1d0128fd3184a765076397dd308e51bbc578a3639cb9c08ab6b5c36704d772b4

Resubmissions

14-11-2023 17:31

231114-v3qg7acf42 10

14-11-2023 17:21

28-10-2023 19:29

24-10-2023 13:29

18-10-2023 12:04

07-09-2023 12:10

Analysis

max time kernel
598s
max time network
444s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
24-10-2023 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
Size

585KB
MD5

f1334ba4ffac39c0df566bcc6b5c5c6c
SHA1

dea070a650abacb26f0a76276dcd501828546b50
SHA256

9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64
SHA512

9dbb7c6e67a03fc0cb371b73ebd454a0216598b290eedbcd7fcd22686c4c26b862acd7af229a595e9c34397254156f083771d270de4bcc67ff0f77493cbbc5d2
SSDEEP

12288:Lp4pNfz3ymJnJ8QCFkxCaQTOl2+U866w0B2uJ2s4otqFCJrW9FqvSbqsHasgXhFa:FEtl9mRda1nSGB2uJ2s4otqFCJrW9Fq8

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (4588) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe

Executes dropped EXE 1 IoCs

pid	Process
2184	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\G:	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File opened (read-only)	\??\O:	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\J:	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\X:	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File opened (read-only)	\??\Y:	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File opened (read-only)	\??\Z:	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\A:	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File opened (read-only)	\??\N:	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File opened (read-only)	\??\Q:	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File opened (read-only)	\??\W:	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\E:	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File opened (read-only)	\??\H:	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File opened (read-only)	\??\R:	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File opened (read-only)	\??\T:	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\L:	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File opened (read-only)	\??\M:	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File opened (read-only)	\??\P:	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File opened (read-only)	\??\S:	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File opened (read-only)	\??\V:	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File opened (read-only)	\??\B:	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File opened (read-only)	\??\I:	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File opened (read-only)	\??\K:	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\U:	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\lib\management\management.properties.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ul-oob.xrm-ms.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-pl.xrm-ms.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\Keywords.HxK.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ul-oob.xrm-ms.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OAuth.dll.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\THMBNAIL.PNG.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\net.dll.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\ImportRegister.AAC.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ppd.xrm-ms.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-phn.xrm-ms.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osmux.x-none.msi.16.x-none.tree.dat.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.Misc.v11.1.dll.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL115.XML.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN105.XML.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ucrtbase.dll.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ppd.xrm-ms.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.png.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-warning.png.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msmdsrvi.rll.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-phn.xrm-ms.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ppd.xrm-ms.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-ms.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNoteNames.gpd.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.Edm.dll.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Java\jre-1.8\README.txt.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-conio-l1-1-0.dll.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\COMPASS.INF.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Java\jre-1.8\lib\logging.properties.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-oob.xrm-ms.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\attach.dll.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\rsod\dcfmui.msi.16.en-us.boot.tree.dat.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\ole db\xmlrwbin.dll.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OFFSYMSL.TTF.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kinit.exe.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbInterop.dll.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\Hx.HxC.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ADALPREVIOUS.DLL.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-synch-l1-2-0.dll.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ppd.xrm-ms.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msowerrelief.dll.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveDrop32x32.gif.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-pl.xrm-ms.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\THMBNAIL.PNG.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms.exe	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2184	HelpMe.exe
2184	HelpMe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 2184	4780	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe	87
PID 4780 wrote to memory of 2184	4780	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe	87
PID 4780 wrote to memory of 2184	4780	9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe	87

C:\Users\Admin\AppData\Local\Temp\9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
"C:\Users\Admin\AppData\Local\Temp\9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3811856890-180006922-3689258494-1000\desktop.ini.exe

Filesize
586KB

MD5
ad1bfcae8360e5f8896388e2f62099c4

SHA1
52dfc5a6ceb5b317c59ca4f7fe52680822f02886

SHA256
9a78f2056d0ba623f1221849a45893814db006cd2bddf8e667d63146deb910f4

SHA512
7bd825b8060ca38e0ab772b4773871db4ce1e25ae6d986ed14e352eaf921827f6380c43af712353b70e0e922ba3d15aff13386664c01edfe1f1d76888068c59b

