458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198

Analysis

max time kernel
158s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
07-07-2022 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
Size

620KB
MD5

4c264a0fdc1a993c54a7424463d170cc
SHA1

f4c156857d7731cb0f5f79aa771d897cb53cb9f2
SHA256

458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198
SHA512

11abe4dfd564708af2e2869cb319d6774f8b208469e4d79b7837e4a29c05263e31c3906aa110eb91ea385eced4933a301dda4be83e7c13b30f5fc2095b563b76

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

HelpMe.exe458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\$Recycle.Bin\S-1-5-21-1081944012-3634099177-1681222835-1000\desktop.ini.exe	aspack_v212_v242
C:\AutoRun.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

2564 HelpMe.exe

pid	process
2564	HelpMe.exe

Drops startup file 3 IoCs

Processes:

458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exeHelpMe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

HelpMe.exe458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe

description	ioc	process
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\O:	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File opened (read-only)	\??\Y:	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\I:	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File opened (read-only)	\??\T:	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File opened (read-only)	\??\W:	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\B:	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File opened (read-only)	\??\E:	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File opened (read-only)	\??\F:	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\X:	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\L:	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File opened (read-only)	\??\U:	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File opened (read-only)	\??\V:	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File opened (read-only)	\??\P:	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File opened (read-only)	\??\Q:	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File opened (read-only)	\??\S:	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\G:	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File opened (read-only)	\??\J:	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File opened (read-only)	\??\N:	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\M:	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File opened (read-only)	\??\R:	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\H:	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File opened (read-only)	\??\Z:	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\A:	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File opened (read-only)	\??\K:	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File opened (read-only)	\??\A:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exeHelpMe.exe

description	ioc	process
File opened for modification	C:\AUTORUN.INF	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 4 IoCs

Processes:

svchost.exe458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{83CC8703-7D99-463B-97C8-CA585EBD3267}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{69EB09D0-F971-4F87-A415-640E553B1CA9}.catalogItem	svchost.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

Processes:

458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Google\Chrome\Application\master_preferences.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\System\ado\msadomd.dll.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\gu.pak.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dcpr.dll.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\prism_sw.dll.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaTypewriterBold.ttf.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\it.pak.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\resources.pak.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Internet Explorer\en-US\hmmapi.dll.mui.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\System\Ole DB\sqloledb.dll.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\7-Zip\Lang\mn.txt.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\NetworkServerControl.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\decora_sse.dll.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\System\msadc\msaddsr.dll.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jaas_nt.dll.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_HK.properties.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\sl.pak.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\setEmbeddedCP.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jsoundds.dll.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\plugin2\npjp2.dll.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgeCalls.h.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\vi.pak.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\tr.pak.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwgst.dll.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\System\msadc\msdfmap.dll.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Internet Explorer\sqmapi.dll.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\flavormap.properties.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\plugin.jar.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Java\jdk1.8.0_66\COPYRIGHT.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\j2pcsc.dll.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\meta-index.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\content-types.properties.exe	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe

description	pid	process	target process
PID 2716 wrote to memory of 2564	2716	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe	HelpMe.exe
PID 2716 wrote to memory of 2564	2716	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe	HelpMe.exe
PID 2716 wrote to memory of 2564	2716	458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe	HelpMe.exe

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:2872

C:\Users\Admin\AppData\Local\Temp\458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe
"C:\Users\Admin\AppData\Local\Temp\458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:2564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1081944012-3634099177-1681222835-1000\desktop.ini.exe
Filesize
621KB

MD5
3f6b6f9723382d0a1f57c539582f6a98

SHA1
2c6235197bd65c6d4933f2fef60f35d4f4b9ac4c

SHA256
bf3fbad7f5680b378ff48bd50fafe828b5279a153fe22482239149b99692fdcb

SHA512
adb6bbaf632e61231c6dc764cf940fa0a1c5c6729a02470d5781147b86bf4c492482e6ce6ed51243c6ac81b7fc0e1735af46f6da72f4e2bfd8945ee75a86c391

Download Submit
C:\AutoRun.exe
Filesize
620KB

MD5
4c264a0fdc1a993c54a7424463d170cc

SHA1
f4c156857d7731cb0f5f79aa771d897cb53cb9f2

SHA256
458278f6a78ebb4a7d7a2eb665cd775b31ee3a4e2e70bbc6c0dfd268622d2198

SHA512
11abe4dfd564708af2e2869cb319d6774f8b208469e4d79b7837e4a29c05263e31c3906aa110eb91ea385eced4933a301dda4be83e7c13b30f5fc2095b563b76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
ee3c69a4f2fa9a59503ac0c01b667bed

