3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250

Analysis

max time kernel
150s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-07-2022 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
Size

1.1MB
MD5

9a2031a0649f7f7af06ecd57a6b64546
SHA1

5d3741060fb4babe79203b036bc60da4fd1b1019
SHA256

3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250
SHA512

b2e225edc4b55de03123c505b87c0dd38bbfa84009a6d506125aafebf4b17e26c871c5402951a23953b41dbb140ec378358c5820aefb142363276bec77c0e987

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

HelpMe.exe3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\AutoRun.exe	aspack_v212_v242
C:\$Recycle.Bin\S-1-5-21-3751123196-3323558407-1869646069-1000\desktop.ini.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

3696 HelpMe.exe

pid	process
3696	HelpMe.exe

Drops startup file 3 IoCs

Processes:

HelpMe.exe3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exeHelpMe.exe

description	ioc	process
File opened (read-only)	\??\G:	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File opened (read-only)	\??\I:	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File opened (read-only)	\??\P:	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\A:	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File opened (read-only)	\??\N:	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File opened (read-only)	\??\X:	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File opened (read-only)	\??\Z:	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File opened (read-only)	\??\H:	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File opened (read-only)	\??\K:	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File opened (read-only)	\??\M:	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\F:	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File opened (read-only)	\??\S:	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File opened (read-only)	\??\V:	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\R:	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\T:	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\J:	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File opened (read-only)	\??\W:	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\E:	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File opened (read-only)	\??\Y:	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\Q:	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File opened (read-only)	\??\L:	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File opened (read-only)	\??\O:	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File opened (read-only)	\??\U:	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\B:	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exeHelpMe.exe

description	ioc	process
File opened for modification	C:\AUTORUN.INF	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 4 IoCs

Processes:

3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

Processes:

3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Lang\ca.txt.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\7-Zip\7z.dll.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\7-Zip\Lang\sv.txt.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll.exe	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

HelpMe.exe

pid process

3696 HelpMe.exe
3696 HelpMe.exe

pid	process
3696	HelpMe.exe
3696	HelpMe.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe

description	pid	process	target process
PID 2396 wrote to memory of 3696	2396	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe	HelpMe.exe
PID 2396 wrote to memory of 3696	2396	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe	HelpMe.exe
PID 2396 wrote to memory of 3696	2396	3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe
"C:\Users\Admin\AppData\Local\Temp\3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3751123196-3323558407-1869646069-1000\desktop.ini.exe
Filesize
1.1MB

MD5
dfa0e15f75a967b33798a7951c59f7eb

SHA1
844952fbc1afcf32f45fff5df7d6fbf18ac83c99

SHA256
aea08e7c0fef67efcc78d8a93438db2adf6d0ffb8053684dc26621548f050b3f

SHA512
73a2b450d738ce888871f0d7abf4c91ee44761266695644091d62e55061a5503da4eb4be8634227f3546df2dfcb3d9e55be75a2b2a65d253f64702c634cfa50b

Download Submit
C:\AutoRun.exe
Filesize
1.1MB

MD5
9a2031a0649f7f7af06ecd57a6b64546

SHA1
5d3741060fb4babe79203b036bc60da4fd1b1019

SHA256
3b1d83088375036d9175967cd53c0eb2ac8a351ffd7330b21478cd3d42dbf250

SHA512
b2e225edc4b55de03123c505b87c0dd38bbfa84009a6d506125aafebf4b17e26c871c5402951a23953b41dbb140ec378358c5820aefb142363276bec77c0e987

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
f3b4d524277f8b960c42eae4161d0930

SHA1
91a23648cabac8095e2fd529d12dfe443068f6a4

SHA256
aef50bdf05887977b034f6ca7d348425dafd9e940b2c25daa49a74a73df852f0

SHA512
468d56dce1fe6d56163d4d37f0e1ffbcb52f9538bd77d5ccdb20a94137340f07fc01bf0e9978f8da53eca0faacae5752d5196b00dedf6f16748ee197ef33b05c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
626241b629525ccb05933f20d94f2283

