3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b

Analysis

max time kernel
203s
max time network
212s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-07-2022 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
Size

974KB
MD5

9bf90eb205bc0d48aef2ea2cb604d513
SHA1

c50b85efe2530a3d17f11aca4520043f4d5fb643
SHA256

3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b
SHA512

228ccb385a9701ff9e9cbbb08cf36990511e3480488426f70ea8978a6c24bbb9d388a19c1ab552e1f2f4d59e8e534622a6517924e73bb77c892e2a916bb66c2f

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exeHelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\AutoRun.exe	aspack_v212_v242
C:\AutoRun.exe	aspack_v212_v242
C:\$Recycle.Bin\S-1-5-21-3751123196-3323558407-1869646069-1000\desktop.ini	aspack_v212_v242
C:\$Recycle.Bin\S-1-5-21-3751123196-3323558407-1869646069-1000\desktop.ini.exe	aspack_v212_v242
C:\odt\config.xml	aspack_v212_v242
C:\DumpStack.log.tmp	aspack_v212_v242
C:\AUTORUN.INF.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

3652 HelpMe.exe

pid	process
3652	HelpMe.exe

Drops startup file 3 IoCs

Processes:

HelpMe.exe3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exeHelpMe.exe

description	ioc	process
File opened (read-only)	\??\G:	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File opened (read-only)	\??\J:	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\O:	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File opened (read-only)	\??\R:	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File opened (read-only)	\??\T:	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File opened (read-only)	\??\V:	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File opened (read-only)	\??\W:	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\B:	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File opened (read-only)	\??\E:	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\H:	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File opened (read-only)	\??\N:	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File opened (read-only)	\??\S:	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File opened (read-only)	\??\Z:	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\K:	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File opened (read-only)	\??\L:	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File opened (read-only)	\??\P:	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File opened (read-only)	\??\X:	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\F:	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File opened (read-only)	\??\I:	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File opened (read-only)	\??\U:	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File opened (read-only)	\??\Y:	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\M:	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\A:	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File opened (read-only)	\??\Q:	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exeHelpMe.exe

description	ioc	process
File opened for modification	C:\AUTORUN.INF	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

Processes:

3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

Processes:

3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Lang\hi.txt.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipRes.dll.mui.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\7-Zip\7z.dll.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\7-Zip\7zG.exe.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.exe	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe

description	pid	process	target process
PID 3148 wrote to memory of 3652	3148	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe	HelpMe.exe
PID 3148 wrote to memory of 3652	3148	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe	HelpMe.exe
PID 3148 wrote to memory of 3652	3148	3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe
"C:\Users\Admin\AppData\Local\Temp\3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:3652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3751123196-3323558407-1869646069-1000\desktop.ini
Filesize
975KB

MD5
466289c648ecb560eda3f1af8cb7316b

SHA1
ea88be6dade98ca1f189882bce9551fe37e7764c

SHA256
95215b55a690b958ea7c11734af025b364275b9ceb885129db64c65c24e65c11

SHA512
bd2fa3f921099f0cf506aa92944af8a7d28750d2a0a5049660bf5b902396cfbca586fcf8e3ce83cb4a78f01a67e3c4cc0d08b4d0cd17db964097d255d0571218

Download Submit
C:\$Recycle.Bin\S-1-5-21-3751123196-3323558407-1869646069-1000\desktop.ini.exe
Filesize
975KB

MD5
466289c648ecb560eda3f1af8cb7316b

SHA1
ea88be6dade98ca1f189882bce9551fe37e7764c

SHA256
95215b55a690b958ea7c11734af025b364275b9ceb885129db64c65c24e65c11

SHA512
bd2fa3f921099f0cf506aa92944af8a7d28750d2a0a5049660bf5b902396cfbca586fcf8e3ce83cb4a78f01a67e3c4cc0d08b4d0cd17db964097d255d0571218

Download Submit
C:\AUTORUN.INF
Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AUTORUN.INF
Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AUTORUN.INF.exe
Filesize
974KB

MD5
924a1772e1dfb9276a46ce69ed851cf1

SHA1
8915ec953a27dc284c69fe5bbe52135ed9b25d40

SHA256
91206bf32c2aa55734a4ea7aaecb4c2c3214203080d27ce8f147ae474b5f3248

SHA512
dc2761e1a55b280624551e1260d5749c2b12f68f8dba528ce3733fdeebd143796778625017773af8eb84bee6c29c43e4049619387da0587c2107348f19a5063d

