3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17

Analysis

max time kernel
187s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-07-2022 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
Size

637KB
MD5

3a911f140e54646eae26dabfec53eff3
SHA1

a2f140bf8005fb2e0c56a87b136f624741e44f24
SHA256

3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17
SHA512

f3d9812302a4de79f51093820411b28b265125d70570e05d48ac3fcbe4d37f75c316a5d0e470c98cf6a9913fe7d8ccbf7112cacdc12c5baf1a33818f4dc8da20

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exeHelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\$Recycle.Bin\S-1-5-21-2632097139-1792035885-811742494-1000\desktop.ini.exe	aspack_v212_v242
C:\AutoRun.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

4700 HelpMe.exe

pid	process
4700	HelpMe.exe

Drops startup file 3 IoCs

Processes:

3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exeHelpMe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

HelpMe.exe3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe

description	ioc	process
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\F:	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File opened (read-only)	\??\O:	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File opened (read-only)	\??\X:	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File opened (read-only)	\??\Z:	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\L:	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File opened (read-only)	\??\S:	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File opened (read-only)	\??\W:	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\A:	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File opened (read-only)	\??\H:	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File opened (read-only)	\??\V:	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\P:	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File opened (read-only)	\??\Y:	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\B:	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File opened (read-only)	\??\G:	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File opened (read-only)	\??\J:	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File opened (read-only)	\??\N:	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\R:	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File opened (read-only)	\??\T:	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\Q:	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\K:	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\E:	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File opened (read-only)	\??\I:	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File opened (read-only)	\??\M:	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File opened (read-only)	\??\U:	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exeHelpMe.exe

description	ioc	process
File opened for modification	C:\AUTORUN.INF	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

Processes:

3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

Processes:

3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\ClearWrite.gif.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\BlockRepair.vbe.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\7-Zip\Lang\sv.txt.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\ApproveUninstall.mpv2.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipTsf.dll.mui.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsPlugin.dll.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\7-Zip\7zFM.exe.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Content.xml.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.exe	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe

description	pid	process	target process
PID 4248 wrote to memory of 4700	4248	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe	HelpMe.exe
PID 4248 wrote to memory of 4700	4248	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe	HelpMe.exe
PID 4248 wrote to memory of 4700	4248	3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe
"C:\Users\Admin\AppData\Local\Temp\3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:4700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2632097139-1792035885-811742494-1000\desktop.ini.exe
Filesize
637KB

MD5
95798d0232f34179f6abe94543d9fc8d

SHA1
923dd93b49c2e6859785a81864aa757af33161cd

SHA256
594b5607de51f9e1de6799148fe6ecf6c47099da9aecb58d720a6d18a44711fc

SHA512
b6889c4850e91b16b7a8a2ef870ee0a03f9ad96bd72846c8f45d10f690cad4cb907974f5e58c51cc7f8581885622a49d823021fd2ed558c80299d30973cf17f9

Download Submit
C:\AutoRun.exe
Filesize
637KB

MD5
3a911f140e54646eae26dabfec53eff3

SHA1
a2f140bf8005fb2e0c56a87b136f624741e44f24

SHA256
3b50e8a7bb15a231e841c6bb989deff1de7e13e7f4897f7ccdc265469adddc17

SHA512
f3d9812302a4de79f51093820411b28b265125d70570e05d48ac3fcbe4d37f75c316a5d0e470c98cf6a9913fe7d8ccbf7112cacdc12c5baf1a33818f4dc8da20

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
e28bf548d62cf3eaecb2ac368670e7b3

SHA1
2ece266f9e46985704498ef57f70e7d3e4a32fe3

SHA256
a82897a45dbe72eea50139fa17863aefc664a556982488711dc9f6e7482788ea

SHA512
9367867598f16399550820406c11ccedea828470727e189a01f8ea804b393e83edc87d67bb1b9a203d334fbf160e7401d3c90add6597149d533de070c5200ff1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
1a09d937aa21eca3a0482e43b1c5892f

