3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d

Analysis

max time kernel
146s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-07-2022 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
Size

810KB
MD5

f39c1d7c5cfde8d8b9dcac2678ed7e37
SHA1

0ddfc33907c9152ad7a181b5f31bffe07e0f9825
SHA256

3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d
SHA512

8fbc98f677d43ff38f655edfca786fda04e2db1cede309b01745805bc2bea33d135efe418a93c67553f35eaf61ebc067ff953f1e18d01a0e917601f5e3a5f363

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exeHelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\$Recycle.Bin\S-1-5-21-1809750270-3141839489-3074374771-1000\desktop.ini.exe	aspack_v212_v242
C:\AutoRun.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

5060 HelpMe.exe

pid	process
5060	HelpMe.exe

Drops startup file 3 IoCs

Processes:

3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exeHelpMe.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exeHelpMe.exe

description	ioc	process
File opened (read-only)	\??\B:	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File opened (read-only)	\??\J:	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File opened (read-only)	\??\O:	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File opened (read-only)	\??\R:	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File opened (read-only)	\??\U:	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File opened (read-only)	\??\V:	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File opened (read-only)	\??\W:	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File opened (read-only)	\??\A:	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\L:	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File opened (read-only)	\??\P:	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File opened (read-only)	\??\T:	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\E:	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File opened (read-only)	\??\Q:	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\F:	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\G:	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File opened (read-only)	\??\Z:	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\X:	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File opened (read-only)	\??\N:	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File opened (read-only)	\??\Y:	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\K:	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\H:	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File opened (read-only)	\??\M:	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File opened (read-only)	\??\S:	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\I:	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exeHelpMe.exe

description	ioc	process
File opened for modification	C:\AUTORUN.INF	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

Processes:

3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

Processes:

3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ppd.xrm-ms.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaps.dll.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\classlist.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ppd.xrm-ms.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL109.XML.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\rsod\powerview.x-none.msi.16.x-none.tree.dat.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\msitss55.dll.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as80.xsl.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\7-Zip\History.txt.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OSFSHARED.DLL.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\ole db\xmlrw.dll.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ul-oob.xrm-ms.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Informix.xsl.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dt_shmem.dll.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-awt_zh_CN.jar.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-pl.xrm-ms.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_zh_4.4.0.v20140623020002.jar.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-uisupport_zh_CN.jar.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-private-l1-1-0.dll.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN027.XML.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\orb.idl.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-spi-quicksearch.jar.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHEVI.DLL.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\WPFT532.CNV.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.docs.ja_5.5.0.165303.jar.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_ja_4.4.0.v20140623020002.jar.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-ms.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ppd.xrm-ms.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN097.XML.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.Edm.dll.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\PREVIEW.GIF.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\cmm\sRGB.pf.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-file-l2-1-0.dll.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-phn.xrm-ms.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Classic.dotx.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\PowerPivotExcelClientAddIn.rll.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity@2x.png.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\instrument.dll.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\jvm.dll.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\RICEPAPR.ELM.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL120.XML.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\EXP_XPS.DLL.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ApothecaryNewsletter.dotx.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\PREVIEW.GIF.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-oob.xrm-ms.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ul-oob.xrm-ms.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OWSSUPP.DLL.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
File created	C:\Program Files\Common Files\System\msadc\adcvbs.inc.exe	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe

description	pid	process	target process
PID 3872 wrote to memory of 5060	3872	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe	HelpMe.exe
PID 3872 wrote to memory of 5060	3872	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe	HelpMe.exe
PID 3872 wrote to memory of 5060	3872	3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe
"C:\Users\Admin\AppData\Local\Temp\3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:5060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1809750270-3141839489-3074374771-1000\desktop.ini.exe
Filesize
811KB

