3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-07-2022 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
Size

940KB
MD5

1a29324cb04bfb173233cd55e5a9afc4
SHA1

4883104bc47f16c9b078b711e32263640a2b637c
SHA256

3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9
SHA512

cfbe35b37a4412069160ed904fdf154a921aebb92dbe445e2b3d29c9a592f0dbb4a28a8f3ed09cbddc6357e48d7f6d8543e1d48888929affc55bfa548206a698

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exeHelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\$Recycle.Bin\S-1-5-21-1809750270-3141839489-3074374771-1000\desktop.ini.exe	aspack_v212_v242
C:\AutoRun.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

3624 HelpMe.exe

pid	process
3624	HelpMe.exe

Drops startup file 3 IoCs

Processes:

3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exeHelpMe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exeHelpMe.exe

description	ioc	process
File opened (read-only)	\??\V:	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\J:	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File opened (read-only)	\??\R:	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File opened (read-only)	\??\T:	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\B:	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File opened (read-only)	\??\I:	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File opened (read-only)	\??\P:	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\E:	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File opened (read-only)	\??\Q:	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\S:	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File opened (read-only)	\??\U:	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File opened (read-only)	\??\X:	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File opened (read-only)	\??\F:	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File opened (read-only)	\??\M:	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File opened (read-only)	\??\O:	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\N:	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File opened (read-only)	\??\Y:	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\H:	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File opened (read-only)	\??\L:	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File opened (read-only)	\??\Z:	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\A:	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File opened (read-only)	\??\G:	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File opened (read-only)	\??\W:	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\K:	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

HelpMe.exe3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe

description	ioc	process
File opened for modification	C:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe

Drops file in System32 directory 2 IoCs

Processes:

3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

Processes:

3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_ja.jar.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_zh_CN.jar.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ppd.xrm-ms.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART9.BDR.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ppd.xrm-ms.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PEOPLEDATAHANDLER.DLL.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ContemporaryPhotoAlbum.potx.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-pl.xrm-ms.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso20win32client.dll.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ppd.xrm-ms.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ppd.xrm-ms.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\office.core.operational.js.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoDev.png.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-pl.xrm-ms.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-pl.xrm-ms.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXC.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-environment-l1-1-0.dll.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2Fluent.png.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\amd64\jvm.cfg.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-timezone-l1-1-0.dll.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-pl.xrm-ms.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\StudentReport.dotx.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf_3.4.0.v20140827-1444.jar.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\external_extensions.json.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_MoveDrop32x32.gif.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-windows.xml.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ppd.xrm-ms.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_PrepidBypass-ppd.xrm-ms.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-pl.xrm-ms.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\ReportingServicesNativeClient.dll.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-pl.xrm-ms.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.metadata.repository.prefs.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-math-l1-1-0.dll.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkServerCP.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ppd.xrm-ms.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ppd.xrm-ms.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.XLA.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as90.xsl.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_zh_4.4.0.v20140623020002.jar.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_globalstyle.css.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ChronologicalLetter.dotx.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\osfFPA\addins.xml.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8es.dub.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\vcruntime140.dll.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Initialization.dll.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.emf.ecore_2.10.1.v20140901-1043.jar.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml.exe	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe

description	pid	process	target process
PID 2636 wrote to memory of 3624	2636	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe	HelpMe.exe
PID 2636 wrote to memory of 3624	2636	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe	HelpMe.exe
PID 2636 wrote to memory of 3624	2636	3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe
"C:\Users\Admin\AppData\Local\Temp\3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:3624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1809750270-3141839489-3074374771-1000\desktop.ini.exe
Filesize
941KB

MD5
3ac84014ea2419428c986def2a023103

SHA1
792b052f5813330769a9b96ab9dd5d93863a3dd6

SHA256
e44771cbe2b88fb5262f3b9a6e60363fed89ce88765f6980f0e10d76e4dd4adb

SHA512
287b4c00dcee3c71878c5678f156baacb81d33f39fc9d3346f5d03e056f96ef6e467b85164195763bde2f959ffe87075e61c5097167a7bbb84c433904e03fa7d