Download Submit
C:\AutoRun.exe

Filesize
584KB

MD5
24ab532cf48bff7e1027ff265711f433

SHA1
8f231fc846e548c2ed8c7cc863d973f13ebc89c6

SHA256
469fc930acf3f5846877f61398c75b757c12f059624e95cfd00262ffe3b90c8f

SHA512
6e0fdc0562ac6253ace9be42426197eb03182b418cd5e70224c50fa251b19b1cd6e556d7e5d92bf9c9485748d6a11ca1ef68b4e792f3f1950ac7572f917b10e5

Download Submit
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

Filesize
1.4MB

MD5
b97abba00c377d4a857077ab665df1d6

SHA1
91af31b41960ea6a506f82dfca3566bc0858211a

SHA256
e0be3e3e9cd7f65a675aaa8f686c8e0f42ec10ce34904f5ef8d09b10c94e4d5b

SHA512
99ae02e826050550defa57be24d7418ecb4df70717adfade587b709f57cd545d95fc6ec791239207969be9e068dbe067b719906f0d1c8ff21a1fb51af5594789

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8b759eda107f76933b3a6c65b4f5bbed

SHA1
31872343df0c01efc5641938ccdec50099ad9100

SHA256
ce828f145913de573dcc7b796d02d82c20f29961e859007d35e555fec8fdf032

SHA512
8d0b3caae3203b47c4deac6fcc544abf946f7e14042a6587d0229b6a521851d84b04336e687d77ec62f585ac5d287f9da90fc62e7ed855a0b2c8adb23e982010

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
fab9819229b074d3825e4d0e8f104914

SHA1
1d3edf00a3833718a781d57825029f8d76fb0a79

SHA256
c1183055c7f8aa23cf7285b607691224056e7b39de6ab590e06f4c3c3628f251

SHA512
8355f8dfc0b99c171a388e69f35efb670869d87e51a109fe253389125c53bd56b453184428e384eb39f4be581da0fd027b63aece9d9f33d25ea68276560af698

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
72bd579711218064e3bff9deb39b11c4

SHA1
2e168f42700fa429fe20be19e4aac9349452aaa8

SHA256
d8f98e7551f6b5c47530cf7711d1ba20748c53fd10f1fbea3e054975f39f486b

SHA512
f62e2c574e948b280e3da382d9c2f5f5807359c313c999a6b3ec654cafb28345de8df20c00f23e6f4466b18e368fcc5367ffd62e4f6ba2d1a7fc4e703c023fd8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e1124cf3840e837ea83a8db8be0a64ab

SHA1
85564c07d125bb096752442c2da9622d5886f70c

SHA256
8ed8f97d4e1dbc6cfa3a19d3f2a1179206916eadc2dc999c47532959414d5965

SHA512
6cba9544ebaf18cf2111fc82e3464d03462fbb73538508a4b17ff4f98bf88b2c5536c99de3d6a93a24d644c93c838ef3dfc8fe2ffa635fdb9c44c18485db9f5d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9956f9426b26befd6c5cf5d19c9c75c0

SHA1
54466dc6440bc63508153f30eb29e41106c5b938

SHA256
25c2b315cb67152133e3743c59279e3b5472ae83b0a8067a8fa1044fb235734e

SHA512
fe063d5fee401bd2efe6f3117ce8c348649da609ff4fea7d3730cac38d4cf3f4383ee52345e28c35d0b775738479b48356d4866d1b4885ed3186c4b02e103aff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
83bd32c7e8b534cf41fd132587cdda7f

SHA1
ad8eb78d5ec1c394e7ab20f85f357762729c5bf8

SHA256
8b34e2e07b06dd35fff488bef86a6e52bbd5bf7298692b773ab6c1801d45a636

SHA512
9ef18d11038b99026d2628c309a0c623387f040d50eb00ddddc4e6d2089ac5f3a2c78fba1f0ee11654c7d4ef6df7c0c4f4f09b2a4d7819286f28364ad6b1444d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
74eee01eebc397846161650f9f3ddd3e