SHA1
2da05f30ff7250c7a57ffaf89a567b1c6016ecea

SHA256
740e495616ee1b78255915072eab58232f2a956162534ff9e7b737f1ccccd7bd

SHA512
86d2787ec52fbf511942576bb81a9d992828f1a9a486c6b365e953ae17bdbe57e5da0ad0c887a78ba455494b95ab3946473829ccc517a763ad7a3f566a0d45a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
af339ff12a8c76cbc4572a151bf7f260

SHA1
a1cabab730eabfe87aaab0e4a958a5928144a779

SHA256
b900d7e5acb3ecf79cd5fc095d935b3aea5612eb9e28c610c4351f248af06794

SHA512
2b41290b3420e122bd5267ba076c82b4ec4c02d32367189ab767265cedd8b74bbb2d95cd93788980347590002b062475d9f1e37b267f1ee00f7b01b4f02e5b65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
780a56ba21308bea934ef3593f6f7f9b

SHA1
203bbff4de598c765f4b49173dbac43826c6a90a

SHA256
950b8627c97b9ceaf302a2f1a14c6a5df4c6255ff6a8714c8df2edacee11031c

SHA512
da2265afcdd9b5827b434832e1f3e3f0a906ad4bb982a0d0bd989c39019b3f64ec17f1d2e5457eaf6949073b9ebfeea14e9f792294cba13d0f2fd5f11f42ee10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
18e0840e523595d919be468f16e24d9b

SHA1
240af983e2572145379d450672362a9d6d133f4e

SHA256
0ed99d4f20c2b0a3b3b1cb27a87fd50e34df309a69666efdd106fe2c86d915af

SHA512
4e39b42c5deb189ac64e695eeba2de6e39ee2c4d7e2379679a495cbdd8782aabd8ea35904fd02686f81527c6d5a81fe18b9a545915b5fb2d9e768bdf486c21a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
176f74c005b85229339f3737dc8971f4

SHA1
4cb6e04c451de999f17824052eeec800943e24c5

SHA256
65badda5efc1f1694d2219da8c66fd359a27fb0e2beaa4988354b211ee91ed24

SHA512
619a37ca6b7933adf3a62f6cee344913caff9f5fe3c2544c918cef5bd104ad5cec188320269fc0fb256968fd1c13db9539fc522aa3326cdfa65fa368651cf8c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
1924d90bac4de57cc19583faf53c911f

SHA1
79b9f8ff0557bc4d277381aab09845a91736af29

SHA256
7fe8a9d8062559beddfde631546783dec9fa9d81ed9338f23645c06f346cee3c

SHA512
c4378fb7df4f9c1b31fb46bcd777056e885d0ea86c8de84f8202748348dacd11d712dae58592d1c62458c03b17022a228750e25f31ed0201b09df8b66bee02c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
4521670020407268d7adb2b1e4907244

SHA1
143a0d403973ef9a187a4f98f7e37b2137303d29

SHA256
6ebd4e5b254fa53351d67df2d64305d7a74f08a7f17ef88ded26f78c2161a372

SHA512
18161c067958279df01903c9b5e2d50e2f0c0aa48fc14db19431a68a1eb151e82e56568fd29f46a09761d8a72b0f300460db50d2aaa748aa405c8bc089b4aae8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
9a4993f9ef02a7ead8ac7384f5b14a0b

SHA1
4f430359ffc7765d11a94deba5bc45c4a554a462

SHA256
0308c11a74b06a110ef10807ec7967bac3042c470a11798adb56b0964d534cea

SHA512
73170ac5984aeb2963683d68e76f83481e28fbc2d5791466495325431e203760dc4212eff2c7e306d76e8216a4cedaeedfbaf78343ba2c2220eb61d55f32f666

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
9ed5b0af75588d9848feb8c05ef0816b

