3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5

Analysis

max time kernel
149s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-07-2022 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe
Size

960KB
MD5

958c0908a5bf3c08105bc71e54e5fb1b
SHA1

a472b13b5318e2cdecc87cbaec35df5d6ef645c5
SHA256

3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5
SHA512

e30d937a8b935e57a48dbcffe1f28e78b7d2b59ca05f7b6c138c9a858acf82d728e720297cdd2c62c26341ac97005fee4c2efd8fa6683b687a28ee059efa50e2

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

HelpMe.exe3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\$Recycle.Bin\S-1-5-21-3751123196-3323558407-1869646069-1000\desktop.ini.exe	aspack_v212_v242
C:\AutoRun.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

1044 HelpMe.exe

pid	process
1044	HelpMe.exe

Drops startup file 3 IoCs

Processes:

HelpMe.exe3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

HelpMe.exe3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe

description	ioc	process
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\B:	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe
File opened (read-only)	\??\F:	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe
File opened (read-only)	\??\M:	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe
File opened (read-only)	\??\S:	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\H:	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe
File opened (read-only)	\??\J:	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe
File opened (read-only)	\??\W:	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe
File opened (read-only)	\??\Z:	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\P:	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe
File opened (read-only)	\??\V:	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe
File opened (read-only)	\??\X:	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\Q:	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\E:	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe
File opened (read-only)	\??\O:	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe
File opened (read-only)	\??\R:	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe
File opened (read-only)	\??\U:	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\A:	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe
File opened (read-only)	\??\G:	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe
File opened (read-only)	\??\I:	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe
File opened (read-only)	\??\N:	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\K:	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe
File opened (read-only)	\??\L:	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe
File opened (read-only)	\??\T:	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe
File opened (read-only)	\??\Y:	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

HelpMe.exe3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe

description	ioc	process
File opened for modification	C:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe

Drops file in System32 directory 2 IoCs

Processes:

3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

Processes:

HelpMe.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Lang\it.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\7zFM.exe.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\descript.ion.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.exe	HelpMe.exe
File created	C:\Program Files\BackupMount.crw.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\7z.sfx.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\sq.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\7-zip.chm.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\7z.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe

description	pid	process	target process
PID 2440 wrote to memory of 1044	2440	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe	HelpMe.exe
PID 2440 wrote to memory of 1044	2440	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe	HelpMe.exe
PID 2440 wrote to memory of 1044	2440	3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe
"C:\Users\Admin\AppData\Local\Temp\3c0b18bee9c6ad38c7d786f83e5e658691d89f72699e4b9680de14dd09e2d2b5.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3751123196-3323558407-1869646069-1000\desktop.ini.exe
Filesize
960KB

MD5
7b5a034481fa2f7cecf86e56800d1c9e

SHA1
918c3afa6f87ce0abe309e6ddb52dd00f551d646

SHA256
686ca30f7b6d92227cdf356cd8aa5edc750688e769a5e7200bbd4d27b41d30a3

SHA512
54a695abbe03d9f442ace6466e09dcb4cdce2bff7bf7395fd18ee74795ab163bbd86c1abc7d001424fef4178aecfd10218c132752ed59db912aa061864e91000

Download Submit
C:\AutoRun.exe
Filesize
960KB

MD5
9780c064bb1bc5050753c1fbddaf5d45

SHA1
9fc37fe35974eed450f98df2d71bfa8192972d82

SHA256
5a4380262db457e8b7f78f15862299b859596daac9c80cc26cfe0ea9953c43b0

SHA512
8a59eee5b3fe44ca6a82c0b8a6262456c8d26bbfdd892f5d5621e36f985fd30d70395a74ca18ea23ba978dfc1c8734ee5322dcc20a946898033579fa814b70fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
b7c7d5c206683eb8a0b16f502d551442