MD5
3c9ddf820ba243f793ce90623475caee

SHA1
58e80c783b0c1069435693c12ddf8c875bd08050

SHA256
fccb3494407b20acca272668a9780c07f32dc53d46a8b4d6dc14737d0cfa3826

SHA512
1cce44fe733c6600845e63c450d3505ef038e400a76da0db6cfe67e11f22dd6a1b2b303336d54ef9faf7be7c1f25750ff0154f5b6331c5ead86d44ef5ee703c0

Download Submit
C:\AutoRun.exe
Filesize
810KB

MD5
f39c1d7c5cfde8d8b9dcac2678ed7e37

SHA1
0ddfc33907c9152ad7a181b5f31bffe07e0f9825

SHA256
3b99391d69a827abeb48c5886c5a7108dfe7dfd79371947b31e126a3a3b5dc4d

SHA512
8fbc98f677d43ff38f655edfca786fda04e2db1cede309b01745805bc2bea33d135efe418a93c67553f35eaf61ebc067ff953f1e18d01a0e917601f5e3a5f363

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
2026391df64a25d5402b1cb507abefbc

SHA1
5e8ce31b3de157e89453cf60ae32afee3f4b0e8c

SHA256
85eeff933cec773b4b0c4c9a0c0081305b75138cee86bc9634a45ddcfe577fb8

SHA512
8854c991d1b394f751b74c1590b9439a9e8d838684e8b3ff7a0d2c33884a5a56e84270e842fd30338c06026e97a47d20940b11860dba5ff635c8b2257f915448

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
58ae728c99e3209c81faecff252881b8

SHA1
e3ad0aeae711ea9dd7d1fda715a9deb406ba2648

SHA256
17a7eb8095a389935082f2ae06084186d03375634d66ae83ecf34e8be8e88b61

SHA512
8d36656b590937b8376387696929037d8135b23ee889b8b463200fbaca2080cdbd8267d3ea9bf346035d64de2f6046d4324d96119eda7d27f18e97fc907b0643

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
c63587bc243f84a87f627ead3f04e46b

SHA1
87a3a9ef3299e01894f69c9bfbe860e53c85183e

SHA256
d78a72f1cc16eb7556fc8a2cd56e2e181aad2d1a924f19a04e1d7bf1ab0e3780

SHA512
81c2e49690be66a2f31c1ea96bd08f701cbb6eccd3e2d14c69eab15e88f75f68278a2679df2f482b751a066d077c6c3c9f7cd3de5a5a18c17705c2b55e74ad4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
3269384ff60ad9c2480e1236243d4e4d

SHA1
cc2ba09502decd4176272a4dd800938f121cb00b

SHA256
39e9724277447f2266192106439e324a2303ef76acd091f0f2b7f0bf5b70db8c

SHA512
9a9249d5f5707418d2fbdc5d88b532018a77bc71f785ce3d23a3dbc7d8fc1a5d1a28671d994aec3f39b63f44bc75d83cdbc1e739753f17151ed64bc885b3c2e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
3269384ff60ad9c2480e1236243d4e4d

SHA1
cc2ba09502decd4176272a4dd800938f121cb00b

SHA256
39e9724277447f2266192106439e324a2303ef76acd091f0f2b7f0bf5b70db8c

SHA512
9a9249d5f5707418d2fbdc5d88b532018a77bc71f785ce3d23a3dbc7d8fc1a5d1a28671d994aec3f39b63f44bc75d83cdbc1e739753f17151ed64bc885b3c2e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
f04fda83e79161fd0363834a0933e514

SHA1
37dae4e72c6647f52c2c32b176578fb893594cb5

SHA256
108b194129a6e975582d5cfe962873ba77116a9ce50d6dcd4a932afb14eb730e

SHA512
9d6fd583a3900910a99b4ab625f97e5c98556ba99a692e85bb810c9182a71bb5948634f8d890c145e136c9d482b3644852758b2d8ca315a57a9bce399a73c960

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
f598f280f1a9e2de85ddbd361bab18e4

