3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a

Analysis

max time kernel
154s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-07-2022 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
Size

799KB
MD5

c2f3613cb5a3970dda3504d2d92a60a4
SHA1

76ad3d4267fc8c77d0606160d599b57fd9a2eb50
SHA256

3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a
SHA512

670b115b615eac3572eb60ac62e20d9108220011c5038e8a812562943e56ebe65254ba0acab16252b2e96b60fd7aec10b872f95fa27e7d33adaca4483594c9de

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exeHelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\$Recycle.Bin\S-1-5-21-1081944012-3634099177-1681222835-1000\desktop.ini.exe	aspack_v212_v242
C:\AutoRun.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

4964 HelpMe.exe

pid	process
4964	HelpMe.exe

Drops startup file 3 IoCs

Processes:

HelpMe.exe3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exeHelpMe.exe

description	ioc	process
File opened (read-only)	\??\G:	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File opened (read-only)	\??\O:	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File opened (read-only)	\??\P:	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File opened (read-only)	\??\S:	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File opened (read-only)	\??\Z:	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\A:	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File opened (read-only)	\??\B:	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File opened (read-only)	\??\I:	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File opened (read-only)	\??\Y:	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\E:	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File opened (read-only)	\??\H:	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File opened (read-only)	\??\V:	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File opened (read-only)	\??\X:	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\L:	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File opened (read-only)	\??\M:	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File opened (read-only)	\??\N:	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\F:	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\J:	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File opened (read-only)	\??\Q:	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\R:	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File opened (read-only)	\??\U:	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File opened (read-only)	\??\W:	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\K:	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File opened (read-only)	\??\T:	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File opened (read-only)	\??\P:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exeHelpMe.exe

description	ioc	process
File opened for modification	C:\AUTORUN.INF	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

Processes:

3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

Processes:

3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\glib-lite.dll.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.SF.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\ClearMount.mp3.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ja.pak.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\attach.dll.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\Welcome.html.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerConstraints.exsd.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome.dll.sig.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_100_percent.pak.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\gu.pak.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Content.xml.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\tr.pak.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssv.dll.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.ibm.icu_52.1.0.v201404241930.jar.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\MANIFEST.MF.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\pt-BR.pak.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.properties.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\topnav.gif.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\sawindbg.dll.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\jmxremote.access.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_zh_4.4.0.v20140623020002.jar.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.metadataprovider.exsd.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\cldrdata.jar.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodicon.gif.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Common Files\System\ado\msadox28.tlb.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dt_socket.dll.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\resource.dll.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_fr.jar.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jaas_nt.dll.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\dt.jar.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookicon.gif.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaremr.dll.mui.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\vi.pak.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkServerCP.bat.exe	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe

description	pid	process	target process
PID 404 wrote to memory of 4964	404	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe	HelpMe.exe
PID 404 wrote to memory of 4964	404	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe	HelpMe.exe
PID 404 wrote to memory of 4964	404	3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe
"C:\Users\Admin\AppData\Local\Temp\3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:4964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1081944012-3634099177-1681222835-1000\desktop.ini.exe
Filesize
800KB

MD5
2a5de8c21f6594dcc30688031bdb53d1

SHA1
43a4a89f00d31fb1543160805067acee420ad62a

SHA256
691e64e1b0c0c93c9772eebedcd39ae13ba07e40672ac38869c0d8eb69c31fe9

SHA512
7b2e3fe7b0a4e29a08fd74f352a8d558ba1acefcf3a4f352b4fdb3a3ad55c1b752ddf33330c04e3b0b913d515192e4084b04d5bdf40170b975c358fc897823af

Download Submit
C:\AutoRun.exe
Filesize
799KB

MD5
c2f3613cb5a3970dda3504d2d92a60a4

SHA1
76ad3d4267fc8c77d0606160d599b57fd9a2eb50

SHA256
3bbb61ea13ee812ecbe511d32ef43af42bb8199d2ce1ff2f46326591c8e7098a

SHA512
670b115b615eac3572eb60ac62e20d9108220011c5038e8a812562943e56ebe65254ba0acab16252b2e96b60fd7aec10b872f95fa27e7d33adaca4483594c9de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
1c5154a11eb32cf18b3b708c1cad3c1e