SHA1
2f897456a1db2a77f6524b9b80364680c3e96bfb

SHA256
c81cdd83f5d9c168e8b359e1dc517cca5708e5ff23b33e5a3c8915f7341906a1

SHA512
4d8438d044364e726e8743344408892c74f74a22533256bbcff7e42a7af56a6adfaf305b7781f60fea4155d20c86843425aa24f4510b9b6a7aa397db129c0a8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
fd8d87e81b88fc03a874789d66dcd7f9

SHA1
604a7f15ff377f34e6de4181a54437c45d5ee93f

SHA256
4744723f444523ab0d6f401dfc7f447bad4f0ac3adaf1fe087d95d6895d8c5ce

SHA512
961579f74e7da569e32277d4b510aa8bd01ef41cb16f84a3f9274fc6d4f0ffbff65a6e897e8b797f372d8b25d3fcc70c2c08748eb4fe6f0d75531c030afb256a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
979b0c5c1b3ce674ca955369dd6b37fb

SHA1
8284a5460159113f2f8f5671fbd211d8a8b7a2b7

SHA256
43f0667649ad9a53c7bd227e27bf3dc33bee447039fbe61422c00767fb52fd1a

SHA512
a4c23e86bc66906c2e9f2fff6bf6dfb2f649b3eafc35e5a6adc80ee6d774850ec91d99c78c354c431832ab6d64c2a6f4a5af6dac24b665df2e6100bf06621e9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
9131d406e281d714d0575fb34c2326eb

SHA1
d1f7df7af2751318dad3a02e57efde4b8125ea72

SHA256
450b206379264b73c02c765f2de003eead421c571fbc96256b49200003a86c3b

SHA512
25263b54f7e25941690cf4d677485ec9e0fb08c8fab8383d4a4447d2f3df5c7d63f8b26e583df630dfbbca7d7f5d2b1a78c6edcbdf3b084bc12e676740f7e231

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
44e320423219137d1b49715e7683bc01

SHA1
d5b85fa92b74d9018dffa9ae297945f6976756a7

SHA256
1c17d9b08a0330668028dd10248629cbe9c4e9825a32732bc2794b62546cb16a

SHA512
326f5564ec941bd232ad9390bed6358bfeddb817aac8a6560543748d01943facb02619c9cf6dce998c5ca8742a201daa932258f7de364bdc0796e27d4ff8c22f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
e6be569ab42334f4a2f30a23954f2e4a

SHA1
d1a12b2f81933eaf36ebb0de47ffa1c4edfd4b84

SHA256
a2a846456259a3cedbc5166cf36371381419b107512407028010ae7a11287a65

SHA512
65553ba71122927e9145d1ce5d8d2209b21a2dcce8e50e754e998991ffd541263e91c36e244b696a9af5e3256a514ee672dc2fd41d9102e78bffc70a7bb23a43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
8d15140377d94628edbceb57ac465687

SHA1
cf7f927533306f9a909715f2e7bbda3359752d68

SHA256
e8377eb29e10703e748a3dbfa3870da25f396106340df99322d13a020eed32f3

SHA512
980bdd2c66090e288d18d9c9e21a301f32d643609be29795003acb734263262e361610915146b423cbdc65c1b26595366423e475e9aa69dc84f79a2aa101bb25

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
81a5bba15fa5149105446dfac1772d27

SHA1
4938036d15b731d4feb45ee739d5530f718851b4

SHA256
2e2ac9c4374fd5ccabde7c88c86028339afff9e6dc1617249726cb58d387a57a

SHA512
75c7f65550f6e23c4ed80781cd6f350e6c7a22b5da7037dfd6ddca6994767a1b6cf5f0851689b985b13e4b688093dd7d47fdd22417f7c8294458d5977f23a713

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
cf3baf4b0e040a62110c95d4459ff72a

SHA1
2601856fd3e6c51a2539516a92faf88d99f2c5aa

SHA256
4b885036f8c95a7d80a57ec01c0ea13f1e06c4029fd11b123afad1a2d479e2d3

SHA512
f88af3787f37c5b5809afcffd2a05490ca7f6146a4221fcc0a7fafba1e4b1f5de6120e6562a2310e03f6caf9cf815e137dede0da046507175a5ad048897228cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
593f26989a8e30914217586488d9dd83