SHA1
8a283ca94398a12ffe320b2fc035ef178830f437

SHA256
1e10b7aae0b970c533c86c9a0e1b6acdfaefdc27df4c39c11e146835a93723ef

SHA512
5a904ae9adf396e68544a1fe17d903c97f3d01018ca307df5b0d47a778375a311d998e4bc068764c0fc34e3a3d304b09f4679ca531b9a8892265c28c0a8336da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
c01b091f0dde3efe9071b5649ab72e1f

SHA1
4ce3849ee5a1563efa064476b62e4f7e9d64fd78

SHA256
69c0d95d43a052111b94e7be863f505bd87bb1bd823eabe01c8164abd5f2189f

SHA512
7cde19030b41b7f4868293cdf338685764d59f5f8ef23f20f11664336eb382e7a994fca8629b7f0fc8c3dedf20ab32b3885917646a151c3a09e106991f358ee9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7cd918c4709c2ea191b626440f369c43

SHA1
bece9cda46831a52209c978dc7b25b90aed819af

SHA256
59d947fe7c86ecd00e6a7b25d435e07617cf02d255d04d0594028b007f989e91

SHA512
26b7af6bf417e9d1e701b64e9c935c2f7a9994d21f9e32a5ac11677051e18fad2ebe33807e4121be9328f4c3875e94a77bffb783ed99274d0d6b6aa7bdd50640

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
1cdbc61524a166b0ad6ddc8b25520e68

SHA1
df237bc825bcc26abae3453ff6cfa472b19bd4ce

SHA256
ebbd972747c6eee85ec7de0a5e7cb1bedcb96300719f6bd6649c3567ac8e5dd5

SHA512
c288310c66eee2147cb6e6a26d717efd24a33d49a254bd036a15c97c1c7e859fb7149b77d7da706841528492bf9cadaccb50edf9143efa48bbdf8853e114d356

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c17704f181f2610ad5eebfa760d61629

SHA1
3aa275e0a7308e901dc935fe3b60291c16f7203f

SHA256
99f1354aea1c8c3699b136b437c19f725c570cf30b7356efd28895b2e36a9790

SHA512
f0a91713c550943f16a73a72c3718c0e55bd26f7ae3febc7ce3c275fbae9cbb44297532cca850b3ce1759213a1af2c62a131b1a963f92d6f0210ab1eff148445

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
6cf2b8c4bef077bf1fbbcbfccaf96045

SHA1
c0f552e8de662a95f07ce0567daf5cf89f02a0aa

SHA256
e761d8cb2ce323dfacb6027054cdb84232864fa63635c84ee21a5ec465470606

SHA512
bcb3932b6faae11660f63c3602bead1454ddcd9b4c2118fd07a80a7abf58e1041602cd837e30c995d1221e637a059bfb01d9ed514406e384962b50031f09df46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
bd02761a8b51d28abba58b573af20dd3

SHA1
fdeee1ebefdf9f7ae732af006ad33be69b4b43ed

SHA256
57cd30a94627e06b3660fe7b7efd7e9cb3243764287a1fce077ec2df373cf49c

SHA512
b656eb04f5ccdd46d6d6c779d8001a37d5e4ea0afd846ae805bd974e867c627f0aa953cf7aaa0e319faa80989aea8150ee3fd80aa7e11fd12cdd11c36285a43d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
7ddb9f231747fb1e18c347f19586ae89

SHA1
af0d554bc4795f7df27aeae1cab93fc07a301152

SHA256
4f51c93c880b961c9c09e23c30f6cb2354699e73be0f0bc188e8320906596c6a

SHA512
37ec68d67fd88afbd807a88fade74a4198b804ca16cd25530d4b3453e33c3e61152e47bc1ad004fcbfafb3ab6c4844bb802c51e0573db6f2722f0fb2b1c985f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3dcc4e68667198e4bc95b1ea389a7eed

