3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-07-2022 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
Size

759KB
MD5

d0389cef3d7b9431ad80b7420b2dffe0
SHA1

b56b61c1bfbfb4525f3de44b7720ecb9305f8310
SHA256

3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963
SHA512

6551a26272faffc4458e115f1f6c90016b59166bb41ebc8a0982e946b930e4c182c857c07dd9ec422008ef06bb5d91dac2f38d93be615be9974c26688647e52c

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

HelpMe.exe3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\$Recycle.Bin\S-1-5-21-2632097139-1792035885-811742494-1000\desktop.ini.exe	aspack_v212_v242
C:\AutoRun.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

1760 HelpMe.exe

pid	process
1760	HelpMe.exe

Drops startup file 3 IoCs

Processes:

3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exeHelpMe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exeHelpMe.exe

description	ioc	process
File opened (read-only)	\??\G:	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File opened (read-only)	\??\Y:	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\I:	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File opened (read-only)	\??\U:	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File opened (read-only)	\??\W:	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\R:	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File opened (read-only)	\??\V:	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\T:	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\O:	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File opened (read-only)	\??\P:	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File opened (read-only)	\??\Z:	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\A:	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File opened (read-only)	\??\N:	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File opened (read-only)	\??\S:	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File opened (read-only)	\??\X:	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\B:	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File opened (read-only)	\??\F:	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File opened (read-only)	\??\J:	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File opened (read-only)	\??\K:	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File opened (read-only)	\??\L:	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\E:	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File opened (read-only)	\??\H:	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File opened (read-only)	\??\M:	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File opened (read-only)	\??\Q:	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exeHelpMe.exe

description	ioc	process
File opened for modification	C:\AUTORUN.INF	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 4 IoCs

Processes:

3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

Processes:

3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe

description	ioc	process
File created	C:\Program Files\Common Files\System\msadc\msadco.dll.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\System\msadc\msadds.dll.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\System\msadc\msadcer.dll.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\System\ado\msadox.dll.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome.dll.sig.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_100_percent.pak.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\System\msadc\msadce.dll.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\rtscom.dll.mui.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\7-Zip\7z.exe.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaps.dll.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tipresx.dll.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\micaut.dll.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\Services\verisign.bmp.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\eventlog_provider.dll.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome.dll.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipTsf.dll.mui.exe	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

HelpMe.exe

pid process

1760 HelpMe.exe
1760 HelpMe.exe

pid	process
1760	HelpMe.exe
1760	HelpMe.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe

description	pid	process	target process
PID 2540 wrote to memory of 1760	2540	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe	HelpMe.exe
PID 2540 wrote to memory of 1760	2540	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe	HelpMe.exe
PID 2540 wrote to memory of 1760	2540	3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe
"C:\Users\Admin\AppData\Local\Temp\3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2632097139-1792035885-811742494-1000\desktop.ini.exe
Filesize
760KB

MD5
e2a0ee9e328a467646e86d243d82ab8e

SHA1
d242807748a5ad121783528946177d518bd0d0e1

SHA256
a302e3c0007f7e3f026cc695a4d79ff31e5739768d8a4b2eae26134c865133ed

SHA512
d9cef39750ad93a177d3b46063c415e1319dd49bee225ada320ed875d6354e5138480338b2fe7b447392bd1df0e05753002e141ca3f7e4b04baee8d7a64b1f7b

Download Submit
C:\AutoRun.exe
Filesize
759KB

MD5
d0389cef3d7b9431ad80b7420b2dffe0

SHA1
b56b61c1bfbfb4525f3de44b7720ecb9305f8310

SHA256
3ba0a4aabca51a19f79a8964f28ed37687348faeb41aac3163aeaacc9b3cb963

SHA512
6551a26272faffc4458e115f1f6c90016b59166bb41ebc8a0982e946b930e4c182c857c07dd9ec422008ef06bb5d91dac2f38d93be615be9974c26688647e52c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
6aa8c39994234303e984dee05def79ed

SHA1
b5b90beb0409d25a2336f6bae6116f716863c8a5

SHA256
cc6a366f087d92ff9edaaec10112bca565f0323ac6fc2eda21c2d5c429d3638b

SHA512
cb2c885b1cb16c996eabe9a5bdd7b331fe884ca0413851f2cc5cf8f38b8eecfce4b5c4f050d8b1b6f6ba16d23118b3a9d1c9c7b7241c0fe1e626e520103be4c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
c0a4b191dfe12284981d3f56367f64ff

