b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7

Analysis

max time kernel
173s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
Size

183KB
MD5

0e8848856b9611f0abc46fe41c86e711
SHA1

7b793725ae2dc7eb3d135501beabd64aefb467a4
SHA256

b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7
SHA512

c4da33fa0a76400e4b22837a45e994f991791f04dae23d86540c87e51a19859aa929d7254f50b53397074182f0f68eb151e3205a838e2e3222226eca86a1a112
SSDEEP

3072:rimsXXK9HRTOeriRfP6pXfSb0dspqc5oY0htVFAHT11Ual21Cxcs0HKAH057kyJo:riMmXRH6pXfSb0ceR/VFAHh1kgcs0HWe

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exeHelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\$Recycle.Bin\S-1-5-21-2629973501-4017243118-3254762364-1000\desktop.ini.exe	aspack_v212_v242
C:\AutoRun.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

4320 HelpMe.exe

pid	process
4320	HelpMe.exe

Drops startup file 3 IoCs

Processes:

b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exeHelpMe.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

HelpMe.exeb5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe

description	ioc	process
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\K:	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File opened (read-only)	\??\P:	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File opened (read-only)	\??\R:	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File opened (read-only)	\??\S:	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\B:	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File opened (read-only)	\??\V:	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File opened (read-only)	\??\Y:	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\F:	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File opened (read-only)	\??\N:	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\G:	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File opened (read-only)	\??\H:	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File opened (read-only)	\??\L:	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\I:	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File opened (read-only)	\??\Q:	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File opened (read-only)	\??\U:	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File opened (read-only)	\??\W:	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\J:	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\A:	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File opened (read-only)	\??\E:	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File opened (read-only)	\??\O:	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File opened (read-only)	\??\T:	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\M:	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File opened (read-only)	\??\X:	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File opened (read-only)	\??\Z:	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exeHelpMe.exe

description	ioc	process
File opened for modification	C:\AUTORUN.INF	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

Processes:

HelpMe.exeb5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe

Drops file in Program Files directory 64 IoCs

Processes:

b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwLatin.dll.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\System\wab32res.dll.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\external_extensions.json.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\external_extensions.json.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\preloaded_data.pb.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\System\ado\msador15.dll.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\System\msadc\adcvbs.inc.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\System\wab32.dll.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome.exe.sig.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ru.pak.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\rtscom.dll.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\System\msadc\adcjavas.inc.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaremr.dll.mui.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\cs.pak.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\7-Zip\Lang\ms.txt.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\System\ado\msador28.tlb.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\gmail.crx.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ja.pak.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\7-Zip\Lang\sq.txt.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\DenySync.wav.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipRes.dll.mui.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml.exe	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe

description	pid	process	target process
PID 5024 wrote to memory of 4320	5024	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe	HelpMe.exe
PID 5024 wrote to memory of 4320	5024	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe	HelpMe.exe
PID 5024 wrote to memory of 4320	5024	b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe
"C:\Users\Admin\AppData\Local\Temp\b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:4320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2629973501-4017243118-3254762364-1000\desktop.ini.exe
Filesize
184KB

MD5
c36f4160cf99746911eac5d3d762afa9

SHA1
f0fbfaa03fbbfa08f6d53690657c23e3b458c592

SHA256
06241c6e7dd19e21c88e6c04ae0b8e667cb5275a88a0491536fc49eab12fcb46

SHA512
1201ec5f937e7bc9c0b0681959937da4de778b0047021e5692753027203252b29336133ae134d98e32077375cd4ab6b6b9a3b7b73ac45d4bedbf4a620fbf59a5

Download Submit
C:\AutoRun.exe
Filesize
183KB

MD5
0e8848856b9611f0abc46fe41c86e711

SHA1
7b793725ae2dc7eb3d135501beabd64aefb467a4

SHA256
b5d5ae353ccc83043974746f3f73bbafa9e28549555a4deda2e0356d60a466f7

SHA512
c4da33fa0a76400e4b22837a45e994f991791f04dae23d86540c87e51a19859aa929d7254f50b53397074182f0f68eb151e3205a838e2e3222226eca86a1a112