SHA1
86e1f2f60cb405fc931aee700e2c7f040915c6f2

SHA256
a4069515d89f7731228746c02813ebac360ebe1b7c29edc670d183fc04a262ee

SHA512
1a74d17727b220fd2895cba316c1a95376e65ac47b7833770de69ae3ef09b0661d4b90f71e47a45a9a2573a0ecbe2ba5c5ecdf89ea6a2d7f1a17297b8aefd360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
5fb6397c5b1237dcbc379b9274f219eb

SHA1
2c0f46c360a43e172478f3c4291750b025d4b10f

SHA256
64aa59bb6faa0e57a0d338a5e485ab737d66976c253dcad28c119de25236f2f9

SHA512
c6331c7fb0a58e9a97b13925b3b0220091ed52639840d6c3c78c451376ec5b05b01cb0a5a858be1712d1243b08a1b94d403ba72af3772f5fd12a6491fcdd8c5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
b91e524328f82f3d766ef92edc9cae91

SHA1
506c3f05c1394bc16b153fc47356bf5521cee5ae

SHA256
7ed171de656aa5999f2a2c64d9d17b71a48cdca95d979884285796a8617efc0e

SHA512
fcd1bc196b48eee66a2158f04e222e40d11dbb322cc606110f0ac0946b0ecf78c08a1f56f2e88cae1b28fac4cb13b4f4ae16df7d8321e44d03f3548e90f7923f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
cfaca2908ccebf965ed1eb7733158893

SHA1
6823b19fef5e8fd696b5d3dad3917e6bd10fa195

SHA256
a7d6018fde63dde143c5d54909754dd46a967034eebefb7a3ee789b625c39c7a

SHA512
67206c34e609eb91dccaa3e8970c36a084e44956205f2f140a0b94c38c166dc20b4e2725e899c4d496c6dfab7a8674f43b42f9aba2024ed67c653f1143e97b65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
dfad274c99812b3d5de0995a2a0dd0ff

SHA1
278b097a4bda778e8817e861efb7d76f6786b171

SHA256
b8c824069f0528ddb899aac421f775a4b74361ac5699d3d1dfaf02822768e8c5

SHA512
17285887a8cdfbc0d11eb54670b175ae43ced77228f43d6a7e0429a71f2742535f3a01a9238ae8b6f937052db681b158528d158e76f03acab0292acbb917a47f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
45685d6cdad7ca4b38733e948108bfd1

SHA1
c1c3f5a26f6c0feb8b913ca6236e58894dfe7336

SHA256
9731e41e144d24a7b5602471276aaa7cc35606489f3a8f2bf95f6ca50e161786

SHA512
28d35264d208f573f419b301e239e2639c762d603a088122c6199093776f475252686d7eca70b453927839bcb32813a6b8124fd7e4fb574b3f50f900258e6b00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
8477c022ce2a4cf2fb7696bff2ec3911

SHA1
5114b4bad6f2a820357b07564498c457768f0008

SHA256
fafa8de43b873490bffd526873a34fca1cc47cdb34ae51be7c37d5315e107d06

SHA512
a574327f6b1edc660cb552df1bbe2c814213bff43933e79a6cbae298856bf250cf881c5edfe39a039a54a026528cd10a1a089a944884349ace3742295712b28d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
04e5983ea38c56bba8a9fc0aa26b48a2

SHA1
3e9da9be7c61dba490e6e3aea17bfe23c63b4878

SHA256
70ad1eabae115e14c80ee0aa192816c3dfc2ca7a04b57e676f56f33df8224be0

SHA512
d8f3b31df23fdae34e7bfe23df88ac71763c6a877b7bbad6c4741f2e30f13e5ecc5f8fc8eec405705bf52ac05351cb03ab4776ebc2440c603a896a85bcebed45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
0cbf4ea5e9571065eb3edc35859456be

SHA1
b427a7120515ef09faa79340684afc0c357c63f1

SHA256
4216bcabad0bffc0bbf796755b1374eb12f9cbc076e8e58aa017d00c0e0ee75b

SHA512
550dd14a39d16050f779f31f6718e7f0b3c52b7d638228297935a7ff2fb03caba74ef71751e210dcd1195e228dd9b9089ce9f9636b8de6be3040de6c1f1887be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
d60e8f7c7c712ead6e2fb3d6fccc3b52

SHA1
d877e221cd92863d21b81f1da0c79c07e3eafad1

SHA256
2284e8a7e38044dd2b26ef8161a411837deac92299e59ad4b2d0ad4840ad71e2

SHA512
9cdba08ae0b9060a55e30c9c0fb18b6e5584fb7465b588c5818a22a5d1f297a1f96c484d258d0f784b88a861da817b56e79dd37c251f115e4fd7c18fd79b53fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
6f3b4068183c97bd7c1d58377250379c