Download Submit
C:\AutoRun.exe
Filesize
940KB

MD5
1a29324cb04bfb173233cd55e5a9afc4

SHA1
4883104bc47f16c9b078b711e32263640a2b637c

SHA256
3b6fb95f4c4e8f78da8c574abf5fb9045547a15864d0e70a6ed8e731f357b3c9

SHA512
cfbe35b37a4412069160ed904fdf154a921aebb92dbe445e2b3d29c9a592f0dbb4a28a8f3ed09cbddc6357e48d7f6d8543e1d48888929affc55bfa548206a698

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
3be093c5543ec8dd25ff79676a73a4be

SHA1
35ba87bd470e92646da0cdd4a8a9b11d25351cff

SHA256
5d60462fde2db64e428e0f22a9a1fab8641c68f1317c0c8962cc19e36b013717

SHA512
d8400cd540f170e849ee525e830282321dee00e7e4b455132749dcf32ecbf326df09cf36752f58338e45266579f997a6a55725e7467b09b7ec2dcc6c19749310

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
9ba70cac79a7cbf0ba58c1bb14018ed4

SHA1
86118befacd7564e93bd59fcf74508dcdf4b2e90

SHA256
b059a63782532122f52a973d622d2fe957446dab28a603510e6fc778e4ca141a

SHA512
41787c83d5d24b50cf80a6fff3df7c3ffc6da105cd82217a0497ed9a557a9bd077bfd5574a1bac3e3dc1a2594271671b4138bc7ea570c0e93566fed69cd54402

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
096ad537e9641cd0da5e7c35244ee278

SHA1
74c9d3c7375ac5037172b0d59e8106be3e4394bd

SHA256
03b418ab8791ab58bc82bb4ae8771979671c4926a4f1998c654d3f91f6cd304a

SHA512
adf1ae7e1eadec1ddcbda687d7adec7d4663b26bbbcc615e1b5b4956ef8ff28f87d5ccf89f13e4f508ba58fd632d8ba33ffbf014d63d66d4c14fc576fdfbd1a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
d1c85e33a16774a39719e0239dddaddc

SHA1
e066eee3c79b3f8dee6d2a00d76a3d71f52f4710

SHA256
7fbb4ff1dad48840941d5d9ca66ad21b1c9f7828091a0dc0b8c820c50f3af8b4

SHA512
638a97f1d2279b953d0ef5baf0361441f163c27463208c6ccf16e52f715a34f46d5458abdb92f87bb134f5c9268191191e5a3bb87f9bb51986db5b19787600ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
537c2e13ad1a76e937bb41ebec151c84

SHA1
820ff2dc9eeef92c870de0a536672de458f54d5a

SHA256
8dbffd26d5007a4e12be64c82b8cee4cea7bbfadee2d6a0d9c2ceb7d08b3eaae

SHA512
751c6de47353a323fa3807d52a44d3d32884fa636f87463abb97302ef82b7a5ee8fc0658048d7602217fa0ce7f628005545cfa8350b191d6450e0330d6ddebed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
d6563c3a1fb6f94ef357f679dd5775d0

SHA1
398e07c0620bc02c7fcdd97b31ddaa3a4953fa62

SHA256
56efa4b67dc3b9c0a255bd1c9f707d4fa35ebbcee2be64335304e8305690530d

SHA512
8bdf3d8f7a02de2dde628fabe018ccdd31f6fa8db5d76acc77f6d6272bf65a98bc48aa06fdde406414cf5e56422b89b02d7cdb3ce82c64c8af7dbd41ba160e8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
46dc00adf1104d56b034bea4bda37001