SHA1
61449c3e95c3068b4db0ba915a90fa042eb17da0

SHA256
18c952ae68dab2e315f00bde4afc824f7321a1d0115d7df653399a43f6d3b9ca

SHA512
42dac3db1306d3db2ef6f4d1268bc2f4bb0557e702e58ad4f883a7ed2c44b2161f0bf3bdb59388f4252ada5de8b99ad36a23e73cd48f8289c59bd2b218bc1034

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
c3be22788784187775291b1424f99fd5

SHA1
d7b0e27d714f91db45a829f7c4cb8b9dd5f2a12c

SHA256
48bfc7e178b60f159ddb1a277b5f32e1a00fe6bfc6492682eb2395e33438c852

SHA512
98f7faea5813a30979a6d8664220266c80fd4c7b9a37037ef8d138681ca606a394f78a84cc8d6c497f5f5953e88c925845d296114cf197fc67e7a167e087c461

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
7f82babde92cea9fee3254202edffe29

SHA1
97a12dccad89c9674c6470dbd5c3d88f8e956075

SHA256
e29f8c490229ebd413c97fb2fd749a8bc5ca5cd2d24fdfb0c043c3ae29cb761d

SHA512
f17f007eca6241a28973bf3704427d8ff57f3bb2d3945e1c8e0969a9b9d0f35a0da10e27d5a38d6884b3f34bb3eef08b3ec49ac3c38b0710e4eb0da181f74052

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
827dc09987237cfd23b7ed48514fa6da

SHA1
0fc07b6cf3fecc2c78ad83b4cdb984210895bf5a

SHA256
d743c5b5160cce6e2f55671eec28b831ad3fe084f2cb785d353e6c6c23b9d826

SHA512
c7f3dead0b7de9fb367c881b6f407e7a34089f3beb386310a5ee74553d66b58e82f477895c45aaa7d0c2b30cdc18f056390c90bb7743862008cc3009c0b8f550

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
662a5ceaad359bc7e10fbf5c36a818ea

SHA1
cfddfaeea71966d95009b53dfd13597be7b2cc1e

SHA256
6c2abeaab0b02a5962ec47bf56d05a7d380159dba2981713a3af703c5a6a69b7

SHA512
c91b75f3e5287e33277d29e36656032e2d952e4892a6158a82f8053f4cc6be43e62366a7e6a3603bd1f720aea1c640e02571013ac050fe6de5439e8236cf0523

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
64e8ec89655a6f3d329df0508a38daae

SHA1
8f4fa01628f5b34d753a6fdceccb67d84af51483

SHA256
29bda5559b2dd899804abdc35102092f6c3e4852b4d031f823f7b9414ccfae8f

SHA512
4d9dd472bb6925d15fa52378973cabcde12e59a2e066c94e93618d2a0bcbf6669924858564f745a1416a255cbe043c29b5c672ce0a78f2ddb3e5c18ddf9b84e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
0c803ee7ee524b969378d865b79885cb

SHA1
abca157220c0f211cf49df6f4e69c220d05c9bad

SHA256
14642cb6cc21efd24e28934593730a06ca67d506051aa69a40a4adbc92eb0efa

SHA512
03643e00a6b539db180ca1d1ebc7f9bc2f08237e0f1f3e8247e4c812d54ac64f4dfc307043b8eeb82bc46b8dc274c3e125c11edfa79b1bbd345109e4ddbe0161

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
6e755c275e7ff81bdd570e8c962c84a3

SHA1
41c9b81a7fe131f55a1c721e5a1c66f1b824a2bb

SHA256
20eae70002d854cf96a06ff4b534d610180614f6eeb6ecb45fa0edced37f745a

SHA512
db332802cc91ef3406ca47c3e305ae4768fcda19679494f5c74063b25aad7bac81a884de32df60d6625da3de8f7c5d9e2ff274f03d20de91852b96ff2c7ca06d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
49f72a64f1a103d9536a2e47de9bce01