SHA1
6b4a808bb4044c6942f2584938f8c6b56c7a0389

SHA256
45bde6977f88babae1a55ae0c3d54d81dc2ac3efcc1a859476b1895c4268aa69

SHA512
0a969d0ff33612e9dd82e9103519800923914e6fcab1f5986b4c6fae470b2b5be017f3c3a30bdd778b848f30c6f5d3be78b05c61217cc1e43121c25c2daed532

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
fda16e565477aad39f40620337ddf77e

SHA1
a713814971c1ca4a82e4b080d187653ddb55a1b6

SHA256
2fdf72e6e0b734779c11915659b97a176378ca84fafbd9d3256f79b4685b2c1c

SHA512
d06285166c099f16bdbcda17d854f6534a6724e389a572c467d67b0a1ae365be9097e194db7b9d6a0b7f5eb9c9cde50fcb35defba3f5456ed3051a01f3b98b7b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
1f2d3f66111be5071c96d04762b6ec8b

SHA1
021e47610856a5ad40fc77f6e7060cb6247f88d8

SHA256
9169e52e6c1ffd937cb5e1b73c7586302bc21adc9c797ae6bc9dc004743d243d

SHA512
51ef0ca9fe0abaaab3d00949ad89cc8e539fca22af0e2d639d082d0a50830d4261e9000fbf1516882647e8cfba871bcfd4fdcc12411febae0926468d2e6e6edd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
8b4d563f9ac0503579c07280c2433b99

SHA1
c7bd286e148f4f7b54d76fd1132370c920dc844d

SHA256
93b7cd5e56dbbc9c633c5c4e2b1b5b63359374b5ee869dba5287248e6366b837

SHA512
835025d564cc6369736015c3adc078e7adcd90fcfeecb54769f146f7403706c9594acaee43317757bb4de03c2a48b5d99fb61087499b2a69640444eb37630a89

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
310b768a59bf5f118164f3cfab193e16

SHA1
85d0090cdfd81316852c471a4d42d25f95358267

SHA256
7a3d037177cf674ac9d2e7742a78bc6ab401c3ae35481d103ddfb8d5bce7b7f9

SHA512
16a52ba3d59a202ddaa6396e00e97dfc37fc6bbe72ac62cae77d8725d5030348a5bc5cc4416c7f0f21f5211a363d434c0e6b07def61c5f24bcaa438caf962998

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
25abfcc735015ec50a33b9acb27f1f6b

SHA1
9e41220a0c7446f956200ccc76aacf9365365325

SHA256
604ed404213ea2b0beda2d6ad10b7ec481a00dbd2d25ab3cf2d18ae70c876c49

SHA512
903241a93314488ffd8f5dac5bf93fc5d07efce8b82292697ff74e5037a5c44eba2494dcd928b37b19f9cdc5c0f85d478588b23fb79026bb015012c2e3491ea0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
e3bec66d42e3590876cde17a9915b1ef

SHA1
c1553ad0aeeaacad39b6662c13b489287ac552e4

SHA256
bd587a0f41df595a15108a1975fb42a924bbdc2bc6dccdf3bddb38bc59eb3427

SHA512
7b28ef7f019c7a9b4955a7e7869e7ee6d45c53a30406dbee2f6e00635f7f344cb44b73ff9c23382500d1d960c8dcbb8cca2457cee5d2352f8e6d1f983869f8b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
9e4710d35642c5b1ae7d4fb0fb5a6e77

SHA1
7d808fe87ac2c336410b1353449d58caee388e24

SHA256
4a3cbad78b9d1f86dcbc73e5e71c81f9db9b576739fd743dd3c738fcb30291f6

SHA512
f6fb664ce1d80632891da599cb7e82c47c1c21cdf6cc98d6fcc9806465ca2a1fa08717c505e918ab5557d087e48f5213c8c0f38cef9c13614bd2764e8bdb48d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
1cd95df0d7d1f72910a6e86e4e9c9fe1