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
0d883a21a8c39aaec27cf2805364db5a

SHA1
7ec74d6eb41264eed14756d01de17a0e094b8f17

SHA256
51e948ffa7fffe06e48492a9ff1312df30eb5f904645867867ebc27f3a2e7e0a

SHA512
1fc4287548e8810daf674ada708a8a357acf5b5ab927d0cfcbc262e331bf2e025228fd6f5607f42b60fe4fae127790c7aa0a181126da6a6d6f621f5fb55a4825

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
1ba4b855e4bfa76985f66db8e2181a77

SHA1
3ec41acf1802796739ba06f34d6280395542efaa

SHA256
87c3f37f6ffc0a2f7f8d83c7e63a64eb4b7aa197875f72c4c5d4f0b26a0860c7

SHA512
409273943076f21d5bfb164a18160874cf12c989a4acc834695a344e5eeaac758175f54af6d6acf50de729520263921f300ce563e68b81ea70ab68936be85fd6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
bd55f612db260bca8e7b67b743580a6d

SHA1
27564876f977be4e501dc2e67d4746372be0527b

SHA256
2e44bae497bbf8c569774653852bcbe6f335604e6408b6b239c9e77868b7e506

SHA512
bf9bf8ea4222b93b44cb3aa65e69d9cc782807b76b677f5147351b0848a58791c56a54421d067d9376ae396bf31cb5e0edea9502cc5df5a346a802181a15e7cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
bd55f612db260bca8e7b67b743580a6d

SHA1
27564876f977be4e501dc2e67d4746372be0527b

SHA256
2e44bae497bbf8c569774653852bcbe6f335604e6408b6b239c9e77868b7e506

SHA512
bf9bf8ea4222b93b44cb3aa65e69d9cc782807b76b677f5147351b0848a58791c56a54421d067d9376ae396bf31cb5e0edea9502cc5df5a346a802181a15e7cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
ebb35a1ab74885b23e0420ac0600ed80

SHA1
e6917b4988bbd89edb2d201c2501964716e785dd

SHA256
3dc6b58f23dd53c617a9aa0f849a7e918a30021c3583d0165a52c85db8f553a7

SHA512
254d8588579502e1cc7570feb5696f6989bb8a400b0fe9b46dd181dd594017abf9d4b9b90bc516b5cd11017f56c41e8d267105371886c412600367aa50f58f34

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
1f36a30c4aba1d2e32e644eaafecb334

SHA1
7083d47b9597e13611ba4e20fdd9260f169ede0a

SHA256
e7d53b78731b01035b49107c1d0128c5ebc382349984959590d1524d657d1209

SHA512
e695412dd8b99965a2145d37ac3fc31c4027c6e884b430f5e76d55d94c140b2b4b7b16bfed56b8f00694522901ebe4c6d97bab47ed8a4825b6ee223f61c4585d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
629b1b738f6b76e3c361dedef8395e10

SHA1
04d5294b993279f751580a604a8d570ceea182aa

SHA256
d5128593be2b7a8a74533fbc8af4ea8c98f66584b2527367ab9277690ebcdf9e

SHA512
9ca36f5a5549a6c684a38a0776e8e6e923577cd461787e1f499012760fb5fb08def72e1212ac4c2b2e09bff4d809ebc7c3f04fcf056810f62ef91d46666b5436

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
5b80b586f112376293598c185c9da306

SHA1
0490686e666f27aa703696811b179a22274ab67e

SHA256
7e3278b60cba27f3cc308833aa93129f0776ce6a91449c8d7777dee309d2ddec

SHA512
3b98291b90b64bb70670cda78f0918a91c53a7e0b6ef4e7cafa302ee8e8b7b63495b15e5a027108da2ab1a8c61b1fc2a8e70fde150deabbd9e466118e502d9d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
27d73ca177b77f5831345bb2c997e400

SHA1
60ef8000494ad5fa009227345d72b841bfc0741c

SHA256
26bd29bb3e713cbff4e67aaf924d371f966c5f596777bdd4b335833a7359b351

SHA512
80cd79b34ff379c8a21c03656f4c7c5b7cc628d9611562ec116a433081e42ffa889941221ed8099e8f78465ab577288233f0948948187f92863df0ef4e93acaf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
57f3006b1b3b9c8fc2793acc7d1bca3f

