccbabde

SHA1
1d83b2d2a6fe4de5576b09797aa13a7b7953d956

SHA256
b09d28db89e390fda5d2dee2665419e15323575e72199fa769220b5f7775bef0

SHA512
dd992db53aa4778983bce297aed499127ebf71adf7604835f3007005c131e174f986fd24e42aa549e7e01d03676b0f50f69f3ecea9d4d374e13baf813c3efa3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
7471b90b87454aa8b88f52f4b82ba467

SHA1
b112bfe8a72f1e7f1d4a6a326989ea22cd135440

SHA256
a820b5d35174b9be140b94370010ef5ebf5ec8a81b526749810b3480680da9f9

SHA512
f5a017c8158d0c3be6a72cacf0eb52946070a18f0b7dd942f0d618dc6740b0ac0881f9d08df37403ae89230f5f28632d940326da1ac7c47953304a21a2cf33b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
9317d29a7511a41a5a62bbf30fd827a4

SHA1
6815aa1c2bcd5237231f9b783d17bcba2e39339a

SHA256
375799195e65cfbd6520d691d68206835b2364916f5475bf1932b4ddd88ee6e9

SHA512
b1caa0f7c72ac47e60324c9b3b084b8700fbb03da86dcdddb2d92dae2a25ff342598e9720a98750c5441b0e6708df5cfcb692e69e2db1a536478f2033fcf3b51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
c50add54e49ae8f0bec6044fd483a743

SHA1
a375da7001573a8125ddef570cfcbb4f73281edc

SHA256
51aa5a7d030e59ed21059351527a68f0c8e5904c71db5b8b42e6756fb12c4e1f

SHA512
6b1e7a99f94f47b9d5152e01454cd30f5b434c88aa5391b37301d58afbe9643e0ab0d66bb3c1d060598558c42223cba78718981dc36a1be0a95e80fc4cf94bf0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
635006de5f32b4df07f2804e1fb6ecbe

SHA1
43212ad0a87b75deade706cb926f1dc6237d900b

SHA256
8c59760ee9d4cae3c11bfd146e8532b3539edc9dbf72b6d141a83b7981a5422a

SHA512
d6f5c886ebf16f27551bfee28c59a58ff5c9533592245dd086f4ce2f809bd43187efdd79c972b86dc127492195edc1ceea89b7f166dcabffa60e72caa92ab49d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
cfb05fc9144ae7175fb6640c26352c9c

SHA1
ff772943923ba6b496e04f13b0d74561363690f1

SHA256
7567076ee7b70e3eba9400e5af696e27584e12ee60ce4184329186a47f9c298e

SHA512
c99d940b175c89cbecf34d3bd6011edec7d3b354898e69239f8c99b2e32d6b47cd9b9c4ef80639c2c7d2c9189d9202aa5189b0ff721fbefe484efffceeccb330

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
c4227a79cff2bf1287801397387c0368

SHA1
ba2ff921c99ef64416230f4e83eaf70ef371447e

SHA256
b7a777bb771d39834199d5fd44a6cd649accb14ca200a18cc2e9eea39ff5e486

SHA512
8b6b1daad4d9d933faae9ffd76692c267ab4810b703c100c24cc22549b45ba21caefc1ba43cfecfbbc69c89825c224e829f37c66481456ec733ec1e6a4a6d497

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
55535f8e9c8b33d69fe96596dd79617c

SHA1
a27ca664ce257656212761704afd8ef0ad3100a9

SHA256
71272bec714938321d180fc9da0367bbd3406e7ab9721674938f81bfc807f8a1

SHA512
60d082a10668e25046c6ec1e899141e9bf59fc30bcaebf5c362e69e4edd33748dac5b8c4d65b32a3452eb599c8a266ff7b16e2ed2bbdd1108d2a6f9a665beec7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
7a7f94fec1b8f53f9da1d9b37866f9fe

SHA1
1411cc3c6a00f3fbdeb499b302df6b1e1285d64f

SHA256
7d93cab668dafe4668f283bc10a2f967b237d66def856aded1db88e313552bc7

SHA512
87ccc5247f71eea87de2ed21537adc57dbdc01f5272b1a3ba5852ead9b1cb2f4344fbc8a9b014832433d8b24a8efd1252ad7e263c6a6a6af9eb1edb157256f74