SHA1
58fcdb58018c8aa20c2a3e933df8b9ebf4365e6e

SHA256
f4167d2f87c64432fd64eb8a0e9fb58a8ec62cb46b147f5968d777fcf763c230

SHA512
510381f265829569bbbd8b7b9da4fffbac0be3f7dff66767ca8bc380a1b6aef533e163ccbff04d9d2063f42d0145e944e46c59983874f2783542c65d804b1d18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
593f26989a8e30914217586488d9dd83

SHA1
58fcdb58018c8aa20c2a3e933df8b9ebf4365e6e

SHA256
f4167d2f87c64432fd64eb8a0e9fb58a8ec62cb46b147f5968d777fcf763c230

SHA512
510381f265829569bbbd8b7b9da4fffbac0be3f7dff66767ca8bc380a1b6aef533e163ccbff04d9d2063f42d0145e944e46c59983874f2783542c65d804b1d18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
4b8a29a74674bc658cf8b60cb190ab56

SHA1
abb38aec9e63e5c81bd95295147d82c0701661d8

SHA256
4388ffeed1b68b68ef2ac8386e879bb9ec536886cca8e994e4382d1385c389af

SHA512
7c430b216f674b76a3dc641eda231850e5ecedae26df9c3a523f6aefd8c57bcac7b9df2d09b2b6198e84fc1d655693d251acaa10a4c733ba43caa32b5d21815f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
e4812d2a543f3f26bbab69424af71cfb

SHA1
59e3442e89dda2f9b7384610d16964f340850081

SHA256
f707509ff6ce05f944336fa14e17dc6d70e2146c3516915342b1b0f4a95bb835

SHA512
aa9e1dacf2bd5313bafc4a0f2cac37e744931b3cf2f4cf6af0250d81e69b3ddcd02476bbd8c0434852ae862758f7c7975d567f3a68de55104a9686020fdc3a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
135286f18c44b52355048a2963d8b5bd

SHA1
0e002a886a1effc0fe941ae299a013126c494528

SHA256
dc241c6edd7f3b84f12e36abf1875583c94a499c314f10f25996ea9bc13f034f

SHA512
2fb2b87c30f06c553c9dadd8e8960675068253b21d2c17cc91f87c704ca5c24d8f18b48e42f336338ee0c6035b1eb3f9ea5786bad8f042fd98a59b2c177a93d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
135286f18c44b52355048a2963d8b5bd

SHA1
0e002a886a1effc0fe941ae299a013126c494528

SHA256
dc241c6edd7f3b84f12e36abf1875583c94a499c314f10f25996ea9bc13f034f

SHA512
2fb2b87c30f06c553c9dadd8e8960675068253b21d2c17cc91f87c704ca5c24d8f18b48e42f336338ee0c6035b1eb3f9ea5786bad8f042fd98a59b2c177a93d9

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
960KB

MD5
9780c064bb1bc5050753c1fbddaf5d45

SHA1
9fc37fe35974eed450f98df2d71bfa8192972d82

SHA256
5a4380262db457e8b7f78f15862299b859596daac9c80cc26cfe0ea9953c43b0

SHA512
8a59eee5b3fe44ca6a82c0b8a6262456c8d26bbfdd892f5d5621e36f985fd30d70395a74ca18ea23ba978dfc1c8734ee5322dcc20a946898033579fa814b70fa

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
960KB

MD5
9780c064bb1bc5050753c1fbddaf5d45

SHA1
9fc37fe35974eed450f98df2d71bfa8192972d82

SHA256
5a4380262db457e8b7f78f15862299b859596daac9c80cc26cfe0ea9953c43b0

SHA512
8a59eee5b3fe44ca6a82c0b8a6262456c8d26bbfdd892f5d5621e36f985fd30d70395a74ca18ea23ba978dfc1c8734ee5322dcc20a946898033579fa814b70fa

Download Submit
memory/1044-130-0x0000000000000000-mapping.dmp

Download