SHA1
8001f5190c48b1e8581a99528c5bd7966c221f33

SHA256
41c8f5aad2d24de59add1d9aeea140bbb3b41948c86cda58c486ed0a6c6d2fd1

SHA512
6dee0a43b08b82d57e93c79fba7a7c7c9e23102374da810625e2e402c2944d80822a6e5441effa782dbcef1e520e681d22ced38f6e73febb2334b59b8f4e5b2e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
3f0681d6368f98207dba0e45c573f569

SHA1
47588da1677fd534267d1780d83383560b9c3e87

SHA256
e22296fcefe193061c9ea1c633b38474b361ec348bb656fbc6923172f99dbdfd

SHA512
8b780722e9e49f9cbbb5e4d8309513966e13765d60427cf08bcddadcef99b2bef1d6e96535c362d9b7ff0151a3ba353067aa5b6752f2926278d3c9345a67499a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
82189307d8621bcfe1921b4f47881980

SHA1
ab49674d76600eeaec59f04cc6611371b9110c1a

SHA256
955d8a3e95563f8c6444c2651700addcca0cb6199f9c3d9970c753c32150813d

SHA512
c785341e96137ca212846e0b79b0a3d77858001c46c5a2fbaf46c95e0acdb558f58eb8227515ab9ec723a1b6a43161e42aa8b7852a12804ef99bc8dfa88a54b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
3bb672ae8eb75e96643a339dcb1115ba

SHA1
135ecc0ef33880ec8dd9c93ff967e56e54bf5597

SHA256
7902b87d2045d85456a7170640ea8dbce4ac521990426a30811f52a85778c513

SHA512
d7c52ed1d640112b9fe1767bd1872c9fd1080dd2886966329f02b4a0fd40f848b64dc5ad198686c3cdf38af59647e6862a088c8f2ed0b8e41d9bcd1e275772b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
173792d18465ec4f1745674a8a794cc1

SHA1
2e0dc4586e6df865f8924ae4eaa7e10943bf267b

SHA256
63da25a21f7cc48aefe19a0063880bc222766d2d440427b5036e8f87b909c9f6

SHA512
2ce120b65c61ccb8102201358f370ce3424863a1279ed195b4a569dbef23a899272f11db23b6e3a307a2113f2a6b5e1121729ec1608287457fc62090e752d85c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
7fb37ce4db18a24881f2eeddad744beb

SHA1
d0624981d721eb756ca68d1798864804cb4fd4ad

SHA256
fc50c9549ad897d32cc9ce3d9e9e410dea7eee274a3c60b01222010001fcc5cd

SHA512
bfcaf31be896d26b8630ee62d64982b1fc4fef6fdac4d7000b5f2d7f39653a0fd9e091bcac1df4c8d5c46107982a8c4ebd7513974e545c8b09f097237dcf99ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
7f41ff82ade32037b370768cb3d3a1ec

SHA1
76e07c11d2bd187ba86f9340a02f161327707d3f

SHA256
8686b12ae617f8cf5972d353cd12376dda1eb5c7acd6e7d91c2dd128d086bbc1

SHA512
512ff4e3a405591bde055791b4db21c1b01074147b6c167901f87cf93ff212ef2ef9f84eb3cfb450031cc79d820d0568b380eee3a1e631fdc822ca5428699b44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
c476b76141299ae2d84284b5f701cc6a

SHA1
489822b66e7b968aa8c2607850d82d4b291d030d

SHA256
32a7e8dafb6861dabf7b2e0ba4786b97077f312f17db8da950cf54220f3fe08f

SHA512
19c97b8bcac6fb41d79118b5dfd65e4074039bfad71b8fa0543d0ca576c441c3838fefb8be661173afff85a54be81bf6ee471340d0cb9eb6ea53c89ee6f17ef7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
68aa061b956be307ec7da474c12bfb23