SHA1
a4ce1b7210adf8ef6942c9d110bb6bf550316ca6

SHA256
fc1323093e232736ee03a6d606cfe72138e148c84144486861ba66544cf51d2c

SHA512
445441b49d09995653183a381221fa4b3ab82545e2c3376833a36160b07cf8f36d4db132238fcd7faa3a81a9a28c5a900b329e2900c0f6c751b59d372b733a53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
22a0f6fd8f5c222021d6cf200e8027ac

SHA1
36d3fe52c6c01553d613b4711fb5327d7a911e37

SHA256
f52aed41247f10dae099fa8665e7925653eed322f11c41f61f4e9cf1a5efaa55

SHA512
ce89582adb3fb407f3161339cf987f5138d343130ba12bf9f978ef1a8d8ff8129ce6befed7ac6c2af005659e7a453be1a7765c8f6c77644965be9fd0eed93d3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
34b47a92e91f21cea352b37666308225

SHA1
62db379b8d819e049c6a920f3e7b1823029d7a68

SHA256
1f5b555d743957830a649cdf173f6730573df00efd0619d57fcb01ec88441d09

SHA512
672a9eeab1007e5d5e896e0c26a492ce1b09a48ac052af1cedd9f7087f7c20067e201fa70aecae0bb3e90a744facd36d972c50901603a9913669def4f7f955d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
11ec1ed21aad81d64dbce751cbe136e1

SHA1
568283b8593fc8e0a80457ab87d4090909596056

SHA256
804f4056f1e0aa051ac7f6b5645ced5db5d6751d32b5e6ed34eecd9cf82583f8

SHA512
0f813600db92e24bd0aec6e20af87cfd2555b8230c9c32de1cf7dc168e253babb89a4b3e2317f51b635585d680e4e7f360ae40c21cf4e3b3d9e86b0982124ee3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
126b051adc9f882041973f8b36eef997

SHA1
fe9176b7c68e37b5bf676978aca70124750f663a

SHA256
c2f598129b3b7b67ffd6fecfa5e4ed8d9fcfd2067bb81f043d807cf4f1911e8e

SHA512
e72230cde6f8bfa9aa9a0ebe00450e5e6913ca97462c244527141b53f1b8bdfb7bc9283a54b458378b8a9845489faa758340cac2eaa458d7849196c3b5d99e14

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
24057e94c32a17d23d9775af0084d1c9

SHA1
2c2f526ecae322347d90b60c0f30790790146253

SHA256
dc88fc6235593f877d92ca05634cd6d792c58bf40ed042a810bf0d16c7ad0faf

SHA512
6c7d35a3c2edb6dea559ebab5996e263b733dfef6ee04570f5324dfee9f9b8635020a63778d53a0e4c2bcb6f1de98f369eeefc0591221a89fc55835c6c30feac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
aebeab63a01669297089f77f9d6ec73f

SHA1
36c2a667082614d69e64c2c8d90d92843c6b5d35

SHA256
8b521058cef3f9b184e44177a8c70e6644c3562e95da31dbb00811d058378680

SHA512
1ccb98827d34e822f25a5c82dd9ae7caec3c8bb011e1c13f679dfad867b76ffb6597c3a4e058a7b8754c3c9c5dee295ca26f8a0a04065887552e1662334f6dde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
bb513bab508146b710c47578050e764f

SHA1
84c7f0864754755ef9b4cccdb22c222c9e0cf7d9

SHA256
7b5a8f13d3ae5bf4ecd32dd0376f47475b12f98c3eb4bbd4e7e8922e46412fc2

SHA512
e3766dc0911bf01a97b0857891b9dde706f478b9da77d4451151847b8d693b7f5d0a544771f526927486ac8a183f57168193fc8c4aca8a82b6a781a5bffd0ff9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
c509899c37b69dba3463b09ed957493f