SHA1
bbbf8d1a53f4077528071bb7cb8136653f338bed

SHA256
b44f69b2cc31442637f18afee31ba4338aac46a2e80642f518406fe9801af8a5

SHA512
01a73a10652170a2ae7acb17014ca1900e3fa01484c93096ff7fe82958d9946ef54b26e5a769fbbb2dfbfe2d81691464dbfab2e511ff9af3105e643e5804331f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
579d86f42f622d6048c113815603f277

SHA1
481288d8c3b4133fb45cf3f6649c217083a9506d

SHA256
eebfd3dc27e5a5c88dd874945b6a2008dff1f587b594a93a42d1d9948ff983bd

SHA512
722e2a022cc789de9637bb1aa1cbcdba9d1841d41adc07297b75c5f0a8fb406b3c2e39a37a3e52dee92bf98afe9c8d663dd585e0e0e1391718faac7139c960dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
e49ed80c511a9ae01a466aa385f277ce

SHA1
4743f951c207922826206896adfb63607c3ae680

SHA256
194a81d193a112652bafb5ad81b848b5df8f0c26055d343ae0565f69b90fdd8f

SHA512
b1673de70bfa3bb3423e2159ea14b4808a0ed1d71bcd307dce8fedf423de2930cf5baafd73550cb679bc4b28d84a17515e7abe5726ef5d1594ce0f7f9df127c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
61a0331052d13ddf8e848d589cde7662

SHA1
5997de8e3dfc613e31b4e3d7c4d7b62e99660b00

SHA256
d1f678a3fed4e67971d22c05bdb40f387fd8ffd154b119fa6d44723b3ca570ad

SHA512
a9cec6e31c407f43646ce1decbc6c3ae410965b72112360a70bb1c5fe86a67b6775016b28295b3a7b88e8f7d063d564ce3691718e8587a1a4f00b527469ff5cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
ff909b64c481e98f6c8301a6e393b425

SHA1
79d9c5a8424eb24000fd04851ee7841787108e68

SHA256
6aa57ab50f5997bf6d21ccb4ed3fbcff66e7e486c8467d4b4e605d263dd769f9

SHA512
6d1c77486a8bf3479bec87ebd6197b46419567424a5f1eec567c7154379851759d7015f1e9fbdc11dc9a7e5eca4e3052ae000885df03e4efe3e827065d49f1f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
5d6a969a4598f1725011ba2438bdee42

SHA1
8980c0d85777fcdf4ce37560949e593e8d1c9609

SHA256
7f19d4878f06ff457cc343fffdccfc8022d808398f6f0fc9889c0f7de8630dca

SHA512
d00a3f606106208c0d1cf3bbb0572bcda86b33e1b592f8e9287e6126acb5bee440c3888f500846bf12a225921cade1a3982bfb0708897a7903b704010da217eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
6fe58bc6ebcd297d63fb30b321b47142

SHA1
7c1c4f74a4ead3357d02ba5f8ddd256bd9eb85ae

SHA256
7ec2e70151c98a0ff449184953fe704bb7e93f9f475594bbbe59487321f105cc

SHA512
510a9d9dc1c695bb72dda2d77c50852aa37ad7a4cac2cb1a0683aa7e3c7f310b3cf7045e50e957047f4ff253d0a0fed534d22c93fa3775d128634850c85ea974

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
2b8f64f64e265884ff8c49dc47c72eed

SHA1
f9fd774472ccb707f62c88869e848757fc60de0b

SHA256
5063ee283aa7ca3af8ea6c9f43db165932ed2bc4f8bb77a3e08b296a09585375

SHA512
a5000cc3ae8154fe617b05c68300359ecff8e1303498cb1518f4f5d27ed1d7bd8211e5905f40b6630683c1f33073665fd3d3ff74cee90fa34ecca3a8a52a6251

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
7048550a23f128c6ad25b37023f91e5a

SHA1
06beacc7b7cfd7e30de8e5c577f910ce1e62bc8e

SHA256
d928e11bb683f6ddc6611ed4dc405394972cf8a3d0d9af4b488f7bef78bf5a1b

SHA512
38bc6ed89c93a6723c07155b10023d9d16c6f824044afebc5e3d960433fcaa2494233ec9af7d33bc0488b2dcb9359e7b67fe91f7124d626f4dd79aaa44966f97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
7048550a23f128c6ad25b37023f91e5a