SHA1
292678f731e19c3a136f9de3c8246f5e5c798d50

SHA256
a24752da4a3ebb932d57489a1827dd3d8aaeeedc59ec642cc193851c714cf624

SHA512
aa6d4eeca8a6fb676f760f075a82c028ec2063a13083bf919f8ec0bf799122816749e327ee7ba35951ce6e7ee9ded1e9fb83b54c75d4a0bd2883664fe1067338

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
8e693baab9286c801d93663b73f46ac1

SHA1
e96dad6b6860dad5275b8eae0c03fdc3a5228f19

SHA256
22484d3e163de95a363b211814c544b015d23c1f89cb96c5bcbbf4645af142db

SHA512
e2bd26728d58999ece46c3338dbded46a362bbbe20d2ee6a6b518d0a7eb9b0c7be08abae4f344e241e19e4754c460dfc58aeba8ae58a87884cee8369fca8c3d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
313610ac525ecb67a179397479bd0897

SHA1
508ed49508d4517345b0e19f1077a785e85d81a6

SHA256
b82680b7c757446a2078301685b16d49187531344a72800f657b74e825b0ead5

SHA512
40402e2ba131b83e0949edd2a6e3ed3b5f4f77eda068a4ad9f8e9ea2dbb637474d813a0007eb98aca1513b7a23afc87665d046702071f45caab6970799c86f48

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
313610ac525ecb67a179397479bd0897

SHA1
508ed49508d4517345b0e19f1077a785e85d81a6

SHA256
b82680b7c757446a2078301685b16d49187531344a72800f657b74e825b0ead5

SHA512
40402e2ba131b83e0949edd2a6e3ed3b5f4f77eda068a4ad9f8e9ea2dbb637474d813a0007eb98aca1513b7a23afc87665d046702071f45caab6970799c86f48

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
54aced8960944431afc0b00acf9862ab

SHA1
96c847c11b96caab5bd9e60dabc399c447580526

SHA256
6ca3b7f8d17b20374e516f85425254524b9a024cf885016ac17517bbff33c260

SHA512
e26d76e2551e57dbd2c4ea2180a58ea70a1cf8d2878a6cf7e5c497625baf7f0c1ce196fabd58fd1d795e71443f7b8f662b40b24b970a48d236ed533bfc85332d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
153e2a2b6326fc1aa5fdbd8a5a72b15e

SHA1
e252b8c0f31539967db6cf233f7373e5ad394528

SHA256
33818a3a76ae55a2dbbc2b52e020003a6199378d9f8633ef562e5fc227c61ebc

SHA512
d475f8030876236fac2de36817799a3733d0402d60bfb13bc59105905890da0a4f1c2f276639dbbc74097e733e225b39efc6091fd3e990252cf692d23749448e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
6d9381bbd02670ee34e0a32bfb3666aa

SHA1
69dab36f4f820ec0dcd93cfd6e7ca3254c8493c0

SHA256
c330990dd60b5fe281bb32d896053dc9a180c726a4bdaa9c4c2d661d30fd8717

SHA512
fafd2a1e9180f4f6ad02e423c409fc408ea99ffc4c1745ceb3d23d4e01e7616a18d763c956eab13400dd81bf53483e60eeff8d8705dfdc377d3451f33f86e8ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
ce4302aecbb300d3a588d3fe30e41ebf

SHA1
75d1fb5900051397786822f4cbdf50a3e1868283

SHA256
204b49a3b99e679b6aaa340532ff368e05e1b825cc12d73ba8b6f030c9d4b304

SHA512
60f0905c03c11e774c77c09eac4c12d8e11640d4f38970187d15f076a0c509a8619492e3e599b1ace2916448b1902f749a8146f5568ec8a83fb4309a2e9a48d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
324f9b42ba7e9f2632d6f6f9b0df5c53

SHA1
41c9a8e1177caeb3ecbba5b708d5cec192fd501e

SHA256
ba5962064d66030757a9b200d2c75f2b43659b7bda2d027bb3aece4ca66f1318

SHA512
2b478b4468481d45292319dbba06645f741c01aefebd6ba79d3caedee884225c574edf1a1691e641a6ea5a6b8b5d2a12c3c726e180f494517fb6160cc34a1b05

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
f08c1984f7c4a667d8287e7da0051a1d