SHA1
c2c8ce84781089e5f040cdd3459f75edec4295cb

SHA256
3bd69d987b0509e9ba1efd55874a1006cca4ddda9bfc6e43bf922a3e5d9e64fd

SHA512
a2c130e5a5f71b598ef776cc2b7531da261b969d088b2ec205030588ec95181123e5459982c1a62cb4c658a6dcaf63934e2c45504550b6849d5d5f02950b33a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
fe393dccae5d7787fc8d9870868b767f

SHA1
a21c18de983b555e14afb52d68acd48c07b5ce46

SHA256
5e9debbea9569ceac7d6c97ec09c132f60bee8dd6fb266bac4818fb4ff2fd305

SHA512
17d2f39a7037fb83fdb191f28e88aa866e55fa1ec97303c215c24175c1acc2fbe860ebd93157e84b432bc98692728dce6a2fd937898c0ff944d06a005c2e1f40

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
206097cf734d6f7c1ebbe8c3fe5b3015

SHA1
92f30443833ff474eaf31ada30eba4f11d1ba580

SHA256
1c7cb199b535fcb1310459206195d64e3a53458203c7bc29e8b43e52c729bf0e

SHA512
0a3e67b8da592b9a6c46eecb32a0ce2611df69e96698ea6880887e3e47f05e57447da8dac1dab35fac43da376f8fc31604931ed35f782b8f1778025bf40c7708

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
00ddfde1ead38bec65192d874cd1e5fc

SHA1
ce144b64228adb3180773d10924285d440cb2a5f

SHA256
9411b5ef08f567b1df4dd4ee38300aaedba753a2a80d7d7aec98636285584e91

SHA512
467583a3f43d9b484e6d89670f785b9f32d5484d5b2a43f22e2ea774961fe5e19dcdb39e83c3b8af7bfe64bddac68eccc36aee8524d7efac02243950462e468d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
c734680d1622ec3e5fc6aca6e1b5dcae

SHA1
68a66013f4c53683c55c343ebcd14f93eeec1c19

SHA256
123db0e8b7ca323de31135d1fcf683fc443447dcd7615819a3d2b09d6032fac8

SHA512
955931275a289ab4ed785146518d0c5af270884016a0e5e02f2f68aee21beded2369199bf4d953025ced964daf8f7dd7c20e4eb3ff7d13b4a7fd14aad96ce7b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
0bec49166a045f73cdfdb393e2fb1630

SHA1
e9c80b7999e1e87581aee8681272b3fb40c13ce4

SHA256
e800e198b270ab265a8900fc2312421a15b9a6812cfbe01266a4fdbef340fa2d

SHA512
d0ec5dcc60000ca05d009cae40671aff90e2c7932b12685f1fe005891068d985cafa595a61195bddcdfbeaf0ae1cf30e1e9085f4250ff2b54b96f01b933e6832

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
f2405dc41443b0a161283fb0decdd81f

SHA1
a5c5eec1b592ffea83abb8e26f009fcc461cf496

SHA256
1bc5f54e046b0f8c9ce864901ff2747235023ff4bd603248753b09a1a1e22d26

SHA512
55f27b22a248790546a5b2ca1225d8a59df6d67d1844c8c4c3718b49ffaa2c57ce625cf72c30f3b484faf6d948177a5071202a710ee3f9877da10052e01d8f99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
54c7da4e719fa1f8067c9d8745308d69

SHA1
f78ce9c88efa05078185fc8d0d9e0112326f1186

SHA256
f1ae6f6cd9596e6f95f9ed97939feecee72fde049698eaef5a168048d6b55c3a

SHA512
a53ff44abf5a7d918066d79813ea940b40b9ee8cfb1694b5fbc896d45337289b76b9bdc528087448431ac29279ed6c3742df3ea0e1234d0b8fd7d4f5b4d43888