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
b676064aa13be78e67647a83a2f65eec

SHA1
0ea00cb9cb38bbf6598c6e68ddc79a1b8261db05

SHA256
d9f3e4f0090ce81cf05b917760d174402afee209e6be1cead17cfc69ad404847

SHA512
8982e77874b67d418bd7a6e58c0938646767e59b42f774f62c7012f3a0542fc5b46a24ff4d8ecd4156f77c99abaca283464cffca69037c8b14a0f475295c5836

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
d3b90ccd35b155f5d4883f8c03d8dd8e

SHA1
5059c7b0966271b52d9f8e8ee25eee1649bfd1bc

SHA256
b16735f6491d38fdb89d12e846092569d3ea3910a56c3e6178cb26541f94f00a

SHA512
abb1d9efc9e6c71fb92dcb5b56f535611f39e35c8299aadfdab627adc082452f2838a0d24f7f2fe02e3081e83b65c9394a1a752ec0b8cabe62ffad89dc1128a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
f37db785a10bbac01a972970ec772ae4

SHA1
c54d23ad1d41ce35611ec8d4105d4a73b4798a76

SHA256
00238b0717b58588a53c476e1af0f2e9fbc9f430fb514343eb382886d7d7382f

SHA512
2757c1c9458bf74a738b7ea5bc3b9d841377ce50886de0ab471f096d451070488b375dd20904b4b7012c05e42311133f4c46e22e65ed11b566ed8b2b67a22131

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
c9e9ca3ce9197e40ce733d8fc2e97de1

SHA1
d28454015753926ce5291df29980b21a17da6e3d

SHA256
af9e5f66ff94e206c08739baf986ba0aa54db4b8044373026c7c310c8a3de4d1

SHA512
9f798f442a85a1178f66da7cd99b9c21455674478af4ad1db60517da932a3ebd1c5579f38463b05020a367bf832e336ebc9e5f9fdaf0db1fa71aa5d5c735a79e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
32575e1c481c560f3eae51bcf403e0f6

SHA1
88648e1e5c50f0ca1b0be7308fa4559fd2231f8e

SHA256
5d4b77d39d3fb9a3a1d980038c972d62fde5597f0dd6668cbcf7b61606f545c5

SHA512
27608ed74c8dddb3cbf78ba629e7fcf9b6c86ab24207aefeee26314321e769713b6c537b458ab76594231d78f4bae5cf4d9e2edcf746addc83ca20b53fa372c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
a96a835630b163c07bfc12decdb80eeb

SHA1
00cb4d50a92b04f12633adc317e5408d9072f5a3

SHA256
3ebb0a20af00d93ef267bb407a285e107b5b43074dad2c65a6196bc8faf7c6c8

SHA512
2b65426dc516575dfba17ff0275451a051a60cae0bec9f6e365693057e18023f066515b9da2478921a8ea34ae210230d5b934e496d887ad40d92a89db7dfc431

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
9ab3065e4099f9b0a04d8b1ffb9071be

SHA1
79783b1bb9005ab7b0214af528d37a0e35dec062

SHA256
39ed7ff55a27076b069ed9cdf68f1f995181f9116b5cc07ce52c3bfb63dd3a39

SHA512
a615bab47b7e429ed711cc09120a504bba4a9e80ed7fc77e3778c46a254e4c39da904891bb52616a46bb2f0a6d36b95424ccbbfe7220981a6357368706a1c45c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
8313744bc3f49a2d9cbe6d561fc7edbe

SHA1
36a4e6a002a167dd5613af34ac0fdb054ca7abf4

SHA256
0624dc95a219f3a70d039b346790c5cd3c7639f1883ed101869a93b23f9d55f1

SHA512
007b7978bda80cfa9900a6825c5b0bacad100efcb6e229a916094077b501fc25f890c5395faecb0740899501d235dcb95b3b1c549ed57f8b67f58715cf676785

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
a4f9ea8f6956d4696367b2fedfac0fb4