SHA1
a812032d5cce02bb08d9368bab17b337d6a591e5

SHA256
846a11b4a502e68936088989748efafb9ddfa723dbddd0815cf9c5c8b19327da

SHA512
6204105d512e5078fefa8d69132720b53a6b13990eb269a0eca5ef3a5f549ec2c435d3a5e8e0e2b6a21539fc48e86a03784c4ef780cdb733714ae62dbba64c5d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
0fbf24df8da36cdd407dc06c0ef22a02

SHA1
97371b2fdb158cdece5c19d18501e7836b51a4d5

SHA256
50a0cfcaa7f7f70cf7c98231df61e162f2f675f3f1696fecd5257c01623d595e

SHA512
aa5e94fefc6d53414e456c17adeaf21db3b1d4d81b43a82b29e136c4b9772bd3ee00710fcdb5315966a1f982ea754938a710c6098a2f1d696a4f14d603238590

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
4718ac216b03f71132754b83d1389fc7

SHA1
b3b61e25d174f153b1ca8d7a9573ab20fd5bdebf

SHA256
f147da301df1061deb387ef1de82136b778f6406174740a1297be109fd91e067

SHA512
cec84137f86da6d870e688a35fa41b4b46bab476e3017f698c0ebc34a7cbf1332bffbf8772468b694fa0a879009dddcda0147568005b16ee48f446bc8d836318

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
27e006977462f677e748159661228672

SHA1
a755156050f119854db0cddc81fbb178a9a79964

SHA256
57ad3d3d9c9a19e4981f928fd871a175f37e489aec49f8dc19740072a467633a

SHA512
ffdfbed1acf7ace94095f35de444f4a207200b57a57cae5ab3caa2965f6085f703f4609bc425ec954a4f29569cdea52a64cfaf3823fa0c30a9acac09186a0756

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
9226335cca2100a2bd4af901cdd973eb

SHA1
fc980052473f6a2e3b8dd8fcd4edd12971c17155

SHA256
ccb5485f190e6a3a69ddddae06e572595d6841cb2779c52a6e5090d02eb2b5b3

SHA512
8b99966d2663ca8c0fafe3bafd13540f8660601f5af4f4bbd58e73d5ffd34a9b07fca746519eda103c6df0f948a982e87f041ed3b0342fd8e7fd411effe46195

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
d59dfd17d49278d184c47deed508cf38

SHA1
7bfa36a133fb3c349594e39b99af6e7d7c81dc39

SHA256
b20a9d9302f9a76b0e9c0e6ab0c65ec21c17116a818b7bac84a589fa4700cab9

SHA512
9861aee3d313d37118e5f5923190de4e2ecff70785dd6d782a53d697cd89c779a7bc8a454bc891e4b5a6a05b3ad306a8ddef544f3a543974624f93b6e9faab0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
0ba0025a8b500a1359187783f609e004

SHA1
d6a57c5bf4fdf31c9234106cdea72cc951e4193e

SHA256
34acf6908820760c36bc62597c73716414d8b94b9a6c0833d4cc3186d5a1db12

SHA512
1cddf5ff513e4e826b8de9885aa3fe7632c2bca7bf1d4057dbabb4979c1da49b870c7fca83b162127f2ab70e6804c24aef624f5034fddc7e0c61ecc9425621bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
f8ea3f1d9da7acc7fc63666fb34484ef

SHA1
b94a372eb44d6c7770febc45c7d6f359c79f1372

SHA256
1935cc1bbc4997a3fb5f1b1296004ec72a07001937e6508816851cb49eb7b952

SHA512
5e4c8cd6e2f15a9e498325f537b1f8a384a2308631fa22d4c9e2b4617e674fceee450714efab9150111cdc753cc62e00e9419cf41d6f9d4665386622f94f466c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
0db104254424fd7de0ea366bb1053176

SHA1
b1be914ac911e2e87168fc889d3533a40db7855a

SHA256
6612d3bfec749f941fba68bdec3048624fd5393878550cdc90fa8466afe14880

SHA512
a8451f1c12483535ca0e91e28ffbe5fceb9d8b5a9d98e5b57dbbb02ead59cb1d44746aaa0092a60a61a5e363e1b106e725efbc2813361da3c278e08680cc2c20