SHA1
d9cc0daf19ddab24a58b36b30de0abab59257c02

SHA256
cf27dda3aefee8b24838598ffa9777ef0abd1912d652a58403b2a084fbe81914

SHA512
26a1af353dbd92be7c3c5f7cc51e132e98c5984f8b6695e5f7efbd40f02924c8dd6d378cb929a7f77b792ebc3488075b01603c06fd1fee3129ed1a16408078d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d95c9fd0de8cbfd7187eca2952d71826

SHA1
863c43a0f51505961436e4459c239dca257b8676

SHA256
53eb79f2bf4f85dd230ad2ed3ecb5f5b0d7d3417f91055be62773fbefa8a1305

SHA512
0d1bee62679a7ec0e676ccf5fc9116c6b11c9385e18413e66e1128132a020b6944294d390b09839b7edcdc4002a7de0c1d23fc8f6a22a2b7269917f88c96d2e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e47273875fcacaaab41c62fdd236f1ea

SHA1
c80a93b8bb45efa1cf90de8e4daa3c77f6ab2062

SHA256
3c284095d4e100d87b07fd881ac31e8bf5539762a3bdc5ac288273300c6330c7

SHA512
f3f069d39c14893889874964ef02f9b389177093b0ac2979d653e8e6895b7114efdbef5c788e3f5c156cbd0d36e7c6fab19db4716c48348d1c1d26676c9fb3e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
85efa480ff755d9a0f46a1a7fd2d0e34

SHA1
23063f0d62e2dbc71d9def2d539071c9b1c0f2a7

SHA256
8e00af19f60b5fdca1f9d7426e899ef9f7c1f1963afa395365699d189b91d27e

SHA512
d2d3482fd16a2b6fe15b1cf232e333d69df37325b47d3b4175861ac8603e8398fa60c52e6e79db900aa6f41c19b36c1bd3780b55e65940ea0c08aed7149d201f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
cbd3319de08943d628871cfb6386f20a

SHA1
f71af96f1e4cabc2c7118cccae0c1e1a5a8f3124

SHA256
8be073ba5603cc7348fab5b5e5f17c974e99efc91ce99f22f9826c14b580c67e

SHA512
af48437ab498308a205fbf77053df41ad23141ffa43346913f6571224721b163ff1fd7664e71437383273e751fd28a535ad22907a4b657c9c820bfdd6af61fe4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
cf107dfbdf747332c30648ecac8a3a0e

SHA1
fb30114425727ce49c010e77ec0d5ce18c6353fd

SHA256
d92fb71b59d411aa6765a0d9fb7a47d54be1fa4816b93cdec99081c5ff54f522

SHA512
6d35dbd216de270114e6895587bfbab001e74d237e4bc595c9e3d9b644837707ee15979711c1406fe9e2125238e181f034d9b67ad335c89f610f99f9cc84adf3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
73b7a7b62bd330d655a1abadede1c2cf

SHA1
d04ae97d393a6c680ab057d5ee62d85a9b452e3d

SHA256
cb8c534d0590a49195904095e5d5c2df7f3768a5f71439dda2a3529277be6163

SHA512
6cce7211e7edc15592767a7496e338dd8836627fde7ee0f14903d850b8f37b27559620da1810a1b7635b528adf058907cec9f0d23e00542d829ab649d007e51f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
07111cc8e1386d8ad287028067e7599e

SHA1
13f3cd1ee818d0fd9676b041ce5d3d916da175d5

SHA256
0e5c092f22696b41fb52fe26f83841674179925094efa5876e6bb10c84b99feb

SHA512
581cd3fc8274d57d61b7be5432e2cd8e247e5f58eb8fda9e21b7f478c1b0c019145f93c51c01b655ef4eb691b06717ed2f18581beeea6d793d050d5d32377242

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
520f53eacf7ad68cb79545ea1556c1fe