SHA1
00fb3087004fce9cc20530ee671b68dd175bec10

SHA256
45f8bc9d58a6ed3d86533bf8e3869eaf6b8b2b989445858e19b2ed253a38fbff

SHA512
3da7635d42cddfbd5d791968cbb9eab4aa544804a3630733174fe71c9f02163e29ec763dd2c73323abfce7b4e86ed5ec75079cb469f64df056e4914abea34b61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
b4be83c80d524a8da50f84639ccba936

SHA1
f0dbca9b7c172b93e146e15ac7a77adad155332d

SHA256
2ed15d1425665b104475b42fd58fa112cced77e523de969ca5e575c95d218a17

SHA512
6442d082f339bdfb4aa1a305101cf1095c30a79ced683a1dca387af3daf34d18b7cd694dab05e358a8bf8ec2881f08859d1d66c4cc3c899e7b9c78cdd08d9578

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
4d53a620529b921e660c0a67039d6376

SHA1
0b4228640c58574a0b9d5daec8d961efa98aa1e7

SHA256
e667af37f01ac3c7193dde10ad4770de17f6671919e2bba05577953e16fde4c0

SHA512
7beb2b26dd8910b435923ea1c3b0be8cca116bf29ae79934a00dfc8a8b6edc8037c052919c24840d1075676d37d926abb796635ea91988b2a30b3beaf52a2202

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
6609fa5f0ada1475c67f45394cad345b

SHA1
19625d972fc96f824829b813ccc8a95e859f5f84

SHA256
228c13260be39552e0540d0dd09d308bab103e426f1e9286e7a8caa16d4d0494

SHA512
fef979913e618cd19c560dc64f5658b25f2f1d99949e94849ebbd1706d6be9d187badd707a927706f69f0654178f506ee528044c775e0c7d6b8cad7ccb4e025b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
6609fa5f0ada1475c67f45394cad345b

SHA1
19625d972fc96f824829b813ccc8a95e859f5f84

SHA256
228c13260be39552e0540d0dd09d308bab103e426f1e9286e7a8caa16d4d0494

SHA512
fef979913e618cd19c560dc64f5658b25f2f1d99949e94849ebbd1706d6be9d187badd707a927706f69f0654178f506ee528044c775e0c7d6b8cad7ccb4e025b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
f2c62b88f5841fdec401a16bf50f39f0

SHA1
a0ab7adf1fe1de29d5b2201926351b2bda476a4e

SHA256
630922a8e5aaa56ef844064301d1bd8d28bfe6da05e6d51c5e049381c5ccbd1d

SHA512
9dcf3fb148bb33f56e9135ab13be89d3f33f8be971b14019c45652352fada1b318a60e6bb6c23627878db7c8dd737d32538ab180d865a47d60b9fa16ba73899c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
940e26970b81316823fad7a9c4a88b19

SHA1
1e1ed3dfbe02463ec2b78b1c72ddc56298ec5e84

SHA256
7cfa8f909be671b3832d31b0dcef98526d8d26a56a99b3eece3e0db68966049f

SHA512
d705ea27c89a43c287cca5ebf71e927a5fc0047cdd6706838f568f22d00017b837bd123c77b955e2643d52d1b4db4d751e18f3240cff5c19887e804e682831f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
76ee696de29666822564837929ac8206

SHA1
34561d5c687b2575b6aed49dc167dfafa82042d2

SHA256
53850a8071c8fcf1896e3586a6b950cd538cfb5d18e4f9965dd4475bd083d5d7

SHA512
9bb3d9d8fcb46d75c7222f18885386f8420e1f663f8168ff569b90e0ec8201d87da8870ab52b6cd6b55185d1793f3fdfe0f7bb875a89603f86d68f10d9d2af2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
76ee696de29666822564837929ac8206