SHA1
2776c38692fe5d576ea607810873b70c96278523

SHA256
debf07642095c6988d86e12ddbafae57e4b2fec82977f5f6426f9c0c5443ae32

SHA512
3bbe0d8bdfb523beccc58616fa6424c3bfbaa13ebf160e076c82fb2572213f307ec25a1ce4f41391b2aa2f2ac13159191643e1362140612f535ee2c529178207

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
0f5062bfaca1b267e85e839f00f9eeb0

SHA1
abca2426c609433dd98f9c3431e4e792f3812ee9

SHA256
0b8a5c8aa9dfa8146b94ed5f609cde56c318b8adba8b880757f9d2579ce070da

SHA512
940c7e9a2b0e66765d160d48f516fe72ece7836cdf83c710ff17e2b07af4bb9df4ec37ffbb40a6a655e09ac5bb1c3dc053393d72f9536948d8a53818177f0a02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
685508e07119da134592c4f0bc0b640d

SHA1
0609890ae7bb3b754e0dbfb58a2c4ca603754c4c

SHA256
aaf9ea87826eed46062f48b872688b72278d004f1458f65abaf446143885cdeb

SHA512
2c82dfb29e41236d5309567d03ec3501c1525c50af855118858da1619136cab2a79ec9c687fc7d7ddbcc99bca16af58ff3a3f3e79658601a88b06704e26b343f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
55c348a041690e25f304d8b8ee8862cd

SHA1
320894891bfe16c085106de246ba480fd6231c18

SHA256
c32c12501ce080beb080cf85b0edeb0f609effbf94185eae034b61fc644fbf08

SHA512
5d0702628958fa6d20f2759968f5ec242c5f82dc39e07a572de1d3ea27ed3a339275bdf7d4c0d3917bb295b1e041ca1de90c22d4d457fddbad7bd0ff127d7f6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
0bb8efd9951f08113459df23c981ab19

SHA1
c061e8da0e2cb19d5ac3557390a2f30d1f6b2915

SHA256
a3c28cc408dc909062ac7c288a196cdf9d1e796128dd0fe1a55a416c7af1998c

SHA512
54bcd8c01cdfdbe38dd6e9795e49c4939684eceeb09644939cb9ae319a0e6efeb93738f9150bebf297648cf61c526978909ecb704552d7f0ad4fc5c3aba4f1a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
437c62319545672ef360ff38a189cffc

SHA1
5151b71bfc000cd94c9861cdad642c56d44598b1

SHA256
e9d0148bf17592610edbecdad907be3b504065058530325e3e0a6964bc6f7c71

SHA512
293ae0a731a029cccb67d78c40fb766f4607f77c5ee304201a86b67609bee78b4fcb797a07186a082a2100e3214d695789a97a6c6fb854537007a549e9b78277

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
5c2e0b6dda8ebc3fa36ec9ab6d2fc25d

SHA1
9984d9fe0ceb46602cb6c459643bca371b5066e9

SHA256
21c7d10c893c3737ad5e4aa27e31c6fc3bd80a22d239dbeeac7e61c89fece0b0

SHA512
1e1d3b2d510932313ce4fd2b97a9283b102e10e72ef31c08d502066eae6f5aae58414efe422d00c3013092ca0588d9eccd5db5359709c28a1d80e461cddb7b8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
206cf91643a2e0d309f55d782f9d4db5

SHA1
95412766505200dc0145868e23746c4bb6da482c

SHA256
9041741d84cdb57117e68a12ba31f5ffb1f86e8b03085bb6bc51111506503153

SHA512
b6c94f7f830912d7c6ca9ba7d0a90caea3b8358bb498ef1b9a7719d04a978d87505768e1dbe713988d3288a4e5b2b26ac6a3627eb764a373b74432e12cd9ccc3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
29d1ca57f8b4a4f8d41e18d3f939372c

SHA1
dd8f70996312b3e551a5be672fbfe2fe68bf5cf7

SHA256
df66d3b721d3ff85d06748c5d2d333aeabe659d4a0c73f359e30699d196ebb76

SHA512
5e787518f0ed4605b337c9e47cc7ba3eca809540f082f2119e3ead94a789a27443aabb3388f2479bfd3258e95a132ad40f59d6b1137a94afd785cafd74d0924f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
db5bc6726e3ff555204013196e165be4