SHA1
8a6cb3cc9e0b176ebefd09b3f059d12e3d61ad2b

SHA256
a49b3ad4e9d723f932f419602933f12f2d76b812db322c7403d157116d900a49

SHA512
c32f471a133c89fb0d1b72aa7960a5d6e2f32e1e17d69f3809c040b54177389a7eef78f212cee29b36dfab27cf5f15c955fc150eefc99035d5fd403bb452b867

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
520f53eacf7ad68cb79545ea1556c1fe

SHA1
8a6cb3cc9e0b176ebefd09b3f059d12e3d61ad2b

SHA256
a49b3ad4e9d723f932f419602933f12f2d76b812db322c7403d157116d900a49

SHA512
c32f471a133c89fb0d1b72aa7960a5d6e2f32e1e17d69f3809c040b54177389a7eef78f212cee29b36dfab27cf5f15c955fc150eefc99035d5fd403bb452b867

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
6e422d9e945987d5c6aab250c3f413aa

SHA1
d4d062450a9d5d010311e14defab8e213f59f8eb

SHA256
55ffaddce76f78692e68b1dfaedcc9211ac43bf4662945eac179020ad1ad5316

SHA512
06e30544c20ea6f1b552d945d6a3bf75702dad47573a7237110319b9f0a2de17269e6bd498fb5305bbd1fbdd336001df03835d90a9ff0b587f9a6fc88c4e1e6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
bf0494108f5112ce1c208eed0a9ee612

SHA1
89a52945bdb1d9fe6b9e560bc4513f4a411416bc

SHA256
5ba20c6d4d206c68d6778323e425ac2f8a8ce842621cb6043255b7f98d5a7461

SHA512
5dd5f80ea0bef22dcd4689e2aea996868869a23aa0fba6cc053e9003230c3270d9030e69be76d3d33d89651c2195e9a8eea672f938c7307b2e33c3839b6d2b3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
8baf92b129c7f3b7ea539f45e62ddee8

SHA1
826182c8cc342542003163a9d695ddd1d36bb3c2

SHA256
b241edbb7dada55b2498bf607345684257e99ecacce4d43a3f58c22c624e4916

SHA512
9cfcc366d27c5776eebcc564d267e92fbeab35bc81feaef401e6527273ce014d235c32afb30ba0190b8c3c5983fc2bdc206cec1b7a6e42841e4a11c340329042

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
89497067eef0cfbbb49b99ec4917d120

SHA1
e7cf1fa08323f2f5b3839f35a47d7577b28e7b63

SHA256
3ba498c2b3b85a80acf2e1d51f7dc4754c0e6e6f9334aba905912915555585bb

SHA512
0369a79d43490710cd0e8afc962b5c25d1b07166007817894e6557c82bd743d2c225640d4d9bde05151093e981c7360acec47556e4a2782de3f062a2322fa43e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
a5145c9999f096029142ecbc2935b0c3

SHA1
9570b51721093dcac9d0903d4e0f4a0951219c84

SHA256
d2097b9c6852b106160c0317186fe946978de454377fb8f9b4ad341f1f271c68

SHA512
75bccfc8795d8224569c0d917063e784e4a4bca1d93d05a9fdeb106a051a952580ba0c002b253f87d0437d1d8809f87fcd27c520c9b0baaa797f1d96d748d550

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
85ab1494f8cb2d5979672b00bfbc5095

SHA1
c48a7e949e835b4335801a74b4be55b32cf6596d

SHA256
1d4a18e7ea5f64bf84a2f60158ec75c2648279457c258c8dcbd8b0cf0dc2fb1e

SHA512
f0860fbad35f01b2080bc749d16f698cb15f3476f76bd25bd06c7b8baee741944efc72f215f0fe49a0f1ab6a59b85ee2f975482808c7d14d4d0eb119bdd0f02e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
750950bfdc02067dd5fe61cdbbf33e14

SHA1
00903e3e8b4e974e6da7b321f9b8aff8af0ae62b

SHA256
55fe8954014650f2a275b8f34e73b1adfd790c7e6a4046725242591cea722c0c

SHA512
218876a1b3e1e26e6579fb375cf88184e7f0d4aca6c9f1a1d5e9801f5b97cd5fd2ddb4296ea76a1e11f0ef786562a571cef617181d8ae5be48aada4b3740b086