SHA1
06beacc7b7cfd7e30de8e5c577f910ce1e62bc8e

SHA256
d928e11bb683f6ddc6611ed4dc405394972cf8a3d0d9af4b488f7bef78bf5a1b

SHA512
38bc6ed89c93a6723c07155b10023d9d16c6f824044afebc5e3d960433fcaa2494233ec9af7d33bc0488b2dcb9359e7b67fe91f7124d626f4dd79aaa44966f97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
45c1164d95385ab1b37dd25e3efd794c

SHA1
675850bade0435a5220a1098888091a105113486

SHA256
2cca24f560e7949a7916486ce2962404ae97e1fa5e817769b7558cf2e5a88509

SHA512
81df9d2122c2df21dcb451f4c12079cef922652db01fdfa4cc19361cef15bf1cc7a48ad2600bc15306c9c81b86bf46aac3405a56625051904926a90bc9ad2fa0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
d0829045f5501b6e3365f05db7e0f8a1

SHA1
e912cf3d7f868cd26f8bebfb6ced9c9c704bb082

SHA256
5111e542a65efd222605df283007c34bf7a0cd3cf815a23bf3310c40079da36e

SHA512
9d87e60dde92256f09c65766f7732aedcda3262873f5589c1ac5035251f2bd119f28b8351eeccd832fcd0302a83413eb57e991434c281c9c847e32c2d1ceaf30

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
2463f680545b82b80b84aa923aca6b0b

SHA1
deb17c5f36c8204608f258bb3d72b3a2f9d0a440

SHA256
97288cd9b17ecfb84a4d0d26f629d106b9638721d457b5d5e29ebc117c048e64

SHA512
6b552bab5a2a5a9948b9ef6ded946b150d30ce4d85bf61cfa1f3305f45de8d11944cf637b087dd18283ce40dbfa39d13dfe24f3c4cbdf9ee487f3df92b1861a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
eee107950c0af4d31d1581e060c237dd

SHA1
59c0b6fb508405cf554a829df00687fb285c2804

SHA256
734e3ea7972ef53a2b65d069689c4c194a4c2823dad9da3be4860e9add7fbbfc

SHA512
29be1e4806920e260a24c32e1c1c48c73c88881c7f4507d9aa770e3a33f77674b6c4ff7f6c1d12ec5b0cc5c548618b43bbed0f8e29a3a4b93b1e36c6d27e8a69

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
ef19355f67ed3823186ed7f958f6c1d9

SHA1
7c8e330550de0fd9c71ff58f859ee85ec7a37fdb

SHA256
6a6249455846d3511b2de34c6441643df253d602655c048c549eec5570d52fda

SHA512
0e9912884d3d04544dafc39e2152661eb3b037dfe8afbde8aa6d09d3bba5640238812bb1e4723b9cdde0c1188e66cfbf2b9eb703935b162a224a0a009f3fe36d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
5cf056c06940d486c43e1a9a2059075e

SHA1
fc537ba9116b9666bbe90a01258721fbd754fb10

SHA256
5566a58bff70859a68b3c8112bced0629d5a8d36343049a789b403dc715734dc

SHA512
ad6638634dc33f1076fa5bf1453d407cfc89b3f004781b3a0945bdeffad3138776a6f4bbece4564bfb9e6a995a44de6c0518e7ff137d757777a1c0369c7d1dc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
5cf056c06940d486c43e1a9a2059075e

SHA1
fc537ba9116b9666bbe90a01258721fbd754fb10

SHA256
5566a58bff70859a68b3c8112bced0629d5a8d36343049a789b403dc715734dc

SHA512
ad6638634dc33f1076fa5bf1453d407cfc89b3f004781b3a0945bdeffad3138776a6f4bbece4564bfb9e6a995a44de6c0518e7ff137d757777a1c0369c7d1dc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
69662e60bbb64ab09653cf3a62aefc5f