SHA1
961003fa0bc44875b0888201f72ada5470cb2c9f

SHA256
b4c432fcf304f0bc99a2c73ddb2d75f5385936689b98316e8f829b08a4846799

SHA512
2bfa0a5d7770415b33815e48b84ca9a5b864ff1a7e63aae4f0744c995edd914c4487570c24100b7e6a54bd389c12a5573dd78c831eace4bd2bd1c8127a885467

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
c7b7a1df37b2315b5b503da2faeff923

SHA1
40a5e6e2a8e13915faf0d3dab69d3db66e8f9c52

SHA256
7fd9d204093fbdb5f8184f218df808c00524da5631001b8a2fb7e3b7949c5b68

SHA512
abac44eff43b3c6650afc9a6d911ccd306436d2a43ca07a8b57d11d7f55db14d573a48ee2e8d966ced282e5a36f72a19600648758cdf72e0ca101e451c72da9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
b8f289b0380eb3bf59516e929f197854

SHA1
0d47d16d05db59ce8cfb762cb0fc8fa0d6a75713

SHA256
d851eaf1dc1f6707b77c60b6f3d745392858afc9e2a7d9edbe7c4d04e92eec03

SHA512
66359b8ac8a4e760888b0d31393a5bd44c62fd832ae2d902cbf29c732fe118e65ef998b2dce2af7ef7a920a5e062a50bd6ef039209a2cce74ae793c4edcf31bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
30c2bc690ab784f4b24cc8012efabeb5

SHA1
d6f2a6c2f0c20a262d27f28fee57b2a78b78c7fe

SHA256
9334bc4c6c8feecdb550bcdc5e0e4de0bff4a53ece95583a8f83b6ecf5eee7bf

SHA512
b017ebdee1c7ef4889ae039653959cc929917a17e6bbebdf63bf03cb2c43a8d93ec8e66948a2ea621b74bf543c88dc0d946a2ee6e73ac95785b68be1de1e98bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
0b0abf103b6c2eb305f1591255059f0b

SHA1
986c6f257428fc680f69c7c1cacb28252014cf80

SHA256
854daa1371dba0317fb2914ea2d01498055fa102fefd3ab2f784d784a50c331b

SHA512
0b5a7a5f6461e70e11213d806f85d16cbac21fcd7d098603d8a6c28665be57d4a28a98a11a7aefdcebfdcfa45d27e165d9b08308dbd762afb1a0210c01d60d23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
1e2893567564749a24c7c98af3c1bd08

SHA1
340d91fa4773013da9ae7b4b6326a1bbf80801dd

SHA256
0b9827687f0159b93dbc2a32ddc2a27d735dc4becc2eb9dacf7ac7a9ac88f5bb

SHA512
e29b49ffd99e16d8854fe4967bedcd7a066c35fa37c0d3616cdfef5cce111c793286ce6a5fccfe8c435b8efc04a6f17c25a3fad33c390a77ada18db5b5a88180

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
f7424591de8c21d8c490e381412c9aa1

SHA1
f176d4bd4c264494b07f4dcc94e711c43e464947

SHA256
e08d0f8450f8b64b133179a156794016ceca0a91d740ccc530c7cc10754c2922

SHA512
28c4c5fdba9bf0c5eebf9b0559cc12939f2834b33181bb04ed2b52557e8b077c23ed73423333e8ff4460c113b8bf568cf07f128fc979672724c4d8bfbdddafdb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
7d72d76e6e225d550c35fbabb54bb46b

SHA1
fc31808ecac467ee6f9660739841d65b8e53df3d

SHA256
3ed11348719772f54d89fa5690cdf4661419df1b5f8239764263c4b84aa02128

SHA512
ec848837c37a1e9302f27550d5bdf1c2ef0c09c6bc7f4d6a435ba1f830ac7d29b516fc119c6a616843a15302b3e18152b85efa875603610bbb86fef7a2885a12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
69d018914d14cf6e6e400be147fe6091