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
0379d129b5e1f901b3062916e7f18e9e

SHA1
c9689b78465bc7f987a58254d5f2e9dc4c4fd4c7

SHA256
d9e6120812b0f289fea8edc349e750e566a4b65e5994af8cd40b042f744f75b9

SHA512
a41fd9b7252e9cb26d3aaa6a7b0697bdbea443088722c312e63e119e6b9015262f365955dc7d54292654bc0dd34debda7e1c8d795541fbe166a98b2289c29c9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
bc720adde1683accc6204dacb6a1e561

SHA1
3fd911287fa5071b7e85abdd3dd54f079e2b95f5

SHA256
47c2d8bcc992e7446f538b6fd6cfe586e0787e8954195d1e1e79c2ff866eb60f

SHA512
5155611e67bec963d152c52d9fee58401a60ae36e84ae0302bfa2a12413b21f271c37b2a25a8d44f2c10a8fdfeade39cd007349202bf498932044d04e76dd957

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
65f877467cf5fea230402f482de42bce

SHA1
9881e6178f3692c28c909763cdea99320678719b

SHA256
59d952c109824a98d07be109ca62a6011b48dd2fb7792627d243aa63ae650df1

SHA512
935dcf00fb857ab3384d5d23f9a2a78d9fb19effba71ea60e5ff633526725b3c7c76c39a723762a23095fa2a8034b935c5fc80675d3af44a9b1bc519b1468ab5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
017d0911e9d101f635cb8f15b52d1bd8

SHA1
1c5e37453e76985dd61fb26845b76be999b0003c

SHA256
b02953acc35fde82afe76b5857ca18e0bb4ccfd0e46eb0051b71d7ff61f181a7

SHA512
64857b6260da364dd52db959a328d6bfae101fcfcf67484825d91dcaf62c76813a169fb994998805daaf56971dc0f30d64cced11c775c3628ca8b90ab463ac27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
f90e81b28e0fdeeca26b01bd8efaa127

SHA1
955f86d6a5a1f24095c81cc2512f71fbb136f1f7

SHA256
a90ee5a92864b2ee247826c28ecc25d56f0de161ebc14f80e133b2705d3934cf

SHA512
0d66fe3f9b7576a95fae52ff69fbcf16081ae9107df5e05a8d38ffd2866642266041d1894caaa76bad5458942a41add8c6d1e64fe0fe19ac1db1c9c614600267

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
c63752c97d0875fdfc9f3d49469a7c3e

SHA1
d29a2b772b6152e5b21785447b547d1e310be954

SHA256
903f656487639c135c4630ab42557d6a9a5a5aa311ca11a90ed6402294df27c5

SHA512
6779cc2dda2c253e960245bb942ad8ad9e28c6becb849c7933f545e2f8811490986f116bcfbba7d02547a074273a836af225a2cc80e66b756c2e4e87a1742039

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
95a17c6da2fb3332dc0134f027c5f6d0

SHA1
db92900a9e91be218478e9e41afe9c858683aa1d

SHA256
9a75fae6e6849bd64293c33bf368321a81962d710f4b6aaf173604a694bcbf2a

SHA512
ef2f841802a87e4c8e86bb65d91c46ab0b20f40d6b734dc87dcaae079f626e1ab69c082231a7869a1e90d95e28dca9ab3180a454d7e5983e3aa57ed3236e2480

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
cf0e5b7c31af0e1b7e6526f7c67b0b9a

SHA1
116cc2fdcdf4aac18faa164368f0de6b70837dbf

SHA256
60eb6051d6775e63f6be1f3a5584d282b52361fc0fc3ec1771785f2c71b60b33

SHA512
4b272be2bb8cdd59e378b07ce6a7502e318e5f420040444ce18919a2517dff973c473407221483b842b9b13bb2ae5f15c234102f45813d6942fe7d2c0bf0d579