Download Submit
C:\AutoRun.exe
Filesize
974KB

MD5
9bf90eb205bc0d48aef2ea2cb604d513

SHA1
c50b85efe2530a3d17f11aca4520043f4d5fb643

SHA256
3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b

SHA512
228ccb385a9701ff9e9cbbb08cf36990511e3480488426f70ea8978a6c24bbb9d388a19c1ab552e1f2f4d59e8e534622a6517924e73bb77c892e2a916bb66c2f

Download Submit
C:\AutoRun.exe
Filesize
974KB

MD5
9bf90eb205bc0d48aef2ea2cb604d513

SHA1
c50b85efe2530a3d17f11aca4520043f4d5fb643

SHA256
3ba702c5569d6e6b76beb010d9ea0e1d6945135ca8699dacb4492c4be0bfeb6b

SHA512
228ccb385a9701ff9e9cbbb08cf36990511e3480488426f70ea8978a6c24bbb9d388a19c1ab552e1f2f4d59e8e534622a6517924e73bb77c892e2a916bb66c2f

Download Submit
C:\DumpStack.log.tmp
Filesize
983KB

MD5
3664b2498041c518657a730182283a8d

SHA1
60cf271824cab44b32d5abc9bdfca1cfc3eb14a9

SHA256
850e7e3e299fda973b9abd3852d5e58e5bd83215d37cf2f670fcced29c039a74

SHA512
885893ccb1c5ef51a6c75b9573b2f03ab9c3d4a27194b6b8292d894e929f190b990fcc24be8c0fefffb948a144697551c85bc5f1ea208f04defc9e87d879f3d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
43c8de671a8b1b9bf8154cc22c2ac883

SHA1
96832b040767b42c5d2e820508c1a1aa29c6cc99

SHA256
56d1b9c05ac1e13e42b011040f00f6acc1734343169929b6dee1fc6affb0f05b

SHA512
082073185dd7e9c90a121ba02de4d6dd5e0524c8888ecd06995e486851f4112cbbd1c3c47f673b7ef5ce425f01059a455d078b425476fdd5e32465c6fde5c4a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
ba124b5357e061642b8301252e4e1c9d

SHA1
09c4d3fe1955502b8dc371b851bba3270fe6d02a

SHA256
22707447cf57af3644abea786266a9d9337f68754ebbc5853abd1a2981347ea2

SHA512
4f333573b9d45b1681dd73919d18b434af9dc49d571b222a6da85909a904fb2d4047e4141d9f42f7693c43ab7ab0e23bc235c3aa991d1b1c7f4ca8d9cda0d364

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
ba124b5357e061642b8301252e4e1c9d

SHA1
09c4d3fe1955502b8dc371b851bba3270fe6d02a

SHA256
22707447cf57af3644abea786266a9d9337f68754ebbc5853abd1a2981347ea2

SHA512
4f333573b9d45b1681dd73919d18b434af9dc49d571b222a6da85909a904fb2d4047e4141d9f42f7693c43ab7ab0e23bc235c3aa991d1b1c7f4ca8d9cda0d364

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
a4a4c0cc01fad2e5d57c532da5237afc

SHA1
1d9a2fdc070b79a1f652193cb078a986bc7c1172

SHA256
1a6b3a25dc278edf6ed6f15d6df2a4ed1562c62f71438520945913fbd2c124b2

SHA512
92478b28c608dfd5f639ac999c2f7f96a798b50bda0c32b360b52277c5a7267d4e7af507beed5ec8701a367be0bad41001e004ecdac2668a2a22f607a5352757

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
51d7874568c7c23850db62382441be60

SHA1
39eb1da6fa36b1aafa6db879338333e3f12e44d1

SHA256
d1f514b4a9032e4972a07d382bd4ffd80d970c8b3e1e082e4c38e3d594c7d336

SHA512
7b67f59ffcc42f9161d1150617c8b4a7874eddbf38d3557562dd85b96b3cc80f9a8468f63650427dfda7f4776e86c7242da773716a17a17fd8bb96f3ced57036

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
cb4122b70302bd60c9794fad8b93a0d5

SHA1
37a290ff9e97078d094fe9cc6a0ea73ea20f978e

SHA256
68be18e6f5f080389b2feca7d36858c9ea272bd06e43057a361e2e6aa391337a

SHA512
d0f38e18dde3cd218118a7974b48ec7a0dac35eac7f1be7fe78a2023eb338d7cd9ac2e45735867aef4b25bf77a9fbde37c1181b62e42a4f1188c97c97dbbb399

