3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17

Analysis

max time kernel
152s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-07-2022 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
Size

947KB
MD5

da7f72ec43188019a4c279bef8f4b0ca
SHA1

4f6fc481cd01fea0c261fdb83ac663bcfbe2a753
SHA256

3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17
SHA512

bc96cd25cd21f211c34d53b4f22b6ce4ad5aef1c30a6be10c7d12c634158d73515d9af81fe3aa528e7a539b5a3237287090ccc8d2196374a0bf73b9ffb10b622

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

HelpMe.exe3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\$Recycle.Bin\S-1-5-21-2632097139-1792035885-811742494-1000\desktop.ini.exe	aspack_v212_v242
C:\AutoRun.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

3140 HelpMe.exe

pid	process
3140	HelpMe.exe

Drops startup file 3 IoCs

Processes:

3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exeHelpMe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

HelpMe.exe3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe

description	ioc	process
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\V:	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
File opened (read-only)	\??\I:	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\A:	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
File opened (read-only)	\??\G:	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
File opened (read-only)	\??\T:	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
File opened (read-only)	\??\Z:	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\K:	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
File opened (read-only)	\??\N:	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
File opened (read-only)	\??\O:	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\L:	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\P:	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
File opened (read-only)	\??\R:	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
File opened (read-only)	\??\U:	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\M:	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
File opened (read-only)	\??\S:	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\E:	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
File opened (read-only)	\??\Y:	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\F:	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\B:	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
File opened (read-only)	\??\H:	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
File opened (read-only)	\??\J:	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Q:	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
File opened (read-only)	\??\W:	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
File opened (read-only)	\??\X:	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

HelpMe.exe3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe

description	ioc	process
File opened for modification	C:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe

Drops file in System32 directory 2 IoCs

Processes:

3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

Processes:

HelpMe.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.exe	HelpMe.exe
File created	C:\Program Files\GetCopy.M2V.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jfxmedia.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipskor.xml.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\v8_context_snapshot.bin.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\msvcr100.dll.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\dblook.bat.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkServerCP.bat.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\startNetworkServer.bat.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipRes.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\prism_d3d.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll.exe	HelpMe.exe
File created	C:\Program Files\Internet Explorer\hmmapi.dll.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javafx_iio.dll.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\prism_common.dll.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\sawindbg.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\mr.pak.exe	HelpMe.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoDev.png.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.exe	HelpMe.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\he.pak.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\javafx-src.zip.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\cs.pak.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javafx_font.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll.exe	HelpMe.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ro.pak.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\tipresx.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\th.pak.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsPlugin.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jfxwebkit.dll.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jsdt.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe

description	pid	process	target process
PID 3236 wrote to memory of 3140	3236	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe	HelpMe.exe
PID 3236 wrote to memory of 3140	3236	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe	HelpMe.exe
PID 3236 wrote to memory of 3140	3236	3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe
"C:\Users\Admin\AppData\Local\Temp\3b9a7563843e7ad41a68f3e91e85eb711eb25916fb9d2781e7f533ba4e6aeb17.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3236

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
PID:3140

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2632097139-1792035885-811742494-1000\desktop.ini.exe
Filesize
947KB

MD5
0a47c62e3313037893b436c4352895be

SHA1
fa01a73c9c3bb68d2ad4c83a433aa9d136148f35

SHA256
3a99081eff386dfc6edf8bcb88011b6be005bcd70859f863819bda8a36de7fb7

SHA512
bfbb5214204fa8be706dd43dca417649c4358982f1f5659cd65ae9ed7df9ef855b7f7bf0e2d6c95e58e75f71fc5a2f5009b95a8a30f077f29bff8ef1125ce17e

Download Submit
C:\AutoRun.exe
Filesize
946KB

MD5
950a578da2e010ecd35442453be24521

SHA1
1d036dbffba6cf4a89bd4fa363b68f874530ed29

SHA256
020f42fa502e180ef726ba7024165dbbf7fb5886e5f46ee493886d4ae1982e3e

SHA512
d9823430c544595db1f4eee121fc0ce1ca35e025f3e78858e59cfc51fb8fbcd94f993a19c1f8a3042020634026db12301cc2f095755ec31819f43a3318f90ef6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
138f505362538ee2e6e3a99d73302cfb

SHA1
5738d01c01e8290466d6ddfc28aa0523f8fe9826

SHA256
a198ac78230458d398214c48c935195e3e44f892d6ad6560293fbe8669b5b15a

SHA512
8c4135be4865c5e4ec73b61c07d8a9c7edd98ac3289c6bbfc7e12a4dd3a0d8e89e989ac75285a4771f7a7c4af508101bf836f8573dcd02f97f0ee837443b1d55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
4f00bb8cf131bf39d32ff04e32e050d1