SHA1
9181ed88d53eaaacefd1abd610f6758b1c145ca3

SHA256
ae3c571b70e9327c0668cd187642fb875780e50d725b37aa5026d12326637d44

SHA512
ae7fb5d73a46343fee6da81d61fc4d7cf0ef065569938be972c14c4ce9e3e9f2d2bf3100d725326cba2ad30f0c496f3f57fe7c850e200184bace21a1cd2e1363

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
dc2014ed95d1059fc1bc5290fdb792db

SHA1
8eb7493a61005e56f54b74adc6aac110acfd9590

SHA256
342d3ed174b9d11f03409d317989f5642ca30a23728bcf20421b4e4d79b8180c

SHA512
dd3380903a7e4a8d19ad56641617a69ff878d9606f61e94dca61a4f1ed882d55e2d59b5c8714813058339a358c44f3415059667e3b76290849e1ab3cb7d47a67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
50a314ed7eed4e6e41597eee46ee466c

SHA1
d1159ca3fc5ce3b05888d9479bd4914a8f65af83

SHA256
f9898c894c3fb1af616ab08f616fb6dbbbcf2c24b28c92e9686865a45e674673

SHA512
3e44c3b494d19e3e52efe240ab42a7d612d073a2271d18e3ee79ac080a615086bc68919d7c13a60b1c23b5284d96d4d7f76dd28ef2b7660b7a26f9b34540ddd0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
4f3ba97361f04a99aa5348d4441aae1c

SHA1
8844f72c7b652e8f2a2f87f5a0238d8884c130a0

SHA256
32c11a0b1651e3f6b5ceff3c9735b16c9cc1b51a0c9165de6769d3347081b262

SHA512
9c1ac3fec39fc4e112e89c9951aa709202f925dd128a6d1fa82dfe7c7a62a1503b491c9d604490590288b04af4855072936d95218fcafb4c158e303c51eae63b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
6a31e8e315ebdaddb74863b2f87bd551

SHA1
0f4f878b285480f4728dae1aa78f520046ae4a47

SHA256
9b05b9845c82b4750b51ec7ce9553944bafe2078765284fc596bf934987850f1

SHA512
061a94c83cf6579b0dbc2aff807452264a95d81a08440d21f89099ed2bbb1868c71ad940fe4c0f0e2c8ea1c0450e6a7584b44b25159d220fffef374e09651b51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
d66bf55579d9934ec15aab337cbd010f

SHA1
b40618d0d5bb71ce1da8d0e1b3052f8ac9eb72b0

SHA256
58183728a14c421471340aa24e3c07f8d703daf0d62007e51ea9ec2fc8fbdf09

SHA512
96c1ac8cf82bd9c4bd56da6fbda9afe4d8bbab44f37d2acee4aefafd3ffc6ff3fe1b617648c9742bfb74eec9dae4b864c3cbdf8106ff63251f8bcd67a57f3cd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
e28457098e9dfbb4e967f84151b1f993

SHA1
09cd55e25e9f5e03beb98ec5c6107a15f0f3cba7

SHA256
d198ca28bf66da61abd022e7fd383de83cd36c5903f6be6296c1ab14f91ea34c

SHA512
5295d3aaf62a5279d8142218ddac536e5310c71085f3c3e1b10f09d743dc2aed5ba1fc407b7dba28755d1b4aa030e5f45ae6ed7334bec64a537fa153ef352d1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
1bbcf2c851619c305816d06889f51508

SHA1
8d004ff9ccc8ccd747e9cc79c46cb507b4f375c9

SHA256
22ba15cae463068dbbc443ab61aeb754e826f990ea3002954aac5d165aa20df7

SHA512
dabaf59adb0257bd7a327d9d8a86e300b59c0504613214d4fa9bcb0c4101741b5201787e5d5444d0adb42930ecee8f60cdcfd0208c0eeb1db2e46b31bf92bdb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
9450208306c246275570d543be2b3607

SHA1
f854b41cd583d935794e8fb650547d17284274b2

SHA256
f0616d886e032c0a13d40ba81403441d25b34a42051fa4ad7593cdc8812cd4c6

SHA512
291bf1d54e847a762cb46b1ea4ea81be7667eecdc5ce7089f6bf16359bb7881ca1df7366db72d2f2779a2c54cbd8cd122b1a92c1749bab99931bbcd9c95def96