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
4f65dacf94dcf4ab4d414300ef070141

SHA1
9ce9386d32c5dc7d74e9e3580530158485cabe91

SHA256
428702db9d0554e176036fa890ea22d312ac084f80aeda58a0fa488fe78e969d

SHA512
a9187c43825741b7fc7dc4a1e5c5d69fb9ecabe3c9128d6c4a574919cd3232610618418afb2c78f8138f7e7400fb0905bbc8c81c3cb22a75b4007430c5ef8c81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
3a4d39c9e522ad2ee97e15f8b6b963fd

SHA1
5a384f15bf62c539b83fcc177c32c52916ac49a6

SHA256
fb1488533e1450632dd3d3c72d24bc6379bd54a6aab011ddebd71706cfce8291

SHA512
8582b0aa0ed645fa54ed345b345642b3e2dc54b5baeee132177e035aa2892564331c550495ea9a991c9562d233e898b6b9937945b779d2715ba942fcc71841a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
1c91297947be8ef6cf5384f4d291a226

SHA1
edc338f5ee8267885260a5f9a2b4befea2b8716a

SHA256
7a4c0d4c00d92a447b1e9c0c867fb342ed94521d701c4c1f93fae2aeeaecd293

SHA512
6725ca8af67afda7982d3a4be616f600418f99f36d61f8170b8f88befd83124c40b1a96a47610054306d9e70b764ffb139a9fecaba304aabeb2c1f5bbcbf2070

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
e262dd95e2d1f280947e58d4695a22c8

SHA1
5dca971f307b767c0f9ca10c6062e4ef09d11736

SHA256
5b77a604710d004f1eeee4b874fde6b6f5cdbf6c37cf859525ae6669a3fa08c6

SHA512
b91257e97d3ca76794c328c2846f78499378da0aaa7da8e100caebf481971c9d35579cd40b9906d5bfdf05ea85c4c1a1bb0ef728ce92eb487c8e0ec2fd3825fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
9a5677c1f59faf5c427be6cb9d8f5661

SHA1
a5f05568e2c531e7167952c41a99b8ad377a9d32

SHA256
744e1de23915a84706f86f732f601c8ef14cb0a86ccfde54373e0f6574a68d06

SHA512
e6457584294af61b9cec9c1a8c058dacaea4595611344002d2423d81dc4666c800bd5dd5401bc72c2a0a447b5fc0c773eb2334fbe6d6deeb20365a3b5cb799d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
d265687d0428068d3f51e15b6552e070

SHA1
6c52814712f065708bdc106d7069458ebde62cf6

SHA256
9d2ab88fed358f4a360db6418db6475b2040586b8f3391eaed5687efb33591ea

SHA512
55794e71a6862394e322d014b0fcca46c7d8e9f64757a98d10266b445fd50971a7b90da6056c19cfde96f2851a57a820f0a47153de45a82b6a06bfe98e39354b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
8764e511d29f92217df69a2e5de61338

SHA1
d363e0a1796aa23ef15dc743a7d04b191e811f5d

SHA256
01fc45118289461dc8132de3a60d0d4b802cd987cea53be46397311f76484eb3

SHA512
fd142f6575a0174d7b2fa3145b94111edff892972231fbbb01c7662674087c3035ffd6f3b5bfa5758a5bca5c7e2c3d0d624952e3592915ae39e964d7a4e26037

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
c162a4a7b95931638fad13f7329c7f34

SHA1
a78dfd38ff2f6295542c154fce2b694dfcad8931

SHA256
92e78982033fea2ac04b419c81f1149ec16667ae80bd02804d48115dfc5d006b

SHA512
69f3d2c3ce9440425c4329ed50c6d1c0498692ddefc52db0ab0ce44517e3e8e6e37a0fca9dff9b818140fba80aba992fcabe5f41637290dce3bc0a6a06d5fa24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
536d07347916b5ea667de6a353dad89f

SHA1
a7b093e722597a29393927a4930a79f1d6cc43d0

SHA256
1fed1b16b301d18c9d534dff2127ced7a70fd4bb1c4fd6fa29527228c6f90fbe

SHA512
d8d0dee7fe88c9c295deeb8abe8c7a9eca7ad62edef184d2dcbc6f0082edd678b3a648fdc1f4d3da20eb8f92fa01ab0d1368feab1d7980939dd8fde46c49eda9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
abb4e92eb7c5bd5a71ccdbd3007ac01e