SHA1
70654513f38ecaf1f85798f09e30886359932360

SHA256
fa72e8ea2e0734bf003f88ff0b5be90e02fe184a31a2d8e1ef98ba751cb63d2b

SHA512
a08de358a72f327a04961b212ebc4d52a198fd77383e2a9f5f5675dd8ac8940ceac892561e379d302a43ec3d041a079f6d2bc7033eb9f081d7d9a4a0e2ac9db6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
05219cdc161a96a84b63028c74c561e3

SHA1
d683de2d93341aa3fe898034a31e7a9bd2642206

SHA256
13e60606225b5541ea9f23c5426bcc99fcf39beb67dfe6fc0f1208e18c4a7912

SHA512
72f58936fc7f73f9c63498f7cce05ce5878169c6b20fd404bf8b937781243c298a0d6fe72eae0b676645d27a1acecc1c26c5cf1af4a6afc0fc6fde3128925b50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
f99baeed2e1cf0269889fc9d66499586

SHA1
11df1e283a63e0734a2e8aba78f0b79387c2861d

SHA256
ce9c5d47d6432c47849ee2d4ff62879977e65e2bc07f637a14d4f2fbdd6b8f10

SHA512
9d638ab561060a2471a3ecb9b14350b15fbb1d7003f48615846239a56f913f83b7bba41cd4947bed43cd489c7140d978de32666e45c601a4a9d01defd79f55ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
97dc5a1f9afb277c9f15e04fbf11413e

SHA1
29788d48db2fefe4738916057f4c3981c2041ee0

SHA256
a8085718f00fd1b444607b7afc4d18bf7c870a6cdd9619140a08ab421d275667

SHA512
98b1bb6fe786fcd74319d93b33cef8ba6b0a08130a5f2c3be77c0594574554639dbe0a37c4c2b854bfa256db58433310c21c0e7efee88454f44f33f870f3a09f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
b255860a2cccb7a58a9ad81594625dc5

SHA1
73cce6fbc1c6ccc67d9c50cfd2c918fdde1f5019

SHA256
45f4aa227e9645cb31220af93c2299a44967cb38561db19abd5a830b4e3be484

SHA512
1544ad8fce631541b9a68d1ee89900e81f24e4fc45d83ef4beb54352dac8600dc013e82a50db65efa0663c647d1604e01d623ddd486a7078043d653d6fd6e315

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
45dcbbbd65a1dd0adecb4b5e85c3a514

SHA1
f7e09d933bad758ffbbda7205c663bc6289930d9

SHA256
9fad627abc9a028686ef664810b21c44f555624bbb68cb0d73e5532a48aadf8f

SHA512
0aefb7ded7d078c7402d840dc875f01807e243c7e0201381445d421f10eaaadecda83368ca4749bbed642a1b36d7a9195b781cf92521ae2d54b3f4f89ffd583d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
45dcbbbd65a1dd0adecb4b5e85c3a514

SHA1
f7e09d933bad758ffbbda7205c663bc6289930d9

SHA256
9fad627abc9a028686ef664810b21c44f555624bbb68cb0d73e5532a48aadf8f

SHA512
0aefb7ded7d078c7402d840dc875f01807e243c7e0201381445d421f10eaaadecda83368ca4749bbed642a1b36d7a9195b781cf92521ae2d54b3f4f89ffd583d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
f65488881e4092191a47389662f4f4d6

SHA1
a47787fd059ed6ba6d689dd76f3eebbf9cb56887

SHA256
2f84fd34975ddc8e952ae3bc224dd73d1764110b32704b05c160d919ed912d42

SHA512
0756520cfc24e5824785a1c93f15f78929f1cff2d5aabecae652b8a43d5a3df562d82720da67c19e1a2ab80caf16255a98ebff46d87e68f534b7ba857e7e6de9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
b29f4d0f7e40126cfa71ac27eb33cf45

SHA1
b424daa0d007595b4226f1f4daf75b944a005b03

SHA256
6cece583bcf2155d0ba436c92a14342c88fb31d658413972b6fc78bcdf20201d

SHA512
f3b4c06a34184ad7489e4cc46d8a88d16abcf03591c93a6f9a01cf8226ec4575174e43e4310bd0327a339d5858474bbb8339696f4aa3a05979c7b05ead5dfeda