SHA1
786ee131952a5a6e4fb68ddf524c200b0c71f656

SHA256
9337fe13c04ebd2422f9c8bff124d62ed3d1f119b27292cf277de643b191ba1b

SHA512
accd1fcee1a5061678508c686adcf2ab8af4c6714b90f20f8e9206c1da21995c8ced8e8415cbf11fa4429835f76d114ccff6707b7c6f774d8960055603a15c62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
29c88116ced89ccee429c653e0ead530

SHA1
072c38073d27c61419ac61e78e7eaef88845f93c

SHA256
4539c7051333775b8db809d94e2c107223aa8798384c1a64057755b184dec500

SHA512
9a9c6045d17036d9d97a6e8d66676280a4c7c9824a0abb821e4d6285a178078bb1524373160542bc5f95a6c5899ac3e2f61dc0db48935180c461df96c41e3c2a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
5f61b5ab86606fd343b2a455d362b72d

SHA1
3f287e3e76fb286331fb65d68cb226b296f87133

SHA256
b3c650db22378dbd9908e29a2bfea9d3d607be9e9f5d97f2dd6d60fe912462ff

SHA512
77e289e55d02320d7ec9ac25fe9622f03bb55019adfc9e937b4b6a9341441e39b7d98a1f484ea75e7513cce84f93e5b65ee2cbf06cda642cc898ed338278c856

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
aad7618742d8a313e8864d15faf971a7

SHA1
d0ec8abbaeddb38fdc4a4ddaa61aa0cb2ec55c99

SHA256
1e87e646a572e624db097f9b69a11a8a4b1cc0d838298eae2fce6d1de9868093

SHA512
e43543d162171a8be50e268cbb8ab63ff0b2524888a66315492a4a171338705a98baed265141b072385fb15feb9eb88c3b2c991ee2b2ee4a99d61e5c8b9b771a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
aad7618742d8a313e8864d15faf971a7

SHA1
d0ec8abbaeddb38fdc4a4ddaa61aa0cb2ec55c99

SHA256
1e87e646a572e624db097f9b69a11a8a4b1cc0d838298eae2fce6d1de9868093

SHA512
e43543d162171a8be50e268cbb8ab63ff0b2524888a66315492a4a171338705a98baed265141b072385fb15feb9eb88c3b2c991ee2b2ee4a99d61e5c8b9b771a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
29a6a2388565ce4b721159a89d7efb49

SHA1
1c63af26ef4e484dc2d2b2eb42ab3f2338254ee7

SHA256
214f8899cd3249a2c7ec315deedc03244499d0d74d0d597c0c8e374bd4cc0ab8

SHA512
7d5bf586f0d3a167545d23224d4a95f0f3f5fcb9ddd089f9fd795171e42d0e786f25e7c75bc7e3534eac4989201dec2eb58366181ff489626891d93f2ac9a83a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
3bf7438ba7e476af8bff67d1127f6270

SHA1
108b2afd1f4a076a4d071606d782dcbcadf5e2da

SHA256
b080bfeb0e40449808f348b0a45b7337aedb2da073a6d1cd7e429cd3d37f5f75

SHA512
b6224ac0f60adc782ba95760822c57d8cf93e645fd0e95e393317dc547fac5ab59aaefe5c9c7443def4101df8475807ae5f292cef202fe05ed54126f9e661578

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
43745bc6cbccf7f7610b410098e7f195

SHA1
c5c2fd91cbd613790be46da135b002d5f467245d

SHA256
0cd51b81548049acb3f87f9e63fa3e3674a663e9659d296c215556a4e310057e

SHA512
814c49a965d28cdf0c5d3a3c6d8fa434315a1fcc65b7bf30448ea32ce8c9b660b2b8d63ebaf8c775935fd214fbfc4694dca731b8c92da0e4364d7e5cb736736d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
8153e49833fa6429bacf280e930efc73

SHA1
87871b5024a71df01b5ae73ebe35ba00ad648a4f

SHA256
01ca0b92670f2065d0b4c5dc3c6a4069a3a9c59297068765e410ff11baa8acfe

SHA512
2012d260e46b526ef1cabbb1338b06ff8cf8bac4738b30be78edea944df0fe54e617a722fb0841eff1e9f4bd8e0f9cc2c4dac9f79ffb0d4e877aa3a79621ff85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
fca531f957a34f769e8ddf2ba1aac15e

SHA1
11113e67fa96e39aafa34b63f1436e38bcd46cb5

SHA256
7ad40554f37ec5b38069ecfa37622365579a1e3d33e7a63ff2eb9816b2101dee

SHA512
0ed9350855b8dc537173b5d8a88eca631ed5bc07c4f314c22d519afac1156c7013924eaf4c983bec2bd57510578ec5cf0374ceb4f459272bff4390a869ba190a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
5ddf498cf37c38e2cd9264af00ace815