SHA1
388acc936bc4b0396a402052376ac6434c1984ff

SHA256
3075c0300ecffcf1e825f00050571c5d06082f83dcbd64960b9820b762cd6509

SHA512
9a086f9a0492ef8f2131659c888417df9805b9ff2e8eaaae0af8e81e5a6b451c5a682fdf0beaa517a44f9f3b135bfe07796e5e77e7ce9206a2607b26a9bd1568

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
400b319be7410f8fe398b574a9a68e97

SHA1
ee560dcb7deb182ec99756a21250defe46616003

SHA256
d36aa140018599d027edeac6c3845b9c895c4ecec7db87099745effec64c06bf

SHA512
b01c377bd6b36c4df34a3262834118147326b37eeea2b1ac3c9141512e85c7bf5f3bd8f0dffc1e2401f9d3282ef6d2825e60e5ac229e8e7b3045195adc71e040

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
fda1dce6b96c3619a9417e554390e146

SHA1
e05f5d04071b7db0601db11f314afb3e2b2e26db

SHA256
4219ae55c382b82bdfacef75d90d155e3f23acefa7ed8f066e5690e57a2053d7

SHA512
c8f58c6a43bde76e0901431088f3e8dc1435b7508968f20ae3c21ecad3c224e3c91e5510ab71131b38b76f9db04e0480e8317b1dfa57d5a54e85f6b0e3c8b122

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
64fb1c56168a83cc2548162980c540ae

SHA1
27c315895ebcc6107a75d6564b4a95f6539257a0

SHA256
7b8c6c671facd2677433522acbfaac0d6531c4c7c1438d06719688093b60828a

SHA512
befd999932c02f5ed55bb600c7ed8ab31697e739f7ed97f650d27676bd958911d5d3d7f3ad068e4b4510192b3db6f713e81dfeef7f9670657afbfc9a6298c364

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
628a146529b7d751dac9f7c003d8a5a6

SHA1
943fe9fefe806e1290224d33e8ab15cc3bb37da3

SHA256
6e366b9a3d94470266a9e2178c53dfd804ace10a35fbe589f1f72bbbffaf769a

SHA512
fb673aadbdd39bdda5657ac5462bcd17da463ed4a76f52054463807d1d94e35656d71746b471ab6bd1617098522699ec1c1e8305f0e1e5559fca89e853523167

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
628a146529b7d751dac9f7c003d8a5a6

SHA1
943fe9fefe806e1290224d33e8ab15cc3bb37da3

SHA256
6e366b9a3d94470266a9e2178c53dfd804ace10a35fbe589f1f72bbbffaf769a

SHA512
fb673aadbdd39bdda5657ac5462bcd17da463ed4a76f52054463807d1d94e35656d71746b471ab6bd1617098522699ec1c1e8305f0e1e5559fca89e853523167

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
4f2ffbb3c9f649fc3da3b0e387633467

SHA1
39db97dc2bac71c61f6421bd60d24929f8753df9

SHA256
9b28f3694de3bef93ed72d748a6dbfcd3b809d2d5c9c6d42b2f212e8779d4221

SHA512
67def7b02b99931eb95110c4dfd7be4c42f5e7611caa3f26efc87bf093331a70b32293414fec77454e5ba70a8352230c0a5054128134a4af3ee3681c2a7046ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
97907a6c69eb32fccbbd5e49c9c2202f

SHA1
dec339a21dfb0f676c6d8254cd5c09488b0e5b84

SHA256
cfc888acacf6abe37e28b22c11199ae0bdc595c947423f60f29896cab30a027e

SHA512
3f62460425f6d9d8e15e71fd2c911aa022a808fb479a1bffecc2313c21fdf18e9e5de22ff6b1b0fc9892ee21ca97c553f6b034eda5bb156eda9cc7d6f7161e3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
06b177877db279b513c5ed1e022ff901

SHA1
836e35b8c5f4b6d18fc00f2c16184d603c029b06

SHA256
8f9c26bdd849ad972f1173f3a443eac7bd47f8cf73e48f9a9ebca0f251b1fe1d

SHA512
d69820a622523fc854ebc5b5aa3b36c805ed9ba29ba4f0a1ce34c9b8a07c7387aa6a18f6e481f5c334a7d454234380e6aa468532027b835e6472f0e8e5614fcd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
06b177877db279b513c5ed1e022ff901