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
0934021135a0f106e4ea25eff5cbbef3

SHA1
c35c7729a180de464e669c027d99fd9663f34311

SHA256
39228f4b063ebf50fd64bdc1e530583d0dc34cd2b9df9124d3e5d9b562f24691

SHA512
0bd73f32678640f65310f63123155a640e8e10959ee176128591265387d4c7288cf74d6650e57f3e78cc67e3a3a954bc57839efada8040603f19fdc62e48c32c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
3bdba2a91d27789aec26b441a7121778

SHA1
af3aa387c57d9e4bb86a600b05dd8ebfa7bbc615

SHA256
6db3d966013a85f204f7629a54fe3d2eb743ee0355bf4bdc2ad3533df8dcfd3d

SHA512
bfcd08908d46a56bcb67fd8ebbbf3c69ea1d8e840bf98d45b2ccb002adc18cfddaa904f8e7aced68ba5eb273433e2ca2936b3b6e919922556d55c5aae8f0d49a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
b1584c73c4892e2fdbf22d849dbbed93

SHA1
03c09b7b9d43b3423b74dc43610f7ccf31c45c82

SHA256
65489040eb40b135c6ffce46b4c2d2c7a25b9f53e3a637920793bbe0675dbc4e

SHA512
cccbc935ec725097200a3931e23818c1af974935009f694c0b3307ca9d7906f32324bf64e619f583f1649bb846a0fda20d94050543bfe42cc9b434c8e7189bc9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
86975ee23791951fd2e6fd931a8318c4

SHA1
380ba8b43353c28c9dce8859539c7ae8048c818a

SHA256
51a8f9e00fb18810effb7b019e2f9afebfeef7c8888dc5507d1d72453b938963

SHA512
90b0692a638dafa6790cbea7b5721fbe94bbd616a12e044c71d5644432be743da6c56ad732b990821812949a15664984d1c1e81f3e92396f6ec657899a2b39fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
667d937e707be9f4247e5df6366a060f

SHA1
c912e05a839a3c025dbcdc2f7f014dbaa37076f9

SHA256
1117381d330e91579cbbf02b1342624eef3d0d71971a3a94fe5e4a755844fa64

SHA512
f24537d3d3a013c4b41a357ad497625e9336ceb731f16a6f563d290edfd4cf1f6684c7b7bf417595cc75e13ddd7240311ac382719f1ba4e8fb078c403f0eb4cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
25311a0823bddbe67ea86d5f973cd725

SHA1
434a339efda3a5336427ab3008ba24fcc15f0679

SHA256
d4ca4ce12dfc52d8cb59efab4414924d96a518867a9b63f3c715b0265e58b8b6

SHA512
d8e1ae604c19bc26e6d06f4dff45368f2ffdac6b7a74240bf8849f43f7cc4c5df4985f88c9c8350382b293f186ff09560bf27b880ae4236021f189e112cdb56d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
d9cb5cfbf60fef41aaf31c9101b8f9fd

SHA1
838774a9b1fa0159e8b3ab8438681b755bb190a7

SHA256
92507a7689ab5982b1ff7b997f23b64b3bec945a7cfbc3b17a3300c3d5b62de9

SHA512
499b9b58f6816d01b6ac70f616eb2a14a8a23fc3b507bd45baa510b4188ebb0b9daf7e328a9f72a7204a55d6b399c3f622de0ef5e12a836088ad9313b39e4ef9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
afe8b2c14a38efea153283ff02e51b9e

SHA1
224ce87249f4236782e3c63986e8744b33d69497

SHA256
1c232690b01646298d5f0171dc77b78f938f6546b29feca8ede613afb9cd7508

SHA512
946d2872e89b99d2a05cb49048ed94d6c709eee240bbcc3fad64e80f263a3ae2b286eba9655dc6fb77050bb29a732d66e69d8d7003695a18d5ad5595c7c1bd7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
b3a4608d0fa6fac3adfcfd9cf9e3b87b