SHA1
34561d5c687b2575b6aed49dc167dfafa82042d2

SHA256
53850a8071c8fcf1896e3586a6b950cd538cfb5d18e4f9965dd4475bd083d5d7

SHA512
9bb3d9d8fcb46d75c7222f18885386f8420e1f663f8168ff569b90e0ec8201d87da8870ab52b6cd6b55185d1793f3fdfe0f7bb875a89603f86d68f10d9d2af2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
bb5aae1fb20716484dc35474dba5fdc2

SHA1
8ef43cb27ab6a922d025b269ace06cb4c9c8d454

SHA256
e7fd30549cbc4f17e451aefc8dc5eb7c7e596c7429a461e5f3d3d05498d27b47

SHA512
557b3a1e14a1d5a7eff570e07e67e606b716b3db04ac5bf47856901d6a5e1d5ad84dcbf1af850f89dad230224594df4860048886cff6a4650effba6d58e7c3f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
da5bc6bf6cd772cdf9ddd0d47330c687

SHA1
d596419cdca787649922f6b06778ca2eca2ed94c

SHA256
84776e3e56970356c1f6683a3f443828753ffc72315d704d66a73006aa68a719

SHA512
66a91a8652eacf799a98b6cdfaeef85bcd3c7f116da08efa5bc7041ce53290c2fd5e0bc1a2b4f55efa2f211154ae3cc4dc7712c6f8abe00e17d17bc8c218d2c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
da5bc6bf6cd772cdf9ddd0d47330c687

SHA1
d596419cdca787649922f6b06778ca2eca2ed94c

SHA256
84776e3e56970356c1f6683a3f443828753ffc72315d704d66a73006aa68a719

SHA512
66a91a8652eacf799a98b6cdfaeef85bcd3c7f116da08efa5bc7041ce53290c2fd5e0bc1a2b4f55efa2f211154ae3cc4dc7712c6f8abe00e17d17bc8c218d2c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
742db28c7cfd49f8c3ba4b9f64348c69

SHA1
6376a04747cca5aaea80b593dc12ba03218e2ae7

SHA256
aaabd88e63b6648198c25859f37b935ae36e9f9607125b973e51d5e93fd518e3

SHA512
22e0bcbb04a33123f2103e0fa2fb8e3c9103aa5b22e460d4b0545a43290d6015ac9f578dec755e15e00dcc4dd38c3da5c7f766832e4b53a517768aa5e760ea22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
c6d5853a4eda40acb9c5a7e505274ebc

SHA1
93d15444675b5f696f02d9d4175e42b0d4312f48

SHA256
6cb3a06d890e3ae671977997d3b43aeffe4475136c43e0d4b3716914865136be

SHA512
5f26ffb029cdfafde6bc8ee3cc6cfd6a816d51559e656a698aa2e1652d653779b82ac06f55ea517f8d84e9a2d86aa3571e3a290c8b5ac2cf34f3ee47613ebbd3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
3501789f89102f900d7c999b77bd13a7

SHA1
7beff0cad78eaf92ae1fbab559325e177fb5e060

SHA256
28b50cfccea7f0df6df25ffec20937c356082ce770d9ea67626ac45eebf234e5

SHA512
af58902e4bfec0f85788e03d072bab564b5d431ac9b605f23438b6d81e83d7e7721046ef4acc3b0fd86d89798b3b7e9443899aeb01f753bc4cc5c95d6a4f1764

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
188e4b0f886d6a11e243e77a436f4fc0

SHA1
b8b2efbc519ad6d0b2cc58049844fb8311104583

SHA256
d02506aa6a5094f122af83f4f4770b91cfa17d3c3d64ccd3c5c7edcbeb120c6c

SHA512
9e8ee044b27a6f819e5a5480e9579cf20f5aa4fc42dd7bc9328440af42f81d6e5c04eaeb666b5178976e5e4d5cf13ccf7d84efd1a3e0e0258395dea0b61107e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
7bb587ff62d2810bc8fac897495a2ae5