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
37f6aa2198c13af8f5a5477e7f1ca384

SHA1
708924dbbf44059a6b0bd284db2ed7eb5090df81

SHA256
f0ed825bae1244c4b67504d4f6b5c986e04dd7c8e0d32a5d29552b48a33f7c28

SHA512
65b4f496d69e68bed15a2a7525f01cd648fc9d64fe0b28ec0f4c08da27090c80cab839afe6d23c2307606671d0d8e2363adf34b7e70e0024dec2b5f532d7704e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
c0cdf8a3e64385a6371b18d827775a07

SHA1
27f55f2fb828ebff0286b0f4ba5a8b88868166e6

SHA256
9c7e9713d5f895802612fc533249649ce69ccb1629aec9ce7ed3a967126626a0

SHA512
b51e8c7b06968a67bb94f00cae414d9ef408081fb7cbff0837b70354a75ee4bdbf1231e49de9966708ca320818200b34a6f5ca782c0cda9b3b486f0c1b8fc641

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
b0f5c9931cc92f282e48d814c27893a2

SHA1
4f541e2f87eb1d10fd38cf46d926983c27f96a7c

SHA256
dceea5caf7dda4cc3b848b1753a73d6a3b3ef3d8dd6dbaba8ffe218ff8ae7f64

SHA512
4d2193a9ef191845877f6cfa4cac6acce7ed0e2448f15618119c9b1271f421cb6209d2cc22b62daee279e07213621545784d5f82901f04fda7b34a29284d0e61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
02859a8ac27b4d877f34410cecfe4b4a

SHA1
c1faa68f8749afb133153e9a2120b40cecc12a38

SHA256
1622f8c6fc70629249635f6c984e5555bea8701c4bbadea9884d56231bb2d993

SHA512
96d246d5a425c03a906904e5170ea91739b992f09974518c5daca10752fb64405ed420fe4b558a71f9126ba27ba1c763ab678a8405d1410f08e10a67119b9d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
5966b0d11eb67cb05d1cd4baabdf12d7

SHA1
7baa9ea7b947f8766e7af6729bc2d870a9aa204a

SHA256
310f69f68a6a6ca6cd5f39b21cd73b06b6200bf79a4331463980c4cb8d25e12c

SHA512
870808bd2b3b454e04eba5c4404dd9739c5771fcc7e7f5b06512624485fc165a18d92ef7b2b09eaef8edb831dfd0b40872e0880ca36aeafd5a4feb2bd754d660

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
dd9c5aab60b71a89d4d091b97ccc329b

SHA1
453d294484a81e3736fc55cf2e898fabe8f5bc12

SHA256
d46572f0d65701e25804322dfdd73927561ace39cc137d809518e18c57dd48b3

SHA512
dc96a468b73ba931f3c52b78dedecb5171ace3efdbf7ea86835e478d8994447028fe5da8405a01919253e4e941ae1f36dd2789bce2409e7708f513f2fe5d71ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
ac035cfa5fbc114a82b1dcace9aadae9

SHA1
1299e6620656d3a793b52dc25b61e49a169811ff

SHA256
960fd28024b3f0a7107af8c9eb67128861c86f8ace69c51cc9a7fc7d1d7c946c

SHA512
056e8018d441ecc90374fe201fcf20a499b23cffba51faccbb6b4cb44fdd502d7e3a1a80250834ce945f6e6d6feb5a6680b6139ef267e15a8ee97e7e9dd73b3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
15cbfb89f73b4c27a06e8298fe5eadaf

SHA1
52b124411851661469deaee9b4e47f5a75c36d20

SHA256
dd9bb3375705715f044474398598fd87a4213f0bfc56623bfef91f07fec4d879

SHA512
da735c083680e2ec0a37b30653c0f5d45727fa920f27a92c1cf949d5fe4434e743b0af4314f8d09c46e7904a747e0ac9541ed5d63a9dc22111d7699a3c637d9b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
22a2f9e598f18c5b95a3101b3ff66c77