SHA1
817ee015a863bd4957d13b927ade0add5565b174

SHA256
3eccde293c18dd3fdee7c0713706d1b0500d6b6aa0322c231bb61f215bfd2995

SHA512
966b1910d874563edb2d985cd52f940a36137011e3d5a846a3fc04a23906a831b8f106032ae68df195eb5a6bd595acb8fb7f7fd86e1ad5fc9d497e97314a4791

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
147b6d5bdd3e86bb2c8c6b7fe90894a5

SHA1
dfb8ac62fd2f2a338f55948b69860726b81d1a08

SHA256
ee3fbac9168dcb626b717c1ce176a761733d970945a0c28393c38b15f434397d

SHA512
4124cd8c445b4ee5449ed21c18bb22df097b9e65668f869d4933600b250721210d3f9fd4fae570c7c25f3ff8b9339ae2ead046c6e923271274afc772037451c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
bb55426ba0fd0136b33865518d3f4f69

SHA1
7cbe04486c7278073891c5f133aa91e96eb21c11

SHA256
e00c77bbf0050c6518cc7471285f6d9589674fe97337f894793c9ca72d27100a

SHA512
476f706ff1f8c24b376cf5571c57c311fa4c5791560d5c91c33783925b3b57191716b9860b0ede32ed0d6f187d4b1f0d0e95ed4d0a736291c7174e4c9fab4796

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
911edad20c17abe6c59595b4cd70f331

SHA1
c8d05895b2305ca376e38cea63099795861ffe11

SHA256
4b8a77adc1d0fd04c348b71484217bbab27c5f429d4d628ccfe6db961052db8e

SHA512
eef28619eaf9ca7fae59c3ab631b77948b89b9e7cb0612202ec786cf52d1e946bb7976975abecd7373790a66270da14d37eb824ecc4840f73eb08f7cc9ae05bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
e5fe6862fcce1f2f71cb9fba3bdd5e84

SHA1
1a4989ed04c78a4304397b1283f0d62b3bd8d74c

SHA256
8a15f54bfc82482372234a8e48e1602bdf284ac94f52c6042484a18be6d89dda

SHA512
5bfec2622ce04c23fa5bbd91f3db08d04b00f6738df912bb6792b767f74fb36ccf62b3a3035ea986be98fce103aa409763bff0b49856836b2bdd63eaf105b10a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
661fabbe222195071482c58d814de36a

SHA1
d58bf7b979bfbf2375d486c28d1c46c9921111b6

SHA256
ceecd89288a444bbf634505daf8e13f2515dcf0a5a819e32090238d433c57d9b

SHA512
369f3cbb2dbdc90313eeb138961d5402ea13aa343e587498e3bf74cee17aa1c077bc4a2633b4bf2a7627be816032d7d6f055f36b5cfad47a8713040b1634ed7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
547a24159b00b9c904a53de161766e36

SHA1
63baa54f8daf776f77f70b225f98abd24a70bc79

SHA256
c06f7ab41b5ba7a45f0f4bd0b49c137b573b51d2a864f1e34122f994dce83054

SHA512
25155a6fe6b602c3366d8c636f0325d29ba4aaf2a49276eda1267bffcf442fcc02c74134a270bb5d477d9551325a626a372e765183aa9453b8e062827bd0da22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
23a5f10dc23fa630b535d501f4191d85

SHA1
18a953c1f8a21e6b27a59b13b2b7a37e2f48000d

SHA256
c8673a43b7f12c50156fb14ba027bb2da9bd5d7543e5a9c8491b2cef6b8f13cf

SHA512
38c769c689891d04c3f23abfa9ea40b7d6cb09d59f571cbd34af4b6f4ad2da4a459136bfccbf7cf563287045a698377a49add05bcbb8152fd5c76e553fcbc72b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
06e4a82fcd81d72eaa9154aea18f729e

SHA1
cf7e069b2d787b36edfdd572b64e2ce1fc31d9f4

SHA256
32b2613afb0d1037cc8a456b35b900811ffe4ea74acdce257725e678ae9e8d1d

SHA512
4e9a142cf053ac25458f3d8a4fea1933ed9d45c4e87bc59398b2da7f9befcdcaac582aacc111cd590f5635aecf9b920e514682f04d768eef146d7686742dc947