SHA1
590bf67b1052746b79903a036324f2106f1e468b

SHA256
9298c49e35ee1a70821dba1690d8d78b11bfe1746fabf54bdbc751c4b75c00b5

SHA512
a165102eef497d02fd5326622d27f8ab797cfeca43d3d593e20de96db569db72f3c2bfbaf20efdd58c46c8d09872a7d09e9d81cbc8bd460ed91d6b583873505b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
0820d9073830d09578f29b9f7663b26f

SHA1
48fa470c1e575a023567b4b82670f8bfa3f289a6

SHA256
cd397f2da8ffa6a2ebb08280c21ebec74232a8bf366aefc50b1fab2d3cc34e4a

SHA512
8c39313c8904fdcd674988a77d1bc03d56921259ef34f9c4ff9aed8013b953d7e4be718aca8c7a2e001f17396780ac178e450d60eb1eff78d5a698221cacf01a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
0820d9073830d09578f29b9f7663b26f

SHA1
48fa470c1e575a023567b4b82670f8bfa3f289a6

SHA256
cd397f2da8ffa6a2ebb08280c21ebec74232a8bf366aefc50b1fab2d3cc34e4a

SHA512
8c39313c8904fdcd674988a77d1bc03d56921259ef34f9c4ff9aed8013b953d7e4be718aca8c7a2e001f17396780ac178e450d60eb1eff78d5a698221cacf01a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
e2d90676da02b6c8b9de5f073439a36d

SHA1
043c0966f139618a146b07d483ce46cd8bd6875a

SHA256
dfdfd9383cfebe48f28597f9d07637822a7266a3453c60b43bd8254c746fe8d0

SHA512
44ba1874b7622bbcee22b599c72d169fb6637fc4bebcdac345a5568bdb709864bee24fc713a2df7aa887bb044f8eef6e5b58650154d8e07cf5db801ed3b2a2f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
e2d90676da02b6c8b9de5f073439a36d

SHA1
043c0966f139618a146b07d483ce46cd8bd6875a

SHA256
dfdfd9383cfebe48f28597f9d07637822a7266a3453c60b43bd8254c746fe8d0

SHA512
44ba1874b7622bbcee22b599c72d169fb6637fc4bebcdac345a5568bdb709864bee24fc713a2df7aa887bb044f8eef6e5b58650154d8e07cf5db801ed3b2a2f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
61e55c2f094ace26091b8ec9f6d96fed

SHA1
a78971db41e7c829edde7a2a4967f277f2d9c7e3

SHA256
9591ed3311d07d85c9d0dd1f60cd05061a89208d7311f2e0652573820f8c7e43

SHA512
9d73a8b1682ab48cce4abb3b7fe386acf49c50a0add1a1d44af0875201f3fec33c6126203e3ceeca632bd8a7b6b5d2a6d02bbcef83e994c60b5c00fee612c282

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
01f3102707b3449842e26189b06ab88a

SHA1
77d7636da4fec414aa75e9a72bd534f36ac62ec4

SHA256
c9f9581680db42f972a6d136cd360ea2b923da67b7b76d61269d9807bb7ebfea

SHA512
6ace21a8d75228a41f8a3c68b0eb3e7af41f364d907b62184b7c0fd211a84ca255c1a5dbb6b361acfc001d4f988e726e7a321642e80dea116a786033465ccf3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
e8eb610414f3a2da524d8fa0a07da566

SHA1
64e912b98c26b2d91606e8e6ab288f93f785c639

SHA256
4f19e57dede5e9d28fcff71347af28dfd2e4791ddf7ac80f68c3fe477ea0e29b

SHA512
ce3fd2b50413bfcb9b0b0484e6d848588495a57b5f84706d0ad0e5e46f71923e8b9a46bdd99c681b489b6afe6a76b3180556a15e54315c37644f7d6cbc99ff83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
f31e09cc9d063fbf6956db51accf4a0d