SHA1
fb5595d095c2b9bda13534dbc15ee12a02964e09

SHA256
c7edde27556b56bca527c6cc884fa67e9d464f0fd593cbe98ecac85af8a2498c

SHA512
237e79b8e08c1ec1cdb91b40756e522af41626e24889b67bd854830df190cb1844e21435465299b368456d8687d35abe3fff66dcb43e496bf3b0245bd5259be7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
6372120eb64b598e9dbab73248bb3cc6

SHA1
a72fabf1c6a695f76712de525c8e07a18b9eda4a

SHA256
1ff53a2ad76696b064ebc0c1a956658c382f8a382e65e9c9772d20ad9a3a330a

SHA512
95d7790519c51dfbf883c3f6f623f5228a35a76544e3f9e11320c5ef528705f90de58a6c4525b4d73c93ee1f4301331213b175bd763e0712996dd40434ba70c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
91a0afddf9dd4284e30cd8dc453c2cc0

SHA1
41b566433b802043974ae8e8ffa2abb5b233f834

SHA256
2642e3a97d84e0511d50075901c976f99a81f0146babc63cdc1e7d5da1564057

SHA512
3c5b775f99fc85b3083d540af9e4b567818510528ed1564c7017294ee853a333642027123d94f854641defb5fca0e61cc2bc21ae82640d77326e26f8c5ab4061

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
306615e7d2d4e5dc0b95666cdd111761

SHA1
7ec3a7763372b2f7d7e25d93eeb43aaf53097795

SHA256
f72f55707d626780c908179340ca5a08cb54c8338b2e95b48a47b5fa9d4eccaf

SHA512
cb4d3aeb256ff35af76e40926626c646c899598c08222c7486c7276178e4e434afb337e2e696d81db63f76b798b6ecee18c5ffad14eb88fa80ad1243578bca63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
70b7df8b489738ebe65dfec37da2a50a

SHA1
120c6788caf74c10f6a9f264e0705f0fd1467bb6

SHA256
89ecf75a015f3f25101d3e19a65f50f986db38fbf29c46dcd321b681f5398951

SHA512
0f739b435b8b483ddc096518d372905fac5ef292635d8ef88987c661e97cd9158d3f431dbb67f8fc1c9754307e1ebf4c3d38e59fa47c21ba1766b019a7e78d0c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
7881add22febc366b6e042771c18f3d0

SHA1
0cb293f15346f7426250cabd73c8c79f7cd54966

SHA256
0bc3aae71e6d847a197621867fbbae2b7c78ff760368254119ec346c4dc5ef49

SHA512
a5d08720bb01deee41e67f2cd074b58f66077ae562c2a2df55e0457c714ce7947ecde88e13454595681958890f6b975f3b46f5cb1ab5a834aa9dbab38b233b97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
2989a2bb3dd01d4ff3f34a5ae8d6e66f

SHA1
0721e444beb27a9d202ceb5b908356ea748efd97

SHA256
77e71395a0ae6113cc420f9289da1923eea39b2e71f8b4fec261cf4000353226

SHA512
f87b94cbe1dd7b1c54a76f45083167e49c5d70e1bd96576e37ac85b48c91b9cc0d25450ae30395295845031ad2f7698868afbfbfc0dc1a7c1a74c3f339d42841

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
bd2c6ff4bae3b6a9044b0e55b9f182fe

SHA1
a6bfa454dd1069b2b00bdfe319a5d604d7c4b3c4

SHA256
5f8eb3cee8f11a2509535926aeb41f04b6720202b761fff1b500e718b4007d0f

SHA512
0cd8f76929a1d6bb2fc5a5e45b2beed7010f55146b43a70419b78f381fa79db642fa97988f667016bde67149b1e872ea0c4fe1ed5a3a9ef25876ab0aad8478e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
0d233891e02ee03a0ce59653d9adba55

SHA1
20cd2c5e42ab1f6ca1289450c9f9fbe93a74b5fe

SHA256
6634a3a6af3f967a210ed948ef0738a772d0fc60bb4b354dd46c26b9d8c20307

SHA512
f3365d32a331625ca1adfb07798fed8618a88b9c362a64f1cc6e0eed392e58047a45afcada5631cd132d93a3b718601d975858d3c0ba41dfe4766af21ada7d3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
2f093617370fc61adabfd1952f549bf8