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
cb4122b70302bd60c9794fad8b93a0d5

SHA1
37a290ff9e97078d094fe9cc6a0ea73ea20f978e

SHA256
68be18e6f5f080389b2feca7d36858c9ea272bd06e43057a361e2e6aa391337a

SHA512
d0f38e18dde3cd218118a7974b48ec7a0dac35eac7f1be7fe78a2023eb338d7cd9ac2e45735867aef4b25bf77a9fbde37c1181b62e42a4f1188c97c97dbbb399

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
ff40f8a27218e03e5764894346ac0872

SHA1
ebc99b49449b1aa02920b9e8ece4e24fda0de217

SHA256
879073f06bffd4c1af05cacbc52eb4f5691b5e79379508f33fbe20b14ebd8048

SHA512
fae79b94e406ded90a5d266fb68b4ce0b1f79b3e8984492729e71be568dca008b007d11b0d4fe71097d633d86eb95de607ec57c275e161313fa30e1be1449f21

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
d0b4adb45efd96a47619782c6413abf6

SHA1
f6aeca56167757a6ef827950e32c851422287306

SHA256
52d77e01bbadcad3c78827a6c86071b0e419c1efea4c6ecd9f7a1a8b206ecc36

SHA512
e7115524fc5f2f05b5644954e39961a7fdee1b018c7b61519dc23a6023eaea21d1dbad49679857d7fb9597b32125bad6996c3524b65bcd15a8462636c5d2c60c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
4074e8aecb9d37e59b3366a3179b4fd0

SHA1
dcd0bae6e30bc1b38a350a74ed250f252c94e366

SHA256
b52bc4234ce2c720132eaee10d59ee966af635b436b933d511915813672a9c35

SHA512
4d28d91f0125d715638a5af432e71e15610330205f39c0973ecfd820ba98a7b3247827f3ffd2d7e34c2cf1a29849b39cd58b408783a0dec147dbc901b58344f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
c360c7c4d0ec9d8415d0db15320604a5

SHA1
300c09d63310110d17fa1e6921f1a3915d6b7075

SHA256
79aace466ae7dd1b249e8eeff7724e58560d299020cfdcaff77351b05ad5c7f3

SHA512
3d79ee292af4bc972af0dd03119edb0ffe39a6fee314a66f86f773ea9c03ba4de6de2f4904512c340bc4ce9c09af1ad33b441af2f7c3c9b1d79bf71fe6fb55f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
e773ebaa3d068bef36bdc55d1d2139d4

SHA1
63a2b91603cd3f757ed3d9fec22f03176a4c9d54

SHA256
9f7234c304b9c2d99951b1565b86a1be2e581abedf9684be543870ba6923043a

SHA512
8ba8d5b736c96cf111ad3d2e0bfb3e51b45256bce47dd160e87e8cf7c79aec3e33fdb58b8d1af90778560d93d8cba5c6de332bbdb655eb8c352a1e349087cb7b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
0ea6c49e0807f543348ddafd84003b67

SHA1
e2f0acdc2619faddabd0619dbef5262113f80621

SHA256
e615d95fb249baa33646bc8b3490e30e535ed3f827c3e557c01259a11a677f19

SHA512
835825df54a2287316ba0765769c7a6e8aec47fb96271beebbc61612850cdb82d2d36483ae432ae3a4d9dacca52f20fe869bbce8e560e21e2ca30d0595f65f25

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
8f6e714fa9af3cddc48bb833e627cd00

SHA1
10a0a0142f6dc45fd126ac9817fb2d0c41bde5c2

SHA256
06674bcc13bafcdb23fd7dc2e3aee380d8593270ff842da449ab844c44dc1739

SHA512
cb7df7bc250f858ce239528821d8e850a72ecab21f1f7fc48323d4420861e79e9301c53ab12366abd188d7837ad167b70c0b766c51e350d82005cebcc49ee087

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
02ec01b1fd437623eadfaee89ed6b62a

SHA1
7e7cbe840d253b9dd613f3767df138dabc428f7f

SHA256
bf926175ce28c4133998e1da425933186cbf329cd9c1fb21132da7dc985b8966

SHA512
efc17623d0dfeb71a06971320421e22de8d04ddd91fa61ca065c836622f64eac42f5d92d8e0a25708351c0cc398c03d68f2ef56c67dccb83ae44c1c2da8532cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
02ec01b1fd437623eadfaee89ed6b62a

