3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-07-2022 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
Size

545KB
MD5

ca0d7efeb7516b6a873e5d6e20960b9a
SHA1

53e368a4481819c5ae532280e45efa690e80b7d2
SHA256

3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85
SHA512

b6aaefbf444b9e4c4e3eb8eda8377706544bf9fff3b0894b9ff07cb9171c8f977f3b76d3ea963a657e6d75cd986a236cc8a16a23e32d2e283cc61fbc43bb3099

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exeHelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\$Recycle.Bin\S-1-5-21-1809750270-3141839489-3074374771-1000\desktop.ini.exe	aspack_v212_v242
C:\AutoRun.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

4596 HelpMe.exe

pid	process
4596	HelpMe.exe

Drops startup file 3 IoCs

Processes:

3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exeHelpMe.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

HelpMe.exe3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe

description	ioc	process
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\J:	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\B:	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File opened (read-only)	\??\M:	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File opened (read-only)	\??\R:	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File opened (read-only)	\??\U:	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\G:	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File opened (read-only)	\??\W:	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\E:	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File opened (read-only)	\??\P:	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File opened (read-only)	\??\V:	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\A:	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File opened (read-only)	\??\F:	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File opened (read-only)	\??\H:	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File opened (read-only)	\??\L:	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File opened (read-only)	\??\X:	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\I:	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File opened (read-only)	\??\N:	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File opened (read-only)	\??\S:	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File opened (read-only)	\??\Y:	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\K:	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File opened (read-only)	\??\O:	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File opened (read-only)	\??\Q:	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File opened (read-only)	\??\T:	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File opened (read-only)	\??\Z:	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

HelpMe.exe3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe

description	ioc	process
File opened for modification	C:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe

Drops file in System32 directory 2 IoCs

Processes:

3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

Processes:

3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\hprof.dll.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\cacerts.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ppd.xrm-ms.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\BHOINTL.DLL.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.nl_zh_4.4.0.v20140623020002.jar.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-oob.xrm-ms.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-180.png.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\EssentialResume.dotx.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SEQCHK10.DLL.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.SF.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaSansDemiBold.ttf.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-pl.xrm-ms.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\EVRGREEN.INF.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-ms.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-pl.xrm-ms.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ppd.xrm-ms.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-140.png.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\LAYERS.INF.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul.xrm-ms.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ul-oob.xrm-ms.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-localization-l1-2-0.dll.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\PREVIEW.GIF.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_zh_CN.jar.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\trdtv2r41.xsl.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinStatusBar.v8.1.dll.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-ui.jar.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-uisupport.jar.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe.manifest.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-utility-l1-1-0.dll.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_100_percent.pak.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag@2x.png.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\CalibriL.ttf.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_zh_4.4.0.v20140623020002.jar.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODTXT.DLL.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL058.XML.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\PREVIEW.GIF.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ul-oob.xrm-ms.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-oob.xrm-ms.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\COMPASS.INF.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODEXL.DLL.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\Client\ucrtbase.dll.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-phn.xrm-ms.exe	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe

description	pid	process	target process
PID 1420 wrote to memory of 4596	1420	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe	HelpMe.exe
PID 1420 wrote to memory of 4596	1420	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe	HelpMe.exe
PID 1420 wrote to memory of 4596	1420	3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe
"C:\Users\Admin\AppData\Local\Temp\3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:4596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1809750270-3141839489-3074374771-1000\desktop.ini.exe
Filesize
545KB

MD5
c6218d60ca90205156570a6374d16686

SHA1
a11d4645ec146c7fd8167fb2c3b41440f57075a1

SHA256
c4ad2d0f1a5b55485830698c8193354dcc445aa698624672ce18dd591cfdcd83

SHA512
ae9824ab1a464576a9902071f63353a5184691cc5395687695f2477b25a78159b5c9216582f2243c3d40f4e1e45dbca11621d4347feda9166cf357ca300d3050

Download Submit
C:\AutoRun.exe
Filesize
545KB

MD5
ca0d7efeb7516b6a873e5d6e20960b9a

SHA1
53e368a4481819c5ae532280e45efa690e80b7d2

SHA256
3ac86e632ea4f45d287eed5d1f7beb7d5b505b98d2dcdd2e4ed60cf4595cff85

SHA512
b6aaefbf444b9e4c4e3eb8eda8377706544bf9fff3b0894b9ff07cb9171c8f977f3b76d3ea963a657e6d75cd986a236cc8a16a23e32d2e283cc61fbc43bb3099

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
83178b66d4adf98d9d57d705c02d4ddf