SHA1
fe76e5efd8d05c15ee63f76b89791af323fb19e1

SHA256
13781259c45b9a372d2454076846333a88a7185175aae51e81c80b11e649bc4a

SHA512
05774d2cdfe243413e4f5fd9ae1b50f6d89d3bef3ef51956f17d8681e0287ee1d6aff0c0fa004bb5957664c5d9157c97ddc0d76c2420712f4c2d23bf722b3eaf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
38c98e31a0b2268e708ae1b91aa3ad2c

SHA1
fb4582eb564ca1928a1b5aa6e84d312e700177fa

SHA256
230d153c61e93478287d492c5e12486ae1c5b85c4ce1e3bc875042e03c9ac4e7

SHA512
2c338f1f24859a6c7fd0b0cd82c1e5b25979e21fa7684f74481b652fc442f7be86f5dc47c190cdbd6f153aee4dceffb3c88f8dab325b595205c7691e76e383a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
f0fbb858b8c5c29e50c01e8c738f1a70

SHA1
cf27788347b17de8276076750211e7c29629a002

SHA256
10ff33ecc4bda70bdb83a0a93af9c46d4376509b4cd40c3ee0dc86eec825263b

SHA512
d3ca645bc7a6964d123e6a8e715c3bf70d8c4789b1da9ca16d6f0a53c1040aa9f2ad058427552a6a13c1d01c0904be00f39964fa0cb0cdef3c90f63eb4dcd088

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
fe923958b4649ce6b436ce16745eab60

SHA1
21f88b3b1ed3901499150b485ab8a6182962cc5d

SHA256
87de12f1c63680fa20d06d40cfe65f6de93dd142139c8be767951a06fffbc5c7

SHA512
4b4a13e855582f157e0b341121ac82224e81d5f1fec480f14079aff8931b312abb3ed5d3bd461b1add379e3e26d95eab11bec40b3f0746a31fc0d4c0f18513c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
8313826386c6681bc7c2f830a8f5c028

SHA1
5bffdba4fd72b7bc20b890392584bdd4df3716df

SHA256
cf94d5d1bf34108cd522273912027cc6d977238ef9d238646a53597b7bdba214

SHA512
c3d3e83382b02709346232ce2272830a7e5ba3c5dfea356de4f7a21521af9368e1d037fcb114c5edf8773fc0112449f70b8171d3f0b2875361eae3883e2a6ceb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
893b9a6ff063a419e697424f1fc3a017

SHA1
800bf001652229cacf6a5629570d6d13c36f236e

SHA256
aae82483740846febaaf20f9683c3de1f45c3df4aeb738e77177dffa99196f13

SHA512
58f504b7bd119c9d79c37aeb6c49d084c4734ae2c88e885e9c02dc0fc5ad5b128a0e1182abf67355b343ceff52c62cfdae6f9113a4788f2e0815892c09b7033b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
58a266bc15bb048e978f671da163cb84

SHA1
2ed98c77ca419e6d143ff1c478c0a414b326dd22

SHA256
9e076e89faa413db4aa2babc0b818a819141ce4b7b9d890db1d69de96c2abf3c

SHA512
ab35a8279f3e41dbd6627afe159ff1f4ebf09aea2fb2af1f6dddda6ebfb287a47c146f66e31b110954c6226f3abfa2e21c053c1582d1007b91716ff016c9df1d

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
544KB

MD5
791128b93f9d3220e0a1f4e96a4ae1fc

SHA1
d576ae49878bc81d4f42b8ea04cc532bf64414c7

SHA256
d73b2c3e6a7e32a021753d70b97c86d68a2395f8a60c9b0c1d279e8fda883b0c

SHA512
800eb3cb1f62f6e96ed163a88a4ed57e2dc2aafad183eba5bb911edca077f2ae34e8666aac4e1634545fbe9faec41e119f73c7aebfede7aa21ca849c3e88a1ef

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
544KB

MD5
791128b93f9d3220e0a1f4e96a4ae1fc

SHA1
d576ae49878bc81d4f42b8ea04cc532bf64414c7

SHA256
d73b2c3e6a7e32a021753d70b97c86d68a2395f8a60c9b0c1d279e8fda883b0c

SHA512
800eb3cb1f62f6e96ed163a88a4ed57e2dc2aafad183eba5bb911edca077f2ae34e8666aac4e1634545fbe9faec41e119f73c7aebfede7aa21ca849c3e88a1ef

Download Submit
memory/2564-130-0x0000000000000000-mapping.dmp

Download