SHA1
7e7cbe840d253b9dd613f3767df138dabc428f7f

SHA256
bf926175ce28c4133998e1da425933186cbf329cd9c1fb21132da7dc985b8966

SHA512
efc17623d0dfeb71a06971320421e22de8d04ddd91fa61ca065c836622f64eac42f5d92d8e0a25708351c0cc398c03d68f2ef56c67dccb83ae44c1c2da8532cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
a7d9d39138ce7230e5bcde4d2f197f50

SHA1
82f65d0e72f3caa33f5be45404b7e56ed7d18086

SHA256
e0a88974e88ed5b9c786dd170aaf1a5d51de513e7c7138efd9fc31952e0b68fe

SHA512
2faba9778410420d47f5f70cf101352106ad0fc752e6fdad8640afc3ff605bcf00360d21dbebd15c48701bc1b8acc4e891b05a6f20c7c14b3d4808413edd6ffc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
d7391efb15dec1bbfa851fa3fc6bdd05

SHA1
a6f90652c48b0355e44a06d8dd1389c665bd121c

SHA256
34fb0c16e79d6c66631fa2579095307332f5947cd6ce13229d8d678a840a2933

SHA512
81f03c812c5893a5aa643aa96ff2ebe16435e0ee0cba0ea893354de98e2ebe8e0f53fe3104bfafce0ea55b3165a4fe9b199d39386834dfd2d454bbd19bcc1ad5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
cb1babcec3bac18aabea02d8842b26fe

SHA1
eea5a16aebdb72385e0c778241bd578cf8e024a8

SHA256
96de445a07835b9d3f8be385cf49250fcc3a540bd7ae96c704b313dd332ff780

SHA512
825d8e3e755c0b57df9885e99bb36bb4d4684486a87e7cbfd16b78f219b6596735aae427946a70c801e2a8be69024021fb2b0a18b72c167f934395a97dcc8fd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
a28d7b5f4e5155e58423db37f168b9a9

SHA1
ae8ef6910098febbfac5f63212324e7613e78eb1

SHA256
a68f6d4318058767fe9e15368400c740c2dd8674b4f1e4e4515c1b337c75e471

SHA512
ab1847e3bc540e605c1f9f256278eacd6d0c4bcacb1d799e25a9c7a940c4ace7daea0e5fe2abd4baeba82b60f6a9b55a4376dc1f0ca4cfb724dc1f867a2fb87d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
e3195985cb3556be38a5125855477aeb

SHA1
2900363947d426ccdd6e1b84f267aaad5775126b

SHA256
ad29d88486c952d41fab6467518355c22214da97856affe0239c06589f738e0b

SHA512
17deadbd2ce824d6259f97814a45291630d7eb63f883d029a56a4b85741f829dfffcac8f845eb05b38cff16bb724ba04b2d170179d36be04a0dd647637b28fb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
f2cde9cd8127c3464d128dad7d336774

SHA1
4e28a9f51dc25484781eee0f892d19abc2ab5d01

SHA256
a21ab87603f3df0f32106e24803ad77ff8f6dd0d146466829184a768c6fc81f8

SHA512
938893491b7e35e0ebf7094bd13b54c844f5a86bd0c4628d74625a7387c9e98351d2d31f5d8791a27c459895f8fa9d7a748425522e04e669114311df3e63fde2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
d8ba856ab49b22d294ba9ecbe3df570d

SHA1
fc6d86aa343905413da2a3b49b302c59a743cbb6

SHA256
d3bdac2e8c17b188fe38a1aa5e1329f26d8426187cbcd676245114ccc515f3c2

SHA512
844a075d43884a0b28573b65f975b09cde9e3cd0bca011e8f879066c1f6d5063c3ff3762adc7d05def32e05e7ca25f356c4703867904604ef540b097251d23a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
d8ba856ab49b22d294ba9ecbe3df570d

SHA1
fc6d86aa343905413da2a3b49b302c59a743cbb6

SHA256
d3bdac2e8c17b188fe38a1aa5e1329f26d8426187cbcd676245114ccc515f3c2

SHA512
844a075d43884a0b28573b65f975b09cde9e3cd0bca011e8f879066c1f6d5063c3ff3762adc7d05def32e05e7ca25f356c4703867904604ef540b097251d23a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
a668f4d52830c52b429bc776ba253dfc