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
c6e2189c67e956b58d73fc4a1b8d72a7

SHA1
8ad95ee132f4815be95b4a3feec536cf8ed4b744

SHA256
74b0b1d5e811e4e5d881d3f2414819b6452bf70530b4d1a2c6de84fcca31738c

SHA512
4478b942282f8ef8e0da98313529561dcd07f55ce4b4cd016ad6878c833d7ba5a95e8f5fe12eddcfb528f3f205bb58ff14641cbdac06648a469cb358594a5303

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e11b6160c37bef0b9adf464d00a9b501

SHA1
6095576c19793fbec8475f30532ba189e0963ce9

SHA256
a4ea08845aaf62703cd056775fa0cb1ce732ea81bbdcb7336e4ade8160432d74

SHA512
dfe1bbf07d84ac6a3571218c98aea2713294190737e553cc4b706cc57bc5f8831ea0c39ca57a10b17bfa0af709b08618e2d8999cf17e3400bbdae456a08f421f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d78c732f5b67c4177158d76fd7cfe8a3

SHA1
6eed7c7fac1511875ff235e90dd07ac797906362

SHA256
20a695c4d2aa02b9250a9a54cc203ef5626d9cc0739e20c0479de073ecf30417

SHA512
3c0b3df44b27f0c7734738b7bb05f04403188884b50684687861c4638199ce94e4f39da544e37c416f19e7de700404a1bd80b6339c8a8213324c9533245f429a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
7ad1f85a74af5f1432e5715dc2b3eb26

SHA1
48c4cb5d7e8e60187edb0b824e198b7b480d9348

SHA256
02271643e4dcad1a2664d8cb1064194e82415aae47cbf9c966e303857d18fc2f

SHA512
dfcee80ee4c6ce68c476771bc0aa4683cedc181a87e5d9a277a6a6c521422396608357514ae2773d2486762aea4caa20579221ab1a35ad2c88fd372a60a290e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
da58e0afdbb18bd01805a361b9c2372c

SHA1
0cd38c183a374605671090c657e3017799cf6d69

SHA256
c88c4fefda783e7180b046dd89d1d71dfecbac8d16aa77d258f363ec051942a1

SHA512
da546e35012eac3f69454e47abf78777d2f245d6fce1f77c59aeb98c02dc746d92a71867701f732147886c30d08c9ff99d084afa0b65dd033c263f0531c47b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
fb82dabbb65a762d59568ba22146413f

SHA1
0d99c7ae16040af145dda20f83f0b656f93c55b3

SHA256
7cb33a7f6828c45062b1c45af9655017621f0ef58c528c441cd6f8b6a2a5e835

SHA512
4fcb6914baa07dc039413cb97f9c5e57bc5300e7519d4c0b3f9aa90eb48b7bb9e692f5115c2d800403aa6326508ee2eb28ac770fbe55d380ab4002b5f160e8f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
090d04452da0a54737f727a2bd862f77

SHA1
43775d7c6219074df2e20b475f19b3df703be14c

SHA256
dbf1fa96c10e3cc305f1a9990d1c8c2cbcd6b62b21fbe63040dcc41b5fdc766e

SHA512
7da280debe9e2fb98dfd49ace27e6e0bb9862e56891b6e78351d22ac9e452af0083cf8fcf2a0d77fc3c6d740f8a2af140f94fcdc84e67b0d1fd98e9db2193c9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
29fa92e2ecda26f8be25dbe2d3e644b1

SHA1
f709353199b4e7766f6203792c3bab152fec7c4d

SHA256
73b295543743447f65779d39b739bab64cebf79a3937c64a3a8979bbca69680a

SHA512
3441434829d44ead3423e5d1b57166700a0c07de72ac53b402e243cd011c99ef982f013ed8c059b7d7d0dbcad95df36101bde990cf9571a9baf473b1b6e61114

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f60427efb4f4302d25c8d8de0056e142