SHA1
836e35b8c5f4b6d18fc00f2c16184d603c029b06

SHA256
8f9c26bdd849ad972f1173f3a443eac7bd47f8cf73e48f9a9ebca0f251b1fe1d

SHA512
d69820a622523fc854ebc5b5aa3b36c805ed9ba29ba4f0a1ce34c9b8a07c7387aa6a18f6e481f5c334a7d454234380e6aa468532027b835e6472f0e8e5614fcd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
6b646b99cf662db2c30290549e98440a

SHA1
0893fb4916b4ca5dd234de8956cf304303b1a6c5

SHA256
312cbb7c1856b662dcb76cf41ccff3d59adc6dc509fddf25bcd7b661b29126a0

SHA512
d802bda51c47b1b3540daaa2e444c02c39e984205039114de4e9849d203544c996bd0ed189c63c84dea376a0730424b14e8582a6ab307ce0e9ecf2ab8c67483b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
635c4aa5a36cf8df8e9cab9961311dc3

SHA1
2f2fd67a227f0c54aaecfecfcac3628daea768b2

SHA256
46837c3a9a303704c9b5f8690d296dd548ef249bf4ff772aecbf20e6fbfb76a7

SHA512
e83157332e83de58b9810b26fd41454f06ccf9323e9cea5022a18d22d2bc9cf1d660dd89fe688d174b77833ed5953a3b7ccbc9a3a7f09011547165e0643f851b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
0cd301145ddf9489b9fc56af17364c74

SHA1
fdbe8fc02e4df98b5aa2de8473af917c1d9e2464

SHA256
f2c7e656bf22c8c355b47bc47b217db4b60f98c775ca25747ec000dfc9aef265

SHA512
d1736a47047f34050ab12e97724a1fbddab61685cb6bb37dbf6ccc3685e861b8a94ef5c17ef23554bc18be045740adf0c7be73fee567d5759554ce04aa9d93a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
4fe419763a4f0e54e15d0b15fb299d52

SHA1
0e88c14dc14cabdba415f6e2f5dfda137cd26888

SHA256
deadf9c40ed15107110bc7df071817d7b15798cc3721d8ddc5f1a7e28c1e5362

SHA512
4a5dde42f3b8ca22080c7d7e4494011f876a31a4cdaa66bec436122e7e64089465cb881bac9e1cdc4b3e53f5b234d571a1e7e6b0fd758f21d5ce5dcae8127962

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
9829eb54815affbe2a1e9d55b6eb30dd

SHA1
595d3abda73e97d05d67787284ae93097ff34a2d

SHA256
4fba9ae18fa15c438d0339abc1a82cd78154c9600aeae6c684c7d6984e632903

SHA512
85c05469a28a9998cb9f4e1e477b0c356bb001f38646f152ef23d9ade5afbdb77730c5b80078d55830c61d75b56eba356cd3b9193fc1dfaee2598aa50899ba51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
4fe419763a4f0e54e15d0b15fb299d52

SHA1
0e88c14dc14cabdba415f6e2f5dfda137cd26888

SHA256
deadf9c40ed15107110bc7df071817d7b15798cc3721d8ddc5f1a7e28c1e5362

SHA512
4a5dde42f3b8ca22080c7d7e4494011f876a31a4cdaa66bec436122e7e64089465cb881bac9e1cdc4b3e53f5b234d571a1e7e6b0fd758f21d5ce5dcae8127962

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
b2eed00729b4a48a03c874e3ddf16738

SHA1
d3ecbca4f9a77cd18b3f2a18bd1f46ee413193df

SHA256
af6c37d441b814c22b5a1559e5396a34b53c670795838555333cb0b554c79d45

SHA512
7a4dbb94cfbb127fb01504e31dbdfe5eaef7b19e6af72d19d1033bf3fb2a094d9f295848de9354befc67558d1d403fd90e9bf26b4b949e659d39e24f012112fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
21c761898c63342bcd84eed68c966ed1

SHA1
78adef95b762f5970b5cb8212b4220423f844540

SHA256
cc3452d3f5b84ecc80bca06e2d4251b27741719954bbf35bedc28eb7eb8f397b

SHA512
8fbb43f554480a3b4b5448bff652e5f8433fab964cd118daca9a890fed9fc741dce11734ad717fcca24817092bb310767c30c48300ba5d436d6719dd7e3673f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
4fd21a309e92ae52a01a48fc3cc34183