SHA1
38a08b85a771e7b43c04c8250d1a74492e16c571

SHA256
33d469d4a650c8e3b412e9d14e0c20590500ee5ba2d54cd15aef65968657981b

SHA512
74b6bfa3a915c355e6e59fd30794fc641492eec2dbb823dc35ffbb27d39030b95f6b92c95d368ed81c4603a835f088d9a966b64baad298b9a13a3b83aa2b3cb3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
3ea98ccd86077508d9bb0450fca9217c

SHA1
a738c219af37413c6d6cbabeee7f40883810b0a2

SHA256
d3d5a4c5486b0b587ea780966d52041979c3fb7f5971f19a08a3f4a1bc2b6d32

SHA512
cdf444736b5041214bdc045c0516a4114881b1869eeea33a30dded28587b44e245dc01ee6229f76ac44dac3e7890c0294ee09cdb7d358ae2f2edc82bbd27318e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
47a7d193a4eecfef5466490f1b0bc578

SHA1
dee49c06f3b43b8bc0feb09030706ee9fdad07ef

SHA256
d3d4c9901122b4b2a09b48373d43f57ebce10c28d34dc754a08b9aa933c946a4

SHA512
5eed188fc7bac36c9a27e628b47158a473fafe93116cb968e97803f67d5034280c3a7f11f13f3122bde627f2a385dcd8c32eac79ddf649d01aebd4f0489a05f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
ba8085a33d73e058774b63efd4fd7bdb

SHA1
ca2db331bfc1c0676b0efc5a1941b1b927eda333

SHA256
6fc39b5e13227743998ba28b899f341d6dfe57019e6439873745819f5c569cf3

SHA512
3e2f32ef359e5229e9c414fa3cfb99849b6e3b3bd14e750cd018e4c13051aac784e6643f21c58360d0efad6de872a99fcf11b1e02b2543b8248ff98aea905dab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
3c105656e52d5be000a14b24e3d73f9f

SHA1
cb628aa8a733db6c8e6dc2a0af266f1d5fdfc2bb

SHA256
6c052f980417353ffc0a6d2121a99cbad89a415843e0027e3ed4c8958e8e9a49

SHA512
2a7167a1aff8775a7c64bcecaf76064809c6e4d950b19200b73da34b8f25f01c2f1c97783821cf624d5a39df00135688cbd511efb21cdc900848816a34f579a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
10bb95b8b3ae1dec9121c676d73fcba8

SHA1
1dbfcbbc76ef144852016e78dfb9cb44004205d3

SHA256
bfeb69f56df37e9fbf3e712822b73889056a6bc445602ddc794aa9eee5e97d4d

SHA512
f2bb9eb4bd8c7791c88275a9b6daa29a355edcd002a230136791916d6e16a493d803dea46c7c9577e5e1ff05bf8ce930e5ec1e002b82ce45152def94c33b250e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
3fa9578d727d0e7e7ba65a2c6cf9ab3b

SHA1
5ea878455f8e0500417f14a5692cc7f6690aa403

SHA256
3353f742e2996feb4611ae41c91e095b44d4bd5d4205cd39ab506890dfca0168

SHA512
e249709291401d9d5f5658dfae6ce7b8c6e2d66d2cb9fded8872e1c2bd4b6b4cf9eed517dc4220035c7ae9cab0928de406a525de9286947309dcf90786a78957

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
6991978dffffd54cbf7901e2de249f90

SHA1
08dd8b362553cf98161fc276dea7f8826b90356e

SHA256
a0100e4976bc161585cd51b13202ffeda327be7a28569b88b079b16b2e0db794

SHA512
09e6c60229eef7ad4041f39c9c904ccfadfee73db0baace50d02f5505f24bc4ee9e01bfefbff61633432b2106139fd655ed4f62aa8499ba50aedd2db1c5e0a42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
100ace840429542159cc4095ac8cd6dc

SHA1
052849ac925ff2ece45c49a95bf3853b942bd236

SHA256
883e4ce856659d62257796810361ae2b09c1d71269efa87a1757d120adf65ce9

SHA512
e6d5970a589c74ddf95ec833e8084a6178f712165c8376205572446796fc9cb66dfaa7357289e4c80ec7836835189942d1aeb3e493d96ca2956bd2d120c849fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
ba8e73572a5176cb790f5912206c6876