SHA1
1da123ced4aa133cc77bc81649518f3cfc617a2e

SHA256
2637a02f3619ca02dcc50068b69e3e1a61a01405488604d5046e03caec940a64

SHA512
279f5b1cdf4d6acad74d7d33c11e8abbd81566c2e3e07d68f35e2993a2b50cbbf6d0e6be327fab9c878d5434c64f6130d61dfc163dd2364c991153bdc88d717f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
6d2acee961ac621557a442bc1bd99d5b

SHA1
f5d8b08026410616c85f4c44226a07f1c4ea5e89

SHA256
f294f670944fbb1f3ce8a8d3e38b1e6e1bf5b0de4eec8f0ca17de60c1c33733b

SHA512
9b81a13aaf90b8ebbfb65969e724f72de965032a3d934312b868d78ac3a5745d71ac28c5c718929de17b2b055923d7da3159a2242452532c5bb4da11dca818d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
ebec2199568f0bcc78edc7b51542f5c7

SHA1
54e542dbe8cdc2639c4a197db4505437c9a14424

SHA256
4cbd935418b2e1bab5fd83a97297e5cdfb3230cd066150af4a98f25391ad71cb

SHA512
1c379c0e3793e5d2c37c8d5ac30a8a68c66eb303713162286c11a78aac35e1f9eedbdb9a0555656b1502762187799de9c2c24508c3b68b8427cd2b2adc6e33b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
9d6dda175964b4be6593927931f9041f

SHA1
f9d7f3095023b3a4d3ee18c31fcfe132a61d04fb

SHA256
ce4a1b2bfada33c578a09584af0c814d1fdc7bef31a675a9ac897e3fda07df0f

SHA512
812bb4f6a91ae6e65fa9883c9fe0f3cf3d0e0f1daae8845a4c62b14eae070658f794e336fcbcaad0412d52bfed506642dcad0d8a2f4772389cb00cb3809ac65b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
d8c6ab645e5e636140f4dbda0b900db5

SHA1
d71ee446ab2135efe7e0c2b16dbea11903582950

SHA256
57550b7040131677cd97678c542933428c733f99002992fc01a653cd93f84fbf

SHA512
64b140eae14dccb5027bbcf1ff9e14dcf309ea577e946fe018a2656311e1181575bf010070261d9d4a0138cef3d38d80bedbeae874ad99942944faa045db2866

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
d32d2d8cd98e89060b5aea40eaf714f5

SHA1
9354a1e1bce94ad7da6081ab5339c214a6b9b1ec

SHA256
47872aa57f41885595c0151bee41cf4683c28cc74bdacc88760923172e2503ff

SHA512
d8799d5972c5c16c4bad8ef1fe13e9043288854a0ec111574cf613ed5a39560e6ee1ad196bc428daf5753ae43e5c192a882368582974051a63a296aaef65dff5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
e6f76f536bc3c57768d796f371ed7e85

SHA1
8616e27dab530147e9118b992841053aad722c69

SHA256
00f460f54f6dd75b2bd37335a657a1ab21e163021d3564fad8d981d6762a1e1a

SHA512
0a428fbc6e06c70c57efc417358aefec559f12ab847e1af76c81c29ffcf8873517dd4227176e485cd10ae029a55297fa45293f0e0b7ce087f6fc200c685dde28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
755a58f2c278153623bda479452eb11b

SHA1
173517f49e0f0e67f9755437c8c0b7bc7c54323f

SHA256
9f7e22ea2e19b87201b990063e62749dd05082d934bb6a5fe6ef40d9ff818206

SHA512
a3ba92a89b6c270c4fef31915516233148a02229456e28b53b03367bf983115a1c52f2031e39c8ebdeb7bb1747572c388cf966fc3194fc82629b3c5b99844925

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
8e68e948b9423c9881c194b4f1968852