SHA1
88c424158d3bb2f73e68275caf5210fe5a909daf

SHA256
1e36bfad3d462a151712e9be89a7a580a8de88839a4922113b38d40b39629f3b

SHA512
4252228fa2c9daece4dd3b25d512306c6cbdc331ff2dab619cead7c0d087d87dba9d079e7d18067a6d000e73a30dba3087047ca98e28479440b8eae7cfc7e239

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
f1432b3f31cd7572c7b62a25c1995d85

SHA1
221b39d1f839501e0a56d154278478b3091d2a14

SHA256
0a352e5d38307e9f54a1ac2249c424e0f14788246c631c673e418ad9dcb2a6f8

SHA512
2636ee574180a51267c325d22ea273bab47dd841de3c8adf0eddf6331173bb989e32513ad94f30cbc77841cc932a53fe41fe192c0fb5d56b06c9e6c2edec8431

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
f1432b3f31cd7572c7b62a25c1995d85

SHA1
221b39d1f839501e0a56d154278478b3091d2a14

SHA256
0a352e5d38307e9f54a1ac2249c424e0f14788246c631c673e418ad9dcb2a6f8

SHA512
2636ee574180a51267c325d22ea273bab47dd841de3c8adf0eddf6331173bb989e32513ad94f30cbc77841cc932a53fe41fe192c0fb5d56b06c9e6c2edec8431

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
9ef30a6a6c735f9b08338fe488ee2f31

SHA1
5d30444c5835e86f23e673a49627cdf18e6a9780

SHA256
cce09da239daeae701f39753320bb433110f538a04eb568f8f81e5cd7069d272

SHA512
a645926db473708b349d48216d394904e83fa0fc1e1c801c23ab674f0a72a4fb74755fa5d8a4e268e00118ee9dd18ae277dff302cac128a42553d657ccb26715

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
c5986aa11ab66d872b9cacdb2c7acbe4

SHA1
5046ea2f7308261dfd48c487a611edb1ba467b6e

SHA256
11839c961aa8b7e249d8a4ab4470e1b8018896e0003dea11e971303be57d57d0

SHA512
2d11eedbc3afa1bb3debfd8f746db9ee33d3c1df548aa4939f7c15be9b8766afef40803a1966a55a7a220a8f274faccdfd7d9a7b659edf745a6ecefd552978bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
ceb84bf9e922f96f9c75ff4d311f198f

SHA1
647540c149ce0bbfd63a4dbcd29bb55d801d5424

SHA256
a950eee3b504dc1d1bd8f740e67d57eb627fc064d884db5ab53d67a81fcefa3c

SHA512
c5d6e6d369073f35f7b4a2568d7bba5e74d9d6d43fd513e11c805634a41d5ec49239a0e089beb8cb9ec4553c66925300f0eee9266ecec5c651f714fe63b306ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
831529e666d1f755f2b6eb679597baf6

SHA1
37b2c4050359044280d229f11f908d57d10d35d0

SHA256
3e5726002bba06547d04e864a9d7923095e8e718df96efa41c4858ea4b1bb78f

SHA512
3ca11cef058110e502481673975945a4e1819c1f3dc123d689a0b9f73f8522f14516a15d97286db5d060d8fa006b562e7a2174bbe8a95aac7b9213b572b2e39a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
c4fbc28f2203db336f2145b82c3669cd

SHA1
7360b4e56de18f24110bce47c128276d9ed6eacb

SHA256
6f37fc53407f51df5b55596862799e67bf6301d6cd0048fac52069768976f556

SHA512
aa113788bf866d66fb85c6c81c6b60674988ac514d6aac1d3b4b32bd968fd22767ac1e08be7bf02e604e61c6c01e695f8b4acad5eb21ca57654f5b853a65ca38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
afed2310a61d9f512709b566227691a2