SHA1
39c2571beb6bb24bcede60bd4fea61c0322de4f7

SHA256
891239cc90b6cacef26e02e0fb57946dcc32f8185605407b8be79a91e9076992

SHA512
3f9f0bf39945106aeccabdbf89192e91817b2b64c028f1da94b1fe689f935a05cf60c6139dc18cd1f42e65a24445ff706099c1d1a0ffe17e6e8981f76a6ae7d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
0b26b62dda2800a150d8b4573d7864e8

SHA1
a8c1df06a7f6ecd7fc1b09998acfed221fce80ae

SHA256
47179f5800d6e6cb1c061acb69968b136346e11d5d1aa298b771cbee02693bcb

SHA512
5bf82ba0275a995e1883bac550b6dad5dd1a1cd9c77df00827a8fe9ea06dbf000e663cd9608a7e4f4bc39f6c0f928e1e1b7ad9c206ce005927f3cb7f5cd208ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
b61311a5eaae29b75b45109a79d3bd14

SHA1
06e205ed7f2b51c0672ef6c2e288398bf4d100c3

SHA256
79209c46193d3a4578f33184f26c58d29f07842034c863eabb936a309cbcddd5

SHA512
d9659ba4a368a6746d14a1847063f9a6788f26af2b8ce23597a3934cf922737ff8a6f67fe8f6c999f2af7848327d0f8f103e184640086d55d37a77e1f833998e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
1de9c025bda56033e2d5a322cac13b26

SHA1
5f149925f131d2016170d94695db38af20c1cb3c

SHA256
695a5e538f7dde53c4b4d75b4067630ce422c0fb26564e376a6c8838ff551b20

SHA512
88580c5297d62b9ba80c398defb0ed0b2cc0fee630bf6088086f5b67338a6ee3e2b169a27d73bc6abd17e7112cff00a033588df51bd64e608c34533ef4929977

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
418f685119c28105eb908e3bb0bb7782

SHA1
76ba0e560d3b8064de87f1e4e162742bb2960234

SHA256
4f0cbd9f016f6e717f7e101497de5eeea6e00baabbbbc3ee41df23f93aa9bbe8

SHA512
33040593cb144de903bc269d8ecc8219480a0c27f81ede41f431ae905fb47f3a55b3437d3dc655ec324b5792c1be502e2348b974b7472d7c09a1d61ece8bdfcc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
418f685119c28105eb908e3bb0bb7782

SHA1
76ba0e560d3b8064de87f1e4e162742bb2960234

SHA256
4f0cbd9f016f6e717f7e101497de5eeea6e00baabbbbc3ee41df23f93aa9bbe8

SHA512
33040593cb144de903bc269d8ecc8219480a0c27f81ede41f431ae905fb47f3a55b3437d3dc655ec324b5792c1be502e2348b974b7472d7c09a1d61ece8bdfcc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
abc4da3af1c8eea85020734380d0d9fb

SHA1
e4865a9677bdea5356986ef3e5f2ccf6f963c02d

SHA256
fcc5f4a8c3225f5918b45402e217a18b403a0947f0b8e8a5763d980059d719a2

SHA512
2fbafc8622473c7e0046c6c51e0965d525c2fdf0da3acd68a4315f5d34e5f449abf2922b49fe2d880a1348406717b206098de2a55e0eda49c5aa1131dc3d91cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
7677c726c9c006b9deb3c253bf2a5625

SHA1
f437ce5af2d637b493a823c0ab576d8fb34a3b47

SHA256
68738eceac5127f54d7e330d3523a0bc558bb9536c6c79c059064eb19fdfb414

SHA512
ffe79f94754c114446c3c5f89bf06c3debc8250324b54c12c3ae67d00218a39f2c86aa65abccbd7b48031e3b6e9ef69ae909f55b1e3f2b0a45dd041f1c8c7f08

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
520822126bd37a447d968b7becaf3e00

SHA1
85805d74a228bd54e325c673d23b763cf0de9e98

SHA256
a9e5b976728752711db4f7a9750e15741d0df6eb26f64da11bfb0956d9b8bafb

SHA512
001fe5940c4ad97c875db747a346b16cddaf3eb2069918b69b6d6c0267ba2982dfd9429b9bc0392f61f77371da86d9b3ad6a2eb7b3872c6db0c31fec1d13a518

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
e93fc2f20e4d2c4a397f4d434fcf3de3

SHA1
cd194668297b494d966cbcaf23056902c9334404

SHA256
b314a13bd2a3e0c449bf01ddfdc68e4535ad141de8e17ab430e8ede7e5d70181

SHA512
96b2c72bb06d27a9cd89e578e011ca456929d2b2c3891d10edf51e30258360cc960320319a1ce009fc6027c556d55f58be23ebcfe64ca4580471cd4475154f1e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
0cde0058c964e50a1dd090c87aa6ca9a