SHA1
ffb6af35b356722ed89c661a7d112cc11786c958

SHA256
d13889fa723246ce7e6bf6cfe524bf244ca1d657c497cf576b133ea3e84d79ed

SHA512
70da44f431a611493d85a2ab269b92e80b619bb0cbb25c0c05b77798f81dafdbdc2f695792385022bd56fb3eac278196f8d102ba3efbc32d786beaab1266ffb8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
5860fe0b13607797f0ec6e3af773a9d9

SHA1
63539c5f2fd35565ae4600e2e0f2569526b96e3f

SHA256
7f0dd03c738d3e627345ff4daa3a6218ebaff9e28d6bdcda248b8a0c5649c310

SHA512
6d1a3a19a841a7d1409a3328c06f8207115f57a985f18f08a255843880825e5adea2dd53ef4d0b42596099dc62fb8fab5bc77f7ccc5b9bbb0331af11292c6312

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
046c1241360bb0e47181ff111d3f02e7

SHA1
398fa30b4f0a8b1972766dd7c8ce30094072032b

SHA256
03d77f0eff62b603043fb5ad09ad4667e3e539b9f84278a4e76e8d859a973117

SHA512
b73b5195feee9364e758d9106200d79e461d7ce6ca8550b76f2245380b616b7c1a49ad5d488251147cb02b26d6e56a8199b9b33d3f24f991a20e8bdfc2ba62a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
f65014f416610f383ec047aee7c266de

SHA1
534641eed7f0ba19aa2ba0f99a7658996b70f58b

SHA256
171d8eb2ac3ed5c4d1a5c3f4ba0b976683d83d88e03d188afaae5a908cf57436

SHA512
37d48375adfbed6a7b8ee0a15e0ed084cfd309db455e5e0610b5317d80bf045575390f470ce5eb60610fc6d1a21b252dc50cff53b4a27c89af0d7f73203d695b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
7f7a737ae42102a4d019244ba9ebbbcc

SHA1
1de375043d4be956a61408d49c8479559db1800d

SHA256
a140e68dd7eb79dea15a6889a31c3f08f2408b7f13efdc76225f2fcdb38b8962

SHA512
7e87de2a93298b3fbbab94a724f376dceef5db5e4c71b5f8080ab9539cf9cf96c4876ddac7875fa09a711b89b20a6f8ab376ddb70106bd471d5e2c62f3cf1866

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
869b22babadff943830a82b42ccbe49e

SHA1
8761ade04cc9c9ce1f40cb63e6e4e33836d8d3ec

SHA256
0e9f3eeea9e0e39306639038be85c2e98a3a41fe1161e69feb1811634470cfcb

SHA512
440d6dce6a13d218298bfbbab468818ad7de641a3c262bd36ffa22f600fe6653865988bde3067c81f5af33c60c4075b8a527f88f7e4df38a78ac3390e49ae382

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
d18cf8f60a04e137ec32f0515e5c476d

SHA1
18940aed647513df5a0264d0a6ff4f80e317114c

SHA256
bdeca6c6eb1e948430071fcfec439c7154f710e924655bedea10b19ca671b959

SHA512
f87e880e5a365844537863da44d70658c7bab3a971bdbe74e371757d05f5e604f0196e47f23395903cec6a528c7d6792770583f8a1bf100f2f2ae0a9a71e10bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
3bbc5cc6d6f3371d817143c419522857

SHA1
42f41036b92c876e3eddfeed0c23cfd4d81616bb

SHA256
3ccf467e7a5e531c0597d0b499d1e0acb8368a62467a658962b710eccddc1cd7

SHA512
c997c5bc6e9f62a953bbf0c961abf7d8ba8c2519a5d299d99b1838f994d586b76714d08c186d4aec570c89a018ba6f9dbb7bbe6901becb3047b319956646090f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
1a91955ca7de8c3b83d095526e8c94d2

SHA1
e9146d49bd0171ae174af92980e60dfc17fdeb99

SHA256
49a4cb28afea8d2dd7123808a0bfd143b0d52994a2c3eb74ea32af134a9926de

SHA512
fbe8de0b99ddedb8216cc8464c56e2d0af9151e4e103018c7cdfcb001da26b572c5fc11cc487933d7fd40a67ce6821f1a5abc862311b99b42f2b8e920f4fa9a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
c639c512f5753bb665c1542ff70f852c