SHA1
5239d81af2945c6c3134e9f7fdc9482a2fd9e9fc

SHA256
fb3b27ff9d1a360b5db319a3f29dc2e06e7097f1434036c683df1280784e22c7

SHA512
363d5ae923b5c06e5a207236831c1186c70762f60ef512ef8940b39504ce24d818ed05d38fe4975458ee573855f9344fa7ea24ca2bc172583a0e00cc07c5734b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
aec989eb7bffc94e42c68977848fd7b5

SHA1
dd84f342f675947386afeab9edab3e03f97cc7d5

SHA256
c04a1af176d921b0fab4e77d36155cdbe2eb3c25ab2b0567b3866e975cdc5fb2

SHA512
6e1301270f10609ccd42748fb24c0b319f461af5df308c568a99ef2380b2038563fec8f6753792e36fef084f2a9435991dd6ccb5073eff6b3b521b76e7666455

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
b9adc69b1feeabfe28a6851eb95742b9

SHA1
7a3a03648380658994a24371d7b8de79c0e985c7

SHA256
7d341c5cd3aa01a07e90b694a632b886d875e1453d627fc23875ec176ec163a8

SHA512
bfc19307ca244589452cc190c3f5e36adb155f2f71000b6244b62d36e15499fbab6a8f99530056af6a32224c190363aad993595abf6dac5217172e4d894ed70c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
c378db31c3f4d016c0b2547cffb1de32

SHA1
705b6d854b3e073544d2173ff5f7e777291c47bd

SHA256
64edf39d104ca48c39f168099f360f403aeae8457ca06df5dc9217dcdbc9d1c1

SHA512
78f8bec27050c94825ea264001c2026584fd60e30a3593f272aa3a73ec520081ef729e113d84dba36ce4fbb2d97ea9e9d2a39d3dcf8011b7e2364856161abeed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
c378db31c3f4d016c0b2547cffb1de32

SHA1
705b6d854b3e073544d2173ff5f7e777291c47bd

SHA256
64edf39d104ca48c39f168099f360f403aeae8457ca06df5dc9217dcdbc9d1c1

SHA512
78f8bec27050c94825ea264001c2026584fd60e30a3593f272aa3a73ec520081ef729e113d84dba36ce4fbb2d97ea9e9d2a39d3dcf8011b7e2364856161abeed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
de9541f2f7edce2f5a14ae538b42c54b

SHA1
006a53b9e16a3cc25f42c8122e8574b88e0ab522

SHA256
c3f535b483363c727866df6b72e5ee5a16f54f1551de5f24b0911bec382c8bf9

SHA512
bac5db21371e55f8734c491c56e01e7fe362672d6a5df306e25a31b4da5cd7469a96b266d47f3e38bd9f4f0f50b1c7509a7addc0fb12a0be15b505d518c31997

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
d06c0c67172a93b0ff5abf23d93cca07

SHA1
fa2e0bacc633040bb217e2fbeaf77264595246b7

SHA256
7bbd2b56620c7dc088d172930176e681e0ee1f048cd378e22ec7956af371ae2d

SHA512
e0aefccdc095b7263a653674ceaa0dfe38f4f103303a8a1d4841c32bda20ebb13ecc02f48a9cf2c910af0c5dd4fbf397600bca1ada8083b08db3201fe4a41730

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
eeab7c2987baf8f01d9c9355a1e67a62

SHA1
929d86f438f749672ef6e1d38de41e391f4c186c

SHA256
a49ac289ace8f71584ab241296045c8bcd84451695cae124f325ad2c962db0a4

SHA512
fc99b2cd4e710e1a6e2c9c747db48d969f85886329c5e7ecf4334b52a42892a931538c447f12e617168b332e0177326e09f7c15b9c58883547cd11e339d51679

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
e2a85c0c49151b26b556930b778b855b