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
ad8aba6d4b852d0d7fc0388582ced9c9

SHA1
e72ff93519e417dbb269ba8389ec1d9cd44fd89a

SHA256
401451239c28a91cb25d952cd04ffa9948cb506222959fa077594077692bf625

SHA512
bdb02ff91540e5586ed09354b82710d02a0a1603ce1859cc146e379131bdfd6e7917f46e13e1987b339cf13fc0144567196b9c779ee1f2a6229e522593013530

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
c1d1a42d2e0cb543ccc7f2fa106f73ca

SHA1
7be5466d4a59398fd798ecf282dc7cb12649887a

SHA256
11e9ba7c88d0811688607993b8c95a7c1931e7cf50aed2e980c7d4c4d9d8eac9

SHA512
2ac48e9c31656949433825a297ef676683813295be2eac094c217573f6615bbf81418d140b15ee97d5f898b8603619fc0f9b5bafe8cbbcb7c0db54bc34f8d258

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
d234fda28a5a6fd1cc09bf85637b4f56

SHA1
6824a95b0ee3bfd15621446f8093ce6c8b540ba3

SHA256
2df1c11538f2981a7d0794d7eadbbcf988f2ef9882c47142aac90ef7e3f3db48

SHA512
28f3ff2e700c65a34e188aaf08cae83f904384e94a1d3b09a4212c141d09f3bc6164b44f9c3b90e44974f8442608085831163f3b94b496f8219269fd5b792ff9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
fa36a0db92cfc0addb6ceb05ed4c1275

SHA1
14502baab39578a3b6efd1aefb90563fc30afc42

SHA256
ac4d22b0c5f48269737d29962e5ed666f7c90bab03512af086d16a3806a59b57

SHA512
5afc808ecafcba54993ee6258e63e081a286568b7d5d4ad5a83daf61627f30a8e2ea0e311f6fbe7618b483626a75b10c9d233acff9e6eff51bbaed6a9b6e709a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
0fc7f2c70793bfc05575e9a0b4729450

SHA1
89a0d247dfd2b3757e20e28ab0628902830da2cc

SHA256
f725561f465424870be430371ffb2dd79c13dc07cd403c8306f5659f84bf38c9

SHA512
61c0ca72e991f6bbc6443be7f0cae688b5e5ef3b6a985ebb3a2f163ebd98e9c423ec2ab6302e098c2c3fe38a756c3611f1c3dbea39a556d81a2f1349b66004d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
0fc7f2c70793bfc05575e9a0b4729450

SHA1
89a0d247dfd2b3757e20e28ab0628902830da2cc

SHA256
f725561f465424870be430371ffb2dd79c13dc07cd403c8306f5659f84bf38c9

SHA512
61c0ca72e991f6bbc6443be7f0cae688b5e5ef3b6a985ebb3a2f163ebd98e9c423ec2ab6302e098c2c3fe38a756c3611f1c3dbea39a556d81a2f1349b66004d1

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
492KB

MD5
ad0b8d0a5acae82e01b299db3581b7a2

SHA1
661ac21517f52b216e54e0ef6df2a0b61fce012a

SHA256
df4875fbea7e9d7480e62980d4780c73186df9d4e2fee1029610b5676aac1d6d

SHA512
90d013f653f417a6df090c324de246ccc13bfac962e025776792ed150da3f4a624c0f201beb310c6e89c74345b6241ad4febf7d5e6aeaa12a1349168cdd718dc

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
492KB

MD5
ad0b8d0a5acae82e01b299db3581b7a2

SHA1
661ac21517f52b216e54e0ef6df2a0b61fce012a

SHA256
df4875fbea7e9d7480e62980d4780c73186df9d4e2fee1029610b5676aac1d6d

SHA512
90d013f653f417a6df090c324de246ccc13bfac962e025776792ed150da3f4a624c0f201beb310c6e89c74345b6241ad4febf7d5e6aeaa12a1349168cdd718dc

Download Submit
memory/4700-130-0x0000000000000000-mapping.dmp

Download