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
b25072d9d7d76e43384a0f81da703f2b

SHA1
33a2822f63f1b598fda3c020fa82a1a847f7ba89

SHA256
0ad70fcc882e2fcb8fa2f06b086fe187ac755b88aaf65a7b3701ceed15b5a0b8

SHA512
170d61a4ab9ba15a6c7a0db5f18a6c25b5851111427475539062ca72b8aaac8eeca42e9bd9a7b1c6409f382a0e30faa7164672966e6bdfd03bf86285edf2ce26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
153f44b1f3c24ead579f1be14050d8ba

SHA1
ef6bf817fa5006e11de326f1f388ceeb9cf08a64

SHA256
9ca868f69bd76225add78566bf0bf490847f8019132468d973259b8efc52dfdd

SHA512
3f4b07392100ceade4b9109f2f734b70d513fdeba5a3592ee060422886ff9fd43586028970a19896cfe1a0fd79319b99242b8e0cb64f4530d4be7b92cbd75e60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
153f44b1f3c24ead579f1be14050d8ba

SHA1
ef6bf817fa5006e11de326f1f388ceeb9cf08a64

SHA256
9ca868f69bd76225add78566bf0bf490847f8019132468d973259b8efc52dfdd

SHA512
3f4b07392100ceade4b9109f2f734b70d513fdeba5a3592ee060422886ff9fd43586028970a19896cfe1a0fd79319b99242b8e0cb64f4530d4be7b92cbd75e60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
7341d5a32a8162677d7b0b1f8374f74c

SHA1
aef7f8c505543ad5eec74878e4f9d5ec3f3980f3

SHA256
83b2e988a325502bcb45709a96adc8aeb30d9599f9ebd93cdf705930ae9c9a76

SHA512
24cfaf9e25f14c55bad3ab077cb454783e163ff822fdd00b5993c17bb639e2a5dcf49520e81c9816d2ae3cdf26a7acbee67a714400d1202f3415b5dcc86a8b83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
d03c3f4939ff474092c4d808ca1dadce

SHA1
0ade1dd5fe5c5b9d536f934374045dd1ebd5b498

SHA256
fc150e1eefa5b04cc582f0177bb4755b5bb61d09365d42137e5ca1afa04deb93

SHA512
398461f7500efc829753505e86d4db64493b8bde70b1e29c2efd4588c2b1f3199f94ceaeb2ba2b8cdfbd2f5f75560b3274d0cdd85850decf8ae9f64b6ef347be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
7fbbb7838248a970035941e3e6059b82

SHA1
3981d965a503460de2e82de6b8a03865f18ba0c7

SHA256
c3053c41cffb7ec5b6c80ce279f76c18aeeed56f0550dd19ef9d67f6f289eb07

SHA512
2bdb471439cb03be7ff365500b43f53ff06872a74ee290f50efe1eb2541ecc01fc9445978d6eb4dde36b094305b8977dda4930dfbe096964dbe67181a52d9237

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
183KB

MD5
f0c587794a6f863fe9b185f5e2b8e260

SHA1
86ff949e3dcc383a94c3b18df26df6d92fe0a843

SHA256
757e2eeeb3cc25e1b7b3cebb3db075c7a2d386d277a03f80dc37994e71bdd101

SHA512
1bd2de9508ed521639f4aa5a662ef85dc3dbc96ffc544850a69b5735cd889c5a8a0b910e2777a8849ce272188c7958f60e27b6a17e24633a7a41e9e9be45ecdd

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
183KB

MD5
f0c587794a6f863fe9b185f5e2b8e260

SHA1
86ff949e3dcc383a94c3b18df26df6d92fe0a843

SHA256
757e2eeeb3cc25e1b7b3cebb3db075c7a2d386d277a03f80dc37994e71bdd101

SHA512
1bd2de9508ed521639f4aa5a662ef85dc3dbc96ffc544850a69b5735cd889c5a8a0b910e2777a8849ce272188c7958f60e27b6a17e24633a7a41e9e9be45ecdd

Download Submit
memory/4320-132-0x0000000000000000-mapping.dmp

Download