SHA1
bdb86df540a06c8d75083f5a9477961d9c16b788

SHA256
f40ed115e2a4168e4274516fa94ecc88a1676a5fe42c88dbe261738e3d8f4c2c

SHA512
518bc074bd07220ce99baee558fae135a58104a44d1f0c68d95b97d309133860816b02c324baeacb368c570a647b9978d5c02bf271eef2bb96602cef9b2c6712

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
fd5b338e2901960d1502ac151356a613

SHA1
b45ef69b89673caa82147cb0d589044d6804bc22

SHA256
a8801f1cb80b59e8571c3554de01ff6e6d6582b72f3f17f3c2db7fb6d2776388

SHA512
74dc9fd6d3bf8d1ad0172e935acf84c95dae7db06587350c0514cb814c9419d7b1caae6463880ff50ec4446d1cceaf6cde691c0cda0e85dcc0a257f3e92fee94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
9488f60f09b8dba7b19a0cb548573afb

SHA1
c985984572c5e1292a0e7fa48eb56d217e82d1a9

SHA256
5c3d40ed3f2c7ccc535bdc9bfc33c9f90f0c7341cb29be60e52f33068321a584

SHA512
c46aa27076b1dad171009ea29b0944672a7290f6fc85b90bc389ce1bd01bbd896579db8eab98fad795b13619df072416400718a91376b35e661e281f1c7c719d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
d4d75565cf4cc9c893a044f70aedee48

SHA1
84025e6b029ee14ddb374f6287e1d2b968e55f55

SHA256
e04db8d19ed536e9a6b034bc27ac966a3adbcec3ad1cc877d7a6f41e5492bea2

SHA512
db7c6680d4d17248f913c71652af9dff93f56bf510ba4576f959b26bea51f2f9fb62d384029e987aab86c5d1d82a853426ed87fea976f877345968cc08f8617d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
e13101c42de5ce9fb7e23648a438a152

SHA1
1da4f04a95b27b073780ccc705013ab4dde3b5d5

SHA256
7bab4d46676ae69badf0e616dbc518d71b77981fd70963aa058046294662e2f4

SHA512
5797f92387204a4aa3e718b5c8ba762db80e44f60fba10af6d174fbcec424e638ca997bbe5b4d49a1ee74f21ca95a7f583366ce9849c3f94b00a9d23a04aebd3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
d3e95a9a0a1fa0c54b68bef6383776d4

SHA1
42ce56100f894435d6622de5e157dc40e21d6704

SHA256
46ec010a6178c05a4cbefadf547b20ff9208035b869c9590ff19ecaece755ffc

SHA512
c607d11f8df32cf4fd5e575c48828f0fb0c177172b5c9ed66a460ac0a3e5b48dce5d2ceb390823632f7d0f8111f61a6d7a3009d992c3d55e8b52b8cff6716f23

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
606KB

MD5
f5c291dc4372f6ee6ecc385646272888

SHA1
92babb62ad886205ab7b90d458ba5487917bf055

SHA256
245106ede064726e057bb953c719ce01b8f32782db4903cefc0d389683c129d2

SHA512
9ab401ad8ddd888efaf72a359f528677f633c6aa74ca60a9186ef0a4a8206d720275b09af9ecc16722ecd7fa3730016cf804a97215544781182f0d267c08f474

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
606KB

MD5
f5c291dc4372f6ee6ecc385646272888

SHA1
92babb62ad886205ab7b90d458ba5487917bf055

SHA256
245106ede064726e057bb953c719ce01b8f32782db4903cefc0d389683c129d2

SHA512
9ab401ad8ddd888efaf72a359f528677f633c6aa74ca60a9186ef0a4a8206d720275b09af9ecc16722ecd7fa3730016cf804a97215544781182f0d267c08f474

Download Submit
memory/4964-130-0x0000000000000000-mapping.dmp

Download