SHA1
1e4b10451079bb30b721ceb76ef41964ab371d3d

SHA256
35b14f2ee920c636c2314bf6f3ad15c4ee43b396b6930f313c8a35ed5e07b7c3

SHA512
270fb695d01d20dd014500dd3ecb653df6586b0b2823e987c97209fad890b02e161ac650e78233ea48abb8245b6a7bca7239625824acbf942a0fe0742968eb8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
4a3541d5bac05346f1e63cfbeb2a8d7c

SHA1
561d7c994700424e915d8b61a8effa950f9a050d

SHA256
a4ff2a27f81517788b605c8e466c882c1c96019d2fe1c17bf512fd44b35db032

SHA512
5383913fdc43c4c2c6f12bf430b175b4bfb1908f82887d4a1e8a264a5eac12bf716314377c29c9afe623aac4625739d88040ef92b40910bcd0b35d97f3da1388

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
c7b668b71df31ddb8b10cbd6a586d367

SHA1
cf539ea42c72f423ae84e7f063d28fc59347611d

SHA256
4cbad8076e7e83363a89b1ef7a8d418417f063cd33a4ba1cb28621a8897b0c8a

SHA512
8f7797ff119235858050fb951ca9c3a8a76200afd0aa62e59b9f9e7f57ff30e86def2ecafb5848160c97c9ce5beb4f92c434e66e51298e7d4eea60f12de4a90a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
6777009c730369fb6f6d698cf593ebf8

SHA1
222716775b62bf9737ffc16af12bda801ba6f885

SHA256
89620f60d481017ad5aebd1c9f3b69107058d3b1a518239f195e72c59fcd3f75

SHA512
0cb27f4b5ad4dbdbd9ce09aeddda34f1a8c84f94fa04117b35693ebc046063d97b0b3bdfb374089a6e7ab025fec60b646e7f2026fa7f5a2f1e92218e3186247f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
6e9a1a9b6705b361abfe2fe1969ccf32

SHA1
6f32856369b41ab7a1bbf4fbbf3a0f83aa5b5e82

SHA256
c398a64a615c0b9f0ec4b04f7c2f6ec35ff22b247d1af4dac512089dd994c7c6

SHA512
9ffb102286ffeda81f6774219a43f5241da1992bcab6572d84f8db8ed5ca1cc6a7c999cdcf4ceb4d195c828c9923a2747a00689ec58e8245532c8f1cac12d8c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
5fa2697c89692875ff9c3c952ed26950

SHA1
b02171bcaf3c514ca6d8b048fa9c366b02da6906

SHA256
017fb046a0a48e2cd9d05880dc5f84722f427d8612639f0986d565b7264f8b51

SHA512
3fd3888d7e56d8a4d159f7678673b38f1128a88ca6f05df0b08b4e1bd8b089d41c3412ac9248984736646a46a61d9955a26959a9dfb57a43ff3548ef3bf0e45c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
814cc9c97819af5d4602d97e053f0c6f

SHA1
d407cdb9836e4741fe493e1ca9d71b30e65e6658

SHA256
3147a61aecef9599e89e20bfb55a1fa279ca2ef6c7640b804b53f4287c7b8bfb

SHA512
592a7b207e0aa4dfd20f6c787fc63d19d041591e6bc85e1473adb9ec9e4179d33d0494de7cb38158204b90c568c21657c3aae66d8361234b5d8fa8a2400e52a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
6d7583bc513c9d09d16f00e831ebaba1

SHA1
d2c8641e831412830fa74fc3cdd12c02650de4e8

SHA256
4662f9a8f9244ce454857747052ead772c254ffeb81dba4b5fb0ef33b93c7127

SHA512
43a71145701578101193c7dd1469e610a6b9f224f5bfb47879da3d134f316999b6c2c5ca455d067d14408d6ecae1af30820f9a42a5286da1df044f68a0cf9a01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
5ca08b8e52e056d6fd8f0e4c21ad75e8