SHA1
f58f03aab3d0198b5dd828afe3e0e3f5dfe3a8eb

SHA256
4fe5e891554fc776bce59681b61d21ade25c79d46ffde8ef82e9dfe28eacf34d

SHA512
e61971e71c7e46b6a8eeca4b15218f3e39242e91848a84e234af3b289de120bb5be94c3e1b86b5ba9254ce5f973cd727b8129b8fa875116023fd0aec11922617

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
cf760222a4ae367965aef850b535be89

SHA1
3bcbcad0d9816c296af0b06b025b02ad7a265815

SHA256
466f26e95f136e427bd7a69b2b77eb2a36384311df29174583cfb57ba81c42de

SHA512
0ee1f7eb71e2285951d4ed6a960821996be3d3e18c5c191a7515febf9542af073877b63484094d074cb5be9262f2144469b17b74ebd751e95db41aadb7900eb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
1a3657eb7f1958c317d863106a7523be

SHA1
a4a8c8bb0c3c1102c469cc4323b0c050eeb6be9d

SHA256
6eccdf2d9ce9c8269a19cda141f9eedecc3330124d32b1dea95aec5c341c35de

SHA512
372bf3a55d09092826872e5d1ce09536205f3d66a559b58d209361b80fafc84556707253cfcfa35053f9ab5bb7582f78127eb3ff468db85a19c3ee3bdec27fa0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
3a74a51e5f45953b7bb15b0c09a6e1a8

SHA1
e3711d7d408bcfa0008f3f3c62b63bb679c6c5d9

SHA256
cd800be660b6110dce301c1d9bbe6a4899851b05982666b72a08837329bd6677

SHA512
b2fd61e31effe03dce9ff5df7b5959e290fa8b78aea0dcd71522372afe9187c67671344166acb5bae0fa61ce378a195d21189d270d9010853a900c1906da003c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
c9dc02958896fd1e3f146ff88870c6df

SHA1
fa744568f2ab5a0136b36005a687775e083594a3

SHA256
ad4f226d1b5bd16bd71c7ea09f8b5e2fe5ba238536b8a46ef1bd3e77e85afc4c

SHA512
a58fdc5b0e862ae47b26f22c2bbd2f9caaf8b30bfc8f188916166586138748f826386837b12c46874dd18a08e24f0360fc9efae1ba51e00398f524c110332225

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
e74b9dbb2de2635e4be46e0ea0165a7b

SHA1
eb855983f3c4f2386c5bdc093789459f21c4ea9b

SHA256
790d685f063756c30a45c4a1ca2823778b26c21190d47970164a6447a7394f66

SHA512
239c39db7547ec96f40d2bc806aa03b0d5eba76a1bd384899cecc87c855a05cfb01ebf8b6e00836380034eecbd0be4ae77320f086a49507f24757a420b385712

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
594f2dffa1b4f2225ced4d18b54d06ae

SHA1
7014ee12cf28dce2b5d2c56f87c5d35059df8f9d

SHA256
1d7f8f1d64409d1f505d05ab6c4ef33717fca6239c427e8926bebb13404b5bc2

SHA512
f601b75e8006145e69aa4401ce57a85b8e75e05a92f375c5218783e8dd5b87a43be2c7e0b1b619b80fceaa9db9010b873008e78251f19522034f5d18d04db049

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
4f2ecd992599bc73976e6cda93a4755b

SHA1
bd484f9a84012d5ffeaa93e457b33a9ae47a638f

SHA256
1a341ddf9020f331096a2c36ff0c1c856af6efd6798bbf46f5549b7a7d36076f

SHA512
5dfa666c0c3d12d35bb33209481387796869888c8bf1e812ec1fecf664b8ae729dd9cc11eae09e6f7fdb2b37e0c2a906b4970cb52856f036b49a1f29fa3cfefc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
9f8584ec82eb261067912dbfbaafb318

SHA1
33a369d7950c377a99480d74bbb0d478648d8380

SHA256
cebf627bc784c1be31c53f885150a0643fb2739fc615f9b5d97c558c7a306e18

SHA512
cea7d162ca234b540c5b70ce243a2db62f71f80ff941af5045445900bce2bc675c2fd99e38bf8e2ba16573a8557c96c0f8a9fb7f4602a3694f1dd00dd7b0b161