SHA1
4cf1ebe15ac0719bce5e0c52107efdda8a6cd325

SHA256
f5bb6282fdf3e430c07db65b6695b9546c5134a2ce4a707210fecce0b00957a3

SHA512
eed5abc27f9342ab70c60831a410c04184fc9274c2ae322db691669603ec83ce5b4e3f19e0f76dbb885d2514c8f0d67a00bb0e39c7621de5380d04dce3c3f56a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
fb2db948716e7a77611fbb5426dac5e4

SHA1
20a359bc840e4f7b1eb8a19c201ff52c34fcc321

SHA256
6b635218319742d72a040e5a550a09054f99ed2a1807a3a15310f7b546682dfe

SHA512
c95fd5d1e0b21a620591d605929b972bd664eda6f2471d11b887942f414994132debd8bf0c9d0ba0734700905164add6e118ca36199498da076df6ab96532be0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
dfe861cb59b8f112f804b861c2fe0595

SHA1
9ff98aa2f49b06359c8c522b0ad35f2e8b108b87

SHA256
2fbffe5c7888d846e5c7f6a7f1355127f2afa640c093653f994db78c7229ed5c

SHA512
aba2248c51fa779671fc8498a51607368f84b57d09f09fbb012c6be3c97cdf019454db2e94fcd69c84bf357097a577b019c6f7f20c69bbfa282bed681c6eefd6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
180f3b57b954e97d84fb86128ac32b6f

SHA1
b01013913b081bd6ef6f40d213dcbc3d88266085

SHA256
07994973745e00df907058ac35ad88b5ebbb8fbdbea4fda767406bccfbad7592

SHA512
a3359348034d978ace3f9181d6edb5669f8fca01ecb62189e9c6a5275996cad2a5ba3376aee5c917416bdfb85814da1ecc8e96697d12f9a83ad0489eca20f027

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
1ac34b93d6591b4da37a7b07a0c74429

SHA1
0d185fa85d567a334ded25a1c4b89b266204db5a

SHA256
d5d84e29d0276c7c37e05d0bab5ecad9f5d613ab906b7be53c75065e612b80f4

SHA512
6b7b13b4d445e6205ae6e7c98014049b2b5cae78735ebecea024b9432383299859bc1fb93f158432c221796b8f9c2a96727301dfb379f3ed323ccb43b647d186

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
38f661fb022a10e6fcd6b7b1c09d12ce

SHA1
0e16cd03231fe0a24ffcffd89ee5dfea124adcdf

SHA256
9c8c2e9e241bb2b001ddb144257952514b9761551d19b74767c777c648377d11

SHA512
36021c0c1f0ac6b49f879e99c3cad2cd3524cb62c0e69c986136275d21fb0ecc4e4696cd8927182a0bb6eb0e273fd8ae9424c43a150a570d7c15b896e5654f67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
2011f3b0c46e4f5b7540013bd675d2f5

SHA1
d056405695a916ae753f971602fb40630faa0aa2

SHA256
1cba56d89a00578c1a6d56e2d6b3edb4d3c35d1496298ef99efebfa2999c7512

SHA512
34f479c200e81cd2116d0e1f712dbb97b798a5653d8140e396fc2a0ec6c2c91636332a2b00f21e3d97c10c3212fe4c67294d0c45576f0da7431f3ba57c5537d9

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
817KB

MD5
226606bcd347d16760d0ab2bafe726d9

SHA1
63111cd1017397fcbdb8d60b2aa4f069b0b092ad

SHA256
b8700c18138936cfb5087591ab3e311e1b39fc7f2f91ff89305117e1846a45b3

SHA512
af14dec7b7cb41b4e2e6fe901957556d551b2223e4b3771f36fdd33ebba3655d9fadd81b755c5df991f592de48d2b6be92355ece6950a195eba9b1ac1c6877c4

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
817KB

MD5
226606bcd347d16760d0ab2bafe726d9

SHA1
63111cd1017397fcbdb8d60b2aa4f069b0b092ad

SHA256
b8700c18138936cfb5087591ab3e311e1b39fc7f2f91ff89305117e1846a45b3

SHA512
af14dec7b7cb41b4e2e6fe901957556d551b2223e4b3771f36fdd33ebba3655d9fadd81b755c5df991f592de48d2b6be92355ece6950a195eba9b1ac1c6877c4

Download Submit
memory/548-130-0x0000000000000000-mapping.dmp

Download