SHA1
cfb2e6eea2b4d0946d2934e34a6dd0f3a16a4eb1

SHA256
a860a70a1ccc7fb57d55ae48761563d8ce5320f332c3afcc82918d0bee21a2a0

SHA512
819378e134008f13ff54ab4a5711d90618a727dd26c89ea948e7c667476ed4be6094bfdfebd493bd13e7bfe50d4e1eec986c031f283b9b40fd53f45d33596189

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
703f40ab79b015c15461a457bca69c50

SHA1
5aa0395753d113a93335e2bc81e94da34b8ec920

SHA256
8287892c6109b7343ad5b5e840cd55e1a0d348875dfbf054d371e79cf0c30d10

SHA512
c2a66ba7fbb242d46d24c5fb0dea4c22cab9cc86b17a42672e2961537d46d4e7919e1e66967476c607d3340b5164e82142407fc6b9f580fac4f8b8118acbb18a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
473ab6f524841872d478309208fd87a0

SHA1
6e11538a73bd7edc2d5440fe31b4f49ae9ee8d9d

SHA256
2bad213da76bb8473e7479073fc3e86fc36a9d1fe604a3a3732e07361d50cf43

SHA512
721cce3d19bfaa8311e1b819df2eb9d191820334e1103dfb70f162aed2d58e0336cfb6b026dad1d007f7c055c66cdf3efbd637431916fb9e82b3d5c36635f4f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
cde6bb0bf7dfa4cf972aada55309b360

SHA1
8c57623f2244f1283e9c930ac311f07a5e696bbd

SHA256
4693d89b9808a7b5de0a570e6030a3fd8f6437f8fc6f8ac7d5eaae8a84b880cc

SHA512
4b16d8a0b284771b661e65719626c3a77d5665310f76ea571b72195aba80ff0769308427a50a9c430f37c35f462553185e76a83107b451b3bb0bc17927f3d2de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
864da5accd1966190997ee3acaae465e

SHA1
5f3607f40fa3b1f8e547baf944dde3c712610f78

SHA256
50ee896e7e1383439f475992abdd032122a1727202b8c894fd6170177d7a1ba4

SHA512
7b6d495d216c86caad07caa7c2623f42929f182d32287539d46ceec1422a7681aa9f579d066418ea8b55055163dd2e42c1acf07098eda55a8c38a7c8d80bb54d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
cec5d6c26656364c6935540b478244a1

SHA1
679a99431d314955e87a94368e7fdfaf530440b1

SHA256
1530595db18efb0daa6cd6b3f9af5b457a6d12158ffa1fda44802ab34101f522

SHA512
44ad4fad061694f2dd8e93536730a85c5f3f872814d3015ecf42c7f33b30bad39362045c90a676add28fbac538f673273daf2355821657a7075095241e780d42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
797KB

MD5
75a07836dcd639567c45f38857334c27

SHA1
28c0145599c1f492af39522a667d036fe00b88d4

SHA256
d870587355cf072dbd502e8a76005a20142d734b653b6d5c581c6501d3306db9

SHA512
d59b6fa47ed333a4d8086b144e6aba7b3b166097dc6f3180eb5ab7f90324600ced16d321464980e72ee117443ecf8f251bf1b76b4ec3b845ed4ccd0b3536a7f4

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
797KB

MD5
75a07836dcd639567c45f38857334c27

SHA1
28c0145599c1f492af39522a667d036fe00b88d4

SHA256
d870587355cf072dbd502e8a76005a20142d734b653b6d5c581c6501d3306db9

SHA512
d59b6fa47ed333a4d8086b144e6aba7b3b166097dc6f3180eb5ab7f90324600ced16d321464980e72ee117443ecf8f251bf1b76b4ec3b845ed4ccd0b3536a7f4

Download Submit
memory/5060-130-0x0000000000000000-mapping.dmp

Download