SHA1
50e78961f5c3f3f1251ee039cccd0bd20bb3298f

SHA256
f783a335f5d18a291d58083ee4fa9a6a4ae8c9447ed2cdba9c2a7d49163020c1

SHA512
cfaaf42b062d87eb53b6159ffd5df519e896130bd15e7033ee141f70824bcfc16e127e557d47bf4c14cb880470ef3096cba446b71033c07127c37282f3845fd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
ebdd3ff3b8256af3e02919b024007587

SHA1
6ff82c38e7484c07eb6c3023df350ef36cb13fee

SHA256
24f7b1b323eb946cbbba9b20ff8b0b4bd824e173cb78ce2e8a7e8fa07756f390

SHA512
e7e4a7b977d77a490fe463760a069db3baa1bb307372d9377dcdbb70a22e2c5b6c0c03d102eae876cac2f42de4a4e1841c1dd95ae88aede54ad691e390c7dea4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
b2838545598e3d904e9535a84e07387e

SHA1
26dc50853eee46c007f9230c4ba39b860b3c4664

SHA256
1528cad4adfb18e0aa8c16369581a5a19fefade6322d98aae2a8c3ecdb3a9c07

SHA512
79f35bf9b5daa1634735615c5521bc3877e8ca83a8b96fc0deab41caf72029ac97c127429febb8f4d1018071386e2315f14ae33f7b616666499545a4ab535fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
b2838545598e3d904e9535a84e07387e

SHA1
26dc50853eee46c007f9230c4ba39b860b3c4664

SHA256
1528cad4adfb18e0aa8c16369581a5a19fefade6322d98aae2a8c3ecdb3a9c07

SHA512
79f35bf9b5daa1634735615c5521bc3877e8ca83a8b96fc0deab41caf72029ac97c127429febb8f4d1018071386e2315f14ae33f7b616666499545a4ab535fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
c5ca173017756d5bb5847450a3065793

SHA1
9e6ff0c9e9237e73e75cf31f99ab214b6c508fdf

SHA256
234e949db53bcbcc979bbdc6a1b3ada0346791bb92f70ed1218872c37e3af352

SHA512
4b80e5b068a94438fe5d8f2a0d82d73e09a803da64742a7ce3f75f2e43b3d81debdc54bf6b5c6c182a5a2cd7f7b0fa0beda1cf774c809ed7bc8eef8fefa45093

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
dee7e066e96be7738dc2c70c2ccfeaaa

SHA1
3638d3b799f2be96e30844360ba04fcf0d52bd94

SHA256
7fac7e53d60ecc523297ba3afa7f9fdb3de6216322cef6ee27dd70f63ca2a1cc

SHA512
50fbf26a413c42c428ac7d3cc8bf30eced3872a107568e68abb6a35862ac89ed2060e6abe807ad168c1b77751f5510b66d316ce0cb8d0eb56aeb261ccf13f1db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1019B

MD5
b1e77c3d58e1bb8e1fa9f65cd0352a97

SHA1
3f125a7361ef33b02e45319a773ad58610b25441

SHA256
496cdee02b39c4491b44b5016c0de1666aa19d0e2c334b3c131b6598ccf9c57f

SHA512
b95702cab1ad497f63d7ea07dfea4e318990739be604f5996ad9366f4aec20b98264dfedfdea1276123637dbf75bad798669c87845b0bc709a119fa9f4760e19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
a4b1469b15b84c8eb1c87738c547bbde

SHA1
f29ad2d92cdee3ac96f9c6cd34d4d93186fe69e6

SHA256
727a3a3b776f836ee1efa2af5739c03af0c04b07558c847f11f8ecbadc7303f0

SHA512
fc18334cc38732d4c69d2e2d18602bbdbeaaec0dee8001702679927b2bab70702d5ea1d1a75a69bcd1fcc086c5ad32268c1cf837bad005a591ee6b4307e6e706

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
946KB

MD5
950a578da2e010ecd35442453be24521

SHA1
1d036dbffba6cf4a89bd4fa363b68f874530ed29

SHA256
020f42fa502e180ef726ba7024165dbbf7fb5886e5f46ee493886d4ae1982e3e

SHA512
d9823430c544595db1f4eee121fc0ce1ca35e025f3e78858e59cfc51fb8fbcd94f993a19c1f8a3042020634026db12301cc2f095755ec31819f43a3318f90ef6

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
946KB

MD5
950a578da2e010ecd35442453be24521

SHA1
1d036dbffba6cf4a89bd4fa363b68f874530ed29

SHA256
020f42fa502e180ef726ba7024165dbbf7fb5886e5f46ee493886d4ae1982e3e

SHA512
d9823430c544595db1f4eee121fc0ce1ca35e025f3e78858e59cfc51fb8fbcd94f993a19c1f8a3042020634026db12301cc2f095755ec31819f43a3318f90ef6

Download Submit
memory/3140-130-0x0000000000000000-mapping.dmp

Download