SHA1
c019b3a765b70f519d6bf2ecb33910d1e4a90eda

SHA256
c10377f4f296e5030a28c916ea6333c3ebf940b2b18f453b9364a7f81a8d71da

SHA512
f99288176c60d60c74bed1cbf952c03b7f23d12d5d2abdec37fcd37b334969b73c42f07fd3b31474dbab546d136cba4a3e90d478f5be3ede96ff2eb6d4f0a4f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
24ec2a7bbabfd3353f00d35080284247

SHA1
11b070464c407f82d2282ecea81b4064303248a2

SHA256
128a86ac8b285ee15b3b045db8ec54adebefbc55eb46b0a020902d08e1ee82b4

SHA512
4b48529c6290888ec277e4460bc3347821c4d46d1147ece37aa5c9672fe1947b055a283fc979bc21000238f1a5bd49d5b65643cdeb9d8d2ec86f92cce908b898

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
36f79a32faf8782ba3ca930919b832ae

SHA1
87c07682e9b915c0acb590710bd939d5c30a9970

SHA256
02fc89f2f8e65c3ea6014e2ead4f1915f172994dcb11417b7d86c2df07929f4e

SHA512
be097b90a9073f1d4af6892c2fb92cdca879b5a8874887c2366c57042b42bacd022384bf88a4b0cdbd46e48a3aa24885f2e70441fad258947844cf91ed4da591

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
1212efc61e2e3393d900b4d30fe43aff

SHA1
33dc4580d29004ed687a07ea41b1deeabb25859b

SHA256
14fb05b862e3a68aea1cb1fadc64c6ef6ea974d49fd490475aa237860313f921

SHA512
a8c6d419932b4d77604776137dcf272475c88b9e539b550ea6523b635b32f71e90d7433f5f8593d89d31e1c6919d82df3ff5497a7e87d146ca6d211a6384af9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
e463029edd4e5e3a8c52336c4a9dd22d

SHA1
1475b6c8d306ca3fe544ac35208bdfbce54594f3

SHA256
605dd4086bebcbd2140980db7bd62ed36a308bd02b65afaa9f43673fc3102373

SHA512
11fc61772fb1f783d7ef142fe709a9504cd22d19dfce46d44bbde9ff73201884a896fcef1583f444e659cddccfada83d49168cd46e723080f4e30ae484ad560a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
285fc7b9441fd39efec15cb98fed46e9

SHA1
502919c46ab8646c1dfc6ac96a242bac8ba76c5c

SHA256
9f5ff2a096486adbc402175997cdb22d8fd4f0862564dfa1cdbcc5ae53aa1098

SHA512
b88f1c0afd269eff656465f26b9507c0540f66747083662268d2f4675e93eab7c840ac403ab5c7c2a528b6e6f3e8740a90a58ec30288d121dd3fc270f9eaf838

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
f20a940f66ded83c1d61401ce37ce231

SHA1
56a2824665f7172934cce32ce906ae535b729047

SHA256
8ce8571d9e2884ae827c9b3ead54728bf67b7dd6cfadb9593cd9c50c74ed929a

SHA512
6f86732240ed1ce2e9194aad554a13770417d09e6fde44b735b30a7e5bc8f710c1eb22394b09e0272eb33e343da8b1e318171436b51e5084489c899a87c78834

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
f20a940f66ded83c1d61401ce37ce231

SHA1
56a2824665f7172934cce32ce906ae535b729047

SHA256
8ce8571d9e2884ae827c9b3ead54728bf67b7dd6cfadb9593cd9c50c74ed929a

SHA512
6f86732240ed1ce2e9194aad554a13770417d09e6fde44b735b30a7e5bc8f710c1eb22394b09e0272eb33e343da8b1e318171436b51e5084489c899a87c78834

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
7a1b46032f5b1451f18db56de33247ca

SHA1
5fe4cfed4021b146fe3e7274f8e26d281af3f980

SHA256
0d0a15f8a72fcbc6c66a3fd5569e743ebe3e041940fa7b02c6cf5ebd5cf618dc

SHA512
2640a9dc64e05e4c3a42bcfc39919f41d63490f967c2b76e40ae24e630597d4c741e09b6d90608e9da9260467df5e97b270473f8e29bab94fe08b7a311f34ae2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
726b82d1f36dc9eca72d34b7fa641be7