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
18824faaa722f4e3e135414ae9e4b9cb

SHA1
e6b1834acb7af15351a4d4a42bceb632ec39f421

SHA256
ecd2c852d0a4ba0af6c88c048d35f3f1c918ec80b02a859f81cd352cc3bfc726

SHA512
e8d9c1915559abbb318829ba83d042f4a2e30846a3fbafbb58835e38b7c2b5897a70a328b53584903096c6bc606a64afb02aa50481405f6515f1f917499aff18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
0dc8f1394c1a53f11993596fa9cfb041

SHA1
4f528c85857c030a6c4542d84baeb0c019c89616

SHA256
1aa3345a55d355cc76403056463289548b0f55f4f8a766608c5ea7b4ebef0bda

SHA512
d9659f681219a1fc1597b347acf666fddd0312c4b1ad4f12dad1f340a373b13e2fdd6cceaf4d497f2fc058a55fbd39b8d7bf94edb44bb97ae4eecbf37c21ef9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
0dc8f1394c1a53f11993596fa9cfb041

SHA1
4f528c85857c030a6c4542d84baeb0c019c89616

SHA256
1aa3345a55d355cc76403056463289548b0f55f4f8a766608c5ea7b4ebef0bda

SHA512
d9659f681219a1fc1597b347acf666fddd0312c4b1ad4f12dad1f340a373b13e2fdd6cceaf4d497f2fc058a55fbd39b8d7bf94edb44bb97ae4eecbf37c21ef9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
ab9dc1f03337fa502725464ecf5085eb

SHA1
883843ec1de11abbbeda9d19cb3b33cf68e445e9

SHA256
4e8121a5e1531d3ae5c261e2a87d6e1c5e9dca9d786405e05ccea944ddfb9710

SHA512
115048c2b234604e4a2fc55d021f117555a5049c39d2aed29dfbe93e415b553aa4f7b0bd1ce4be5a586f25b04af1b4a8415c1d72aac91ef961eb5dec527e0e37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
7d48c80f87589ed4c57007d80eb424ae

SHA1
8ed7ee9884d28a265ce4c3fcefbcf22b4c6c29ca

SHA256
c6f8c95a9249ef9022bc9a1a9e968b59f08c2d8858d12f6ac75984f3f76e98a9

SHA512
237b44cd9c7058b8c16a6a21fc9a9d86b84cd1653258471e52c8cf75e50851ceb75bc89e3886a786e5bf5e19936d46a2e6f0ef3fc81d360662ffb98a2f9c8341

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
da733211b3f4062cc151128f852df834

SHA1
5e218301212c75db693bbef44445544bb0f3a7fd

SHA256
8ae8ffce41653b8a85813ab7a18c7bacf2381c1310c57c4d634bbd3d070bc42a

SHA512
cfb4a089d4a0a436feb028887d26eefdea24de67ee9b0a0ace2a4104bc1cede78fef248a5bdb0afda9a2aa3e60d5878fb6f547f7023b6a0ec0e1e7ae232b4105

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
ea1683c83a2200ea7f7eaf96199a13c1

SHA1
6d3c78e91b64448a170b8405f80f3f8178fa779f

SHA256
3f5b9fb8ce3cddb930cd330b1edbb25a7699bb8a1f93916376634a4092cc87f1

SHA512
4b2b5f45b2438d652ab56675e63aad6ea7f825671d66f19fc78795096c1c82530b549d2ea386049aaef47e0c09694542fc980221ec327a84b9ad3ebd828b1110

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
5070b69ac60ef361bef3101d477d23d8

SHA1
0d62373b9dd4777eade717fd3149a18098728082

SHA256
93ece35ab7c83c734b642a223e38908ad6b0e614d477e2ec8a2d311aab54ac93

SHA512
036c76b2ee5b706d02af6801be25a18a5c9e6e87611d03fd12ff894b3555e7110f5dcf55a68d10b899c491b7f00c3c1b05b676905975d45759267754a93c50bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
3ded53b8c730f597d51cab174911b573