SHA1
01c6e8fb3031f51629de91093b3be2b2a2ddb243

SHA256
1bd4b2a27059e9a5416827e6daf4cda559edfbc6ab2da5cd70368f3cdf20f900

SHA512
eefc03b92ea484e0aada6624338a19eeaaa35c704eb8f59c61c2a3a0c3013492b21e7fc20f9cc9f67b2087571d2863d6e901f4a0fb4e72536eaae7fdd2657a42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
8af2121ae3f1b585228b779081a1452f

SHA1
5313705067c9c8b8dcb7762a0ff184fa87e890d6

SHA256
0707b9fb05b11d472b48232a3bdbdf22a4f7005369fd8e9ac2af5af46c8376f3

SHA512
333a1588922abb35f45fcd641c6ecc2089b5fd5ff6d394a78a281ec232370aad0421644958b79dc580844dbfcb1a900e6d4ec548b4e18ee8eb7d63075c08ea17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
bc4406b5a909ab69a6c8896f4347e919

SHA1
0db4b8dca71ad94111773941c479e0764066e2a6

SHA256
a22c78f93a069fc959fb3ec483edfc9dc6c747787624c54c39fcc93ce5af19d7

SHA512
eb0633f2610cb00fb68230737976ee0deffb330d9b6761b83153e87170f6bad59ea5105c461271507bdb470b973ef3c4179a9ac8877516607b7e851fdcc0c03b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
561d2246acc6286651e76f95c94f3e7e

SHA1
205167e42f4d2fd69e8fbed7a939fc5d2a16c4a1

SHA256
7383b09bd16754a12eb484198834adfb169bd11e7666dabff20c1d1110e23055

SHA512
30426f5a4320c95a018d495ec5bf23c0c5a6fc9ceb6dc4e61500c53dd885aeff0b20cad9870083a75bd6b6254b41d87e42dab8eff3f282c75143f8efbe314ca8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
46b659a9344da03d8da4591b5da3137c

SHA1
48bdca0210f7364d43db289561cd41196d033766

SHA256
39361f319729c9f2ee0c3d5159652e5d3fa75adb1c88d74d9231f4a752e2295e

SHA512
5ed165d79e7581b77f8e27e9e556f9112ecbf7d81f9ba98d3fd8390018344beb76adaa15f78627a47bf5fae41c445d97e01dbb23e3c524b870b2e2dcff8198aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
7a5f5ea61798e8a540482e9f0b0b8da0

SHA1
48e093e9dffc626a75f75252484e326b5e569a63

SHA256
0310fff10081e02f2e222243c13fd7359c5308b099bfcd02642ca43f2a65b96c

SHA512
f5d61c042428c845f15460d7b0c22f1178642aea066a8c253badf7218624ec7bcdce76ceeb13cf70ee6a6b375fc7150e0ebe76263dfe0585641c454a41638e69

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
78ea1843365f7ad11cfc232400752db3

SHA1
676e853fc4210d83d581e79487f205f115647c56

SHA256
475b46ca6f953b467b3281313f42ca7bb6ad2edc0021cbbfc47c48ec021019c1

SHA512
15806b6fde0fa6a8ddf1230f1d0e0dcbd3150debac75c941d0da6ab010492f56a2d1059fadf827d1aebe5c725db6d302fadf0b6de1413b119e243f413d7c3880

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
a4b2510e34d689eb5c6e9d68633d8953

SHA1
049f4ae0acb2657da56e6e6c1ed238bd22f0abfe

SHA256
3807176c78e8e4bddd91bff3f64883951a4186a4ee1203deeb04765043b11a2d

SHA512
3fa555d1a163bf1494cd3d604b62a232fb5c6d33e761f7a3338d28bc75263889c8d8f7aa09497e2bb29d005d8a15960958a74a0facefbaa59cacf9ca5d8dbfd8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
510f994502435f40b61eebb6faa78986