SHA1
045bea8712f8e0768789fb3068d6bb5f6d1f6620

SHA256
49ea830aed0cdb1da41e5dabc49a049ce7b5c276ab0cbfad562fa9f829af89b3

SHA512
11b71912f7b9e06462bb5d115acb1551ea3fc28ff5f77dc7ab44c8e01f54075dafe95495b833fe6c1df2c56f96899de2402c09026bccd639a79943db1d383094

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
78462d24f833b010782a2aeedbdd0c53

SHA1
ffd336fb0ac5b0dd42821205e5995619c689fcb9

SHA256
4bacc6ae37a0b9cc62b267733ebd7a3d51617a2cb6be621623c569730ce8a88a

SHA512
5e3a192efa1b674afac641b4bc7b3df65f036b04bb3ddf49165b4e05f4a0199032e77acf14ca2d5d83a872614ba73bedbb06ea5144a00f23575128e07d8cdbf4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
ec988d575eca24289c3d1ab11d959f85

SHA1
b99e0f8aebab012f638b98faa47ca4201c4ca306

SHA256
2ac155c220fd420b67c9073f43eff51d5b3792aeb2e6e20dcdaa0acf7c45ae4a

SHA512
f11d6efb53762245cdac4161ba627b0f6a3c82b98dbd12510956cdeff66b3ecc3d7d2cf923bd52fe92e09888cc419481cea7edba3a4856796be3358171c6c88b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
ec988d575eca24289c3d1ab11d959f85

SHA1
b99e0f8aebab012f638b98faa47ca4201c4ca306

SHA256
2ac155c220fd420b67c9073f43eff51d5b3792aeb2e6e20dcdaa0acf7c45ae4a

SHA512
f11d6efb53762245cdac4161ba627b0f6a3c82b98dbd12510956cdeff66b3ecc3d7d2cf923bd52fe92e09888cc419481cea7edba3a4856796be3358171c6c88b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
58f110b4453979830077eb2aa7f56e26

SHA1
f62feec9b4f3246298146bca48d095ecd2082741

SHA256
609f2e733d8e64e4987c6f8187e152b6d72a4d5cc378ae4b923880b9d8bed614

SHA512
cea44b3065f550c0c6acc830548ef2084a74f9537bfaebb197396a12dd3ac9a53f96f37066e2a610c1dd641427c8b8cf0a3c9175ef922c8eb48c4c58287044fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
c8681c3b09ea1f65851281164af94008

SHA1
26960e59c831d9a29c360e891c6782e9fe2e958a

SHA256
09f115587c8406af7bd44bb2f4f8f4dfbbeacfc5fdc24b98a53aef5c83966edc

SHA512
d0bc9fb07632981fc97255e9558fdbd13287ff43ba09903fee462b3756eff5f8031b91dd864fcbdba453cf544a85cb2cbedbd7149cdee732b0a00e945a0674d5

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
766KB

MD5
bdf5e11083db209d351609d1ce6a4a52

SHA1
641c10b94223172dcfc89607b2d0bb79b65f83ca

SHA256
98d1959150cba4aa818579062b6bac5af1a40566f7bdc83ef0ccb392c30b31a4

SHA512
c6e1a723d286a3de4337e10f24de37cc3bb3153084ba0f9f03857d0c1d497fc673e0eef61ba186a37cb2ebe5d34a6799de8c61ef258563ac1dc4264b65a9c001

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
766KB

MD5
bdf5e11083db209d351609d1ce6a4a52

SHA1
641c10b94223172dcfc89607b2d0bb79b65f83ca

SHA256
98d1959150cba4aa818579062b6bac5af1a40566f7bdc83ef0ccb392c30b31a4

SHA512
c6e1a723d286a3de4337e10f24de37cc3bb3153084ba0f9f03857d0c1d497fc673e0eef61ba186a37cb2ebe5d34a6799de8c61ef258563ac1dc4264b65a9c001

Download Submit
memory/3624-130-0x0000000000000000-mapping.dmp

Download