SHA1
258ed5e09ba6f0d0ed2a5f2a35c9c4480fb55b8a

SHA256
bd2ef6632d82924206ff596149cfcf3ec75c786bc6ec14b36cc18a6ddb7f2cbb

SHA512
64f7e968b30bbaddd2b799282e2eb640cfcd6d7aef82d4d9378e7f957630419976235ee14b73ec2169fbb5ed2ea137a8cb41eee4fabc3a23c5189f657e99b27c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
74c837377612c7613d109613511eb1f4

SHA1
1da7b660a6d431f81e2acc5f39921d73c129c755

SHA256
39e51d48d7dc7ea7c0d7fffaa48984ca517aecde3e3a89bf0f839b4faccded8f

SHA512
b8c5dfa40a047eedae20c435a3ef52e8b44e35042890bc117b3b326db4b8e2e9fd4f5e7a2a7ccd6ebd91dabe893f77ed7fb49aa40bcfe8d5a46f5516e914cdb3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
b7ae5cd8939ad1c48f88867685e53cdb

SHA1
0608b1bca68d4ec561cbc3bc68343303ac7e1f70

SHA256
4e5fa86a48a770ba42ed8b31442b1fb5824159c121299926ae296611144777bc

SHA512
92e6877ae81e07ae0c2f53bccd00c956ad8c58e2964fe374faea30036572d860435b87f1d54c70868651bcd486c914ef1ec97c34122f6aa1412077a0aa90b4ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
00e4b21f8f4d34d739b834d57c76e8ef

SHA1
e01cb2a913006bf96af64432b24116ee16215045

SHA256
1b4d5460010210482b0ac6ef24885ea011d56ecb03f92f4f1bec35f8b3ec8101

SHA512
85a841b26ffbc48a20fe6402b564648046ac59b4aca165f4db56b4173855ec580b7f16c19fda067bfc88398ef10bf0e2683f99b87a38ed3b51d6df6c93a18d55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
c5895f8a14fb3123f8eb22e05d9b4de5

SHA1
bd60f7df6aa0cae96e5eee71612be582d26a6a94

SHA256
8628514db4279e335d18e723eddb1b3849e263dcb7420823d1627e505aae510c

SHA512
98ef8ae4619778fd78c922a548822b64af593b3a9266bf2a0939c08e020d04ba15cbab0c3087a5759802647d0cbe6fffd4f0bcf866b21c0ca0e9f1b0db7b7c05

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
2fd57d897de7ce65a3b46550c94bff59

SHA1
3e1c06615274a194905e0397fbf0be49099490f6

SHA256
50212b9fd63a19012fd6e23e8fc0cffb1cf3d58cd4b8a3c4d79dbf78073e46e2

SHA512
237e4c28bd3e93fe2567202c79b73cc04c681ba3dbd2dfab693746af99f8faa64686cbfc25346de00fe12d05afb5cbe8526c0f36f3d217cebc2180e9ee2e94e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
974KB

MD5
d64e3a3e79bc2950b8615374c464ff3f

SHA1
2ab15f394722f836475cf4a665f2664a7ac129b1

SHA256
6bcf37275d2cf513490ecdeda2a32577eaf8288aa5d0e5623a49313e0b9caa7b

SHA512
b06f6b4fda66200ddddac96732c499da847b9c4ea0f0c32874fcc7651b0d99716233963a7570ee3ade5b7bd88669079a4a41d90821f9dce58e9679307a64bcc2

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
974KB

MD5
d64e3a3e79bc2950b8615374c464ff3f

SHA1
2ab15f394722f836475cf4a665f2664a7ac129b1

SHA256
6bcf37275d2cf513490ecdeda2a32577eaf8288aa5d0e5623a49313e0b9caa7b

SHA512
b06f6b4fda66200ddddac96732c499da847b9c4ea0f0c32874fcc7651b0d99716233963a7570ee3ade5b7bd88669079a4a41d90821f9dce58e9679307a64bcc2

Download Submit
C:\odt\config.xml
Filesize
976KB

MD5
48be1aaf51daa5f57abd926b5c6ac343

SHA1
996323c1df023117cbc032e82cdabfdddaaf62a5

SHA256
eee21a1579c60fbd94eb3a9c27ebcaa01e752a57d2d56f878ab008d4421f6548

SHA512
67faf9087fd710b1bb93ea1dc1945172aac2add0b64e0db1a0d9b1b1ffd21135f99c6f88eb5d2b37d0c5961ee341918cf9c2ccecd29c925c62368b1a004fa216

Download Submit
memory/3652-131-0x0000000000000000-mapping.dmp

Download