SHA1
f2b7f58425557ed2f73cdc999328fdb6d0ac98ba

SHA256
ddc7a9fb5917c7c4eb6054b4aec5d973b03194d8381d2fb60ee0627bce920dac

SHA512
16ed219fc491d67480afe625307e53acaccc755753b39ccf3bdd578875b8b8e60bf58745dac073778672d41406f242527a26fb25b214fcfee26d8199e2957d65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
939d2fe10d65b83f2bc587c9b5c5fbb3

SHA1
959f47e3a927a7cb216e3ab5fe3aada767d05b6e

SHA256
257b966b6ca12a3dd4eedb08eea399e4ad4fe83aa254dfc2f292e57f01e05204

SHA512
c25ef670af6e07b8e010039fe226eb39cbb77a51713fd9d301bd45b7e47cef05fe3d6386cde4832dac5c393e265ae6dc681cdd0c4ad1c9be92b8790c536e8a71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
f340db4ec5d395960b0de05a2ec59641

SHA1
980db32e1bc8cfd7b68068543e169c3981a383da

SHA256
18dd598def5a39f1edceaf99af09482d6245a9e30b8c8d14281473d86956e5dc

SHA512
0c9a5b357afa6a865767095bc8f154cfae020948d5c34daf8fe8a17ed56416e9c2a2d16b7c4bfa581c08f04dc70eef8332ef74c9a0482c404014a9c102e40d9c

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
584KB

MD5
24ab532cf48bff7e1027ff265711f433

SHA1
8f231fc846e548c2ed8c7cc863d973f13ebc89c6

SHA256
469fc930acf3f5846877f61398c75b757c12f059624e95cfd00262ffe3b90c8f

SHA512
6e0fdc0562ac6253ace9be42426197eb03182b418cd5e70224c50fa251b19b1cd6e556d7e5d92bf9c9485748d6a11ca1ef68b4e792f3f1950ac7572f917b10e5

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
584KB

MD5
24ab532cf48bff7e1027ff265711f433

SHA1
8f231fc846e548c2ed8c7cc863d973f13ebc89c6

SHA256
469fc930acf3f5846877f61398c75b757c12f059624e95cfd00262ffe3b90c8f

SHA512
6e0fdc0562ac6253ace9be42426197eb03182b418cd5e70224c50fa251b19b1cd6e556d7e5d92bf9c9485748d6a11ca1ef68b4e792f3f1950ac7572f917b10e5

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AUTORUN.INF.exe

Filesize
586KB

MD5
a1a362a2a5632b586914286b8d62d938

SHA1
ed5679dca91a0251e362254426d6df56b2f5443a

SHA256
f78011e71c2d882a777f769a518123c13877cf79bcce3c2a363aa20f4a77eb88

SHA512
f350c0960ed6e453f171dbce60223504d1ae43a582be6f711e00ac80fa85dd97830424c606bde1e7419741d04e4638a4984e75f3bf902d58c2bf8ff29ea9c6ee

Download Submit
F:\AutoRun.exe

Filesize
585KB

MD5
9f18a76b4608000edc33bcc05f9ee79f

SHA1
a5e8d5d84d468cf7ac6d9a87fc86cd80e8fb9c67

SHA256
30f6ec96866ce0ea97e87da4aa5dde2156617a8ecef9091a5623465afaa87668

SHA512
67efa1f59ee67756d847d5a745cacc6a45dd70a4779c9d9f4cb57ec5dc73de4d17ac594018449884d329c184202e9ee725c1ea7d0d7c27569e1a5e56901a007f

Download Submit
F:\AutoRun.exe

Filesize
585KB

MD5
f1334ba4ffac39c0df566bcc6b5c5c6c

SHA1
dea070a650abacb26f0a76276dcd501828546b50

SHA256
9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64

SHA512
9dbb7c6e67a03fc0cb371b73ebd454a0216598b290eedbcd7fcd22686c4c26b862acd7af229a595e9c34397254156f083771d270de4bcc67ff0f77493cbbc5d2

Download Submit
memory/2184-6-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2184-57-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2184-287-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/4780-19-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/4780-0-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4780-1-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/4780-18-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download