SHA1
0926a244f8b114982392afa2caf29378127f6df2

SHA256
3e75d5c296bbc94d1c85e43d365813ccdcb229cd54d0d565cd845764f1c2997a

SHA512
8bff3243abe7710b80ef10c9115beb199070ba747edd2013033f0bead098020bc2c9ae92b5a175e86864248636c51fda02d4b5135d4269055110cadc24777c65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
6fc5b342fdbb8622afeaee1cbfb5e1e8

SHA1
daeafa63669de57eaf4817b73c40da2b020ef36f

SHA256
30fd7aca07341bd2e320ff01002a42c3a6b29955fd9118ebd6957ee63a307cd7

SHA512
222dc759edab91abc19f270e512b8fbf3f0f8b3bb633e8f9c9837fef86898a1a5395df465769d3e52f13e2440a262f02f4d4ff3624e9f05de45c9d0c0eb4f941

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
63705b5df1b361d5f8e804e7f653406e

SHA1
f415f0231c643b5282e9848a7d97ee4b15915dd0

SHA256
510b1ab3eecd943568b700a580de0fc792b9618ecb1c26ccd48653fcc9f4e083

SHA512
b5fac837872c53210d1d94ae12584a6fb48498e7febb236804d67515d11888cc082989e9147638d3b3e94f55ff20728bb78c2c05f184d1b8f655f74b94a7ae3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
8a1dd6c14714e33f060bf8d7cb4fd46b

SHA1
76bb7dca79f110ec4af2b6db5000ccc018098ace

SHA256
c58273ace12737281f2b418fe76fc7c8291157dfc0e49f390ae8d6a65a0abaa6

SHA512
e859c2f70826359fbfebcd4b4fe835d29ef8439ad29c26a99154689a1aeda0d15ba8ee05355c9b86e3c11e4aaf65569e2619f7888fee912103bd0ea82b181c4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
262dd218f473f5f36767cffd3a5674fa

SHA1
ca05735ebd5db18bee9e050be247df75b229ffba

SHA256
3c3e6d9109fe6a67499115dcd8ffa0a51358d17a7569dfd8e7f5ed48b633b45f

SHA512
4ccd94f348505537ab4c78f1a5c159fbe0993971244cb79b20589a33cc143f2c3344e0cae63d40a511a54757762341e6638df984a1a90dedd9c98134e2358525

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
e3519f30a8aeaa6344cab53b84e9061e

SHA1
958b2923ebf1b21e75580c38d19e347a57f27b55

SHA256
ed7088df4fc4c8fe65ff6e4fb23f2a245a212528805996010c1bd5816559a495

SHA512
3a8e7d20ab69ce45e6c7f490dc49c9aa9f51318f9d4404f2f9e0eeb737aaeaf3096d3ecbf7001e8bf656f164dde7ac860ac7f6a0de715c89131d313ed1e70e20

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
29a31db551f1c49d84b32809ed459dbd

SHA1
fad084d696547a20d338548ed733aa893cc02f65

SHA256
386622bf40b697b8e58b4ef846fd8df15b314f291f44ac80222714621e808c86

SHA512
35d8583ae36a273012afe1093f413a208535e03215a4586c5480dccab908fc6624d784834339f77bac5a620be570b954d2c63da1895b36c8e1da0bced3b0dd7c

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
759KB

MD5
42f633fab7ced160481e4be015cc352c

SHA1
a0d96061ae17175fd478872fdbe42e278e92da4d

SHA256
8995ce649a4ffd4b4c64614388767388574b8ed268fe8e5f6b3a9a13bc21de86

SHA512
3c6f67d42845b4e073b8f76432725604ccec4201c55f2af126a9175e4cb0b300e0c643611c55ae46516989af341ffa7391978e1dc0eec582430082b470db1b3e

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
759KB

MD5
42f633fab7ced160481e4be015cc352c

SHA1
a0d96061ae17175fd478872fdbe42e278e92da4d

SHA256
8995ce649a4ffd4b4c64614388767388574b8ed268fe8e5f6b3a9a13bc21de86

SHA512
3c6f67d42845b4e073b8f76432725604ccec4201c55f2af126a9175e4cb0b300e0c643611c55ae46516989af341ffa7391978e1dc0eec582430082b470db1b3e

Download Submit
memory/1760-130-0x0000000000000000-mapping.dmp

Download