SHA1
734026d08fa421672850b738fff484991dd346e8

SHA256
d7d6ca0745d504bcce3e7f056f31271d6be9fb3055837183540f8fce040ffb08

SHA512
8c99247c52490a0e3d8d9961dfa1e2a1bc8f2a0cacc3fe1482cd2ea380c316f443d986c0b82c589337bb7ac1ed85aaea7dafd873e571bd8b7b46651af7fe1730

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
3ded53b8c730f597d51cab174911b573

SHA1
734026d08fa421672850b738fff484991dd346e8

SHA256
d7d6ca0745d504bcce3e7f056f31271d6be9fb3055837183540f8fce040ffb08

SHA512
8c99247c52490a0e3d8d9961dfa1e2a1bc8f2a0cacc3fe1482cd2ea380c316f443d986c0b82c589337bb7ac1ed85aaea7dafd873e571bd8b7b46651af7fe1730

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
2e08af24fdc5c8ca04d1d45b508d693d

SHA1
fd8693acb748aa02850df2f22b64397e48707568

SHA256
e4036a2217bccb07faedaf44161cf03d6f2dc133616c86dfb1690e4b35ae58e8

SHA512
59949e0d126ae7bffbac7cd6e6250f98ce5044ed66af1b4a944c5bb740beb8c10b8162bb214eb699c68f0da15c31e0d3a924cd41546b48e6e68c2341e79c62ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
6b66511bd517068b9f0ec10a40e0b78e

SHA1
b05aad4fd662a4831f9112b42c1cd076a3abb305

SHA256
fc6580a24396fee1fc5de1bbbe2dfdc1df106b01b5c5d47f48a0ec4409d399ec

SHA512
f31d050f5e426289561ba41f940db1956dc387b8c5b3f0c3bf1978e8af1c5684932c4acefa86d5539c40c6ff3ec4367679efe5d483c28bf82c60a5219fddc9d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
e8b6de1cde43c823524ff794df3dda31

SHA1
93f8b0d007e2a3040b9651b6ac81dc68eaef5b70

SHA256
dfe28e9e5ce135c19bbbbab15a1d5c5231a0eef8bf2a5a590eb5fa12b2882eab

SHA512
cbb8cf5fa6b3f4af6297de1acdd7ef099f89ecfd47f4a5fa897524bb905a5abc99f3aa70a06c36a47e5d8e22a90f5f25e62090e06961a121404aeafe56b70630

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
9ac9df4a19737cabc9b0151f5e25bb94

SHA1
65365a15af58fd3406c35312a4bf56dd0b4fa35a

SHA256
5c8c9ef8ad939f0f5c4872426c9a5f3969497579b758b052fd95ddbea66da899

SHA512
513c85c35fa8729061fb23e78ff2ffeb32d4284b24dc87a4ca763f236a2a3b98645f392894547afdb18ddcde3f46e6cad0b85067dcfefc8efce3110c9f39e670

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
9ac9df4a19737cabc9b0151f5e25bb94

SHA1
65365a15af58fd3406c35312a4bf56dd0b4fa35a

SHA256
5c8c9ef8ad939f0f5c4872426c9a5f3969497579b758b052fd95ddbea66da899

SHA512
513c85c35fa8729061fb23e78ff2ffeb32d4284b24dc87a4ca763f236a2a3b98645f392894547afdb18ddcde3f46e6cad0b85067dcfefc8efce3110c9f39e670

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
1.1MB

MD5
05054500979f067f20e9ebe0f32fa39d

SHA1
45c004f4b0b18dc33eb9a83745fda39fb97daa87

SHA256
8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5

SHA512
1a006caca3a918fceef98d61bf3c23c3e8cbce83f065cb35ab674c82f8b98def9a62c4e54d2e109fb751637a6659471dd84bda4a4375ddade35d626f01a86f85

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
1.1MB

MD5
05054500979f067f20e9ebe0f32fa39d

SHA1
45c004f4b0b18dc33eb9a83745fda39fb97daa87

SHA256
8440f24f3854d729ba4cc3accd6465c1670fe9a63df8fa79a6a211b9d84bc5a5

SHA512
1a006caca3a918fceef98d61bf3c23c3e8cbce83f065cb35ab674c82f8b98def9a62c4e54d2e109fb751637a6659471dd84bda4a4375ddade35d626f01a86f85

Download Submit
memory/3696-130-0x0000000000000000-mapping.dmp

Download