SHA1
83e083fb5ed16ccbaec46db9dc85ec4dc0efbe4b

SHA256
657345aee3ecf085ad90d9a4eeb58f93b1d9dde291a0f1c80dfa85de75e9d175

SHA512
765c184333843f4cad7b10e9ca00c27ee70228bee4f0991bc24508e61522e1c32977ce2635f31408fb3a3b1562aa88d48464863173cca270f88d771281f06114

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
256ba28dadda4d9fdd0fd7bb1643541e

SHA1
4c16fc6cf9c85977ba412b9eec067d29f7f6bab7

SHA256
24071ec696298d07b22dc1e3bdd276a51f8721a4e99a91637877da6596ca0bac

SHA512
96033ddf956844c9b89246cfd1b5dd424ed3c0bc383790ce067c5dddef97322858bddfc9eec6c5f487dae4b9087235f97fdc2c2e6ee722d0cd1734f5a1d3d3c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
256ba28dadda4d9fdd0fd7bb1643541e

SHA1
4c16fc6cf9c85977ba412b9eec067d29f7f6bab7

SHA256
24071ec696298d07b22dc1e3bdd276a51f8721a4e99a91637877da6596ca0bac

SHA512
96033ddf956844c9b89246cfd1b5dd424ed3c0bc383790ce067c5dddef97322858bddfc9eec6c5f487dae4b9087235f97fdc2c2e6ee722d0cd1734f5a1d3d3c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
cd0709682bee157de55d672e0af21b60

SHA1
99e91cb8dcf8d511cf2151193740490beb6f510d

SHA256
bba2ef385375a7b838a035786e0cdf826113502ccb03cbd88e380853e9740690

SHA512
afac9fad2ddf0057d61d99189d09ff654b6408b0acb0b7f312783ab3ccbca9ebf87c75110a68b8b8d81aa4dec84490c6faf8c3eb09f9629a785653f017d5467b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
35ab152652389889a5a9a41a50b56c66

SHA1
96ab7a7e44176e93fb696f8cabda6ffaf35e2bfa

SHA256
75c58d9ffbab14a63c67ca8edd941917f4b561dc70351687a1739cf2c6b70fb8

SHA512
e63fe558db9cf4e1ed6ab072d92cbddfa4d576f558e65dcbe29f04adf57e5df0c7cc35b23f27ab9e98facbb4b90d7efa785f271cbee0eb61a94403f3d68963c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
77b2d16c827091db8c6b454fd0bfbb94

SHA1
9babddc7b702b481047687808f1743946067f864

SHA256
70d95d22fac18597ff1fa2f5fa00b3532a19746d0083614c548ad0efbc49fb84

SHA512
1001d77c7579cacb3f2abf4f44a57951d07a95e020fa5579d8fef3338cf3c53ca7aa3984f02d720d3a0416f1cb6fc3b00da45e3bfd5e52755736818d64b9e8f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
56c6a66386f6064486db3e1e5af30e83

SHA1
da81031ac6d708b69a33547d05a6fd216bed8643

SHA256
6c5313a4c210b100fcfbdceca3b33a23a5cd24ecc70a3ae1575610ee5df087bd

SHA512
4a0e4312abfaa9d21fe5e6091a7e8c7d18e4c54a436646dd1464f861df1d04777c8a76649c949c9acb2599a53f73f6890bf8bd53801e35965905002ed083db48

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
56c6a66386f6064486db3e1e5af30e83

SHA1
da81031ac6d708b69a33547d05a6fd216bed8643

SHA256
6c5313a4c210b100fcfbdceca3b33a23a5cd24ecc70a3ae1575610ee5df087bd

SHA512
4a0e4312abfaa9d21fe5e6091a7e8c7d18e4c54a436646dd1464f861df1d04777c8a76649c949c9acb2599a53f73f6890bf8bd53801e35965905002ed083db48

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
1e351b1b2238863f232c2246ea525c03

SHA1
70833c584107266be65aa0dcb5422109fdb470a1

SHA256
a194d2d5d18a416aae68949921c088b02378528ffb3e76cab948dd530f676f95

SHA512
b305b00ffea9601efc8443ec5dcc3ac3cd77461f5f34c5d5ca5d79aefce88941baf54bef7ab88abb2e5e3f93163af7d61f5e0c1c2b3eed53629de2e8c7af283f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
982dc4eb6cd449525535edb035ab88d3

SHA1
cf142f6006bcc70d7389e5aee9ede9e60360d5d8

SHA256
faf25aed1edb43ddf8f9321509b6b5c53f81e11ee4bcb715842b8a9d2ec0f727

SHA512
ddc66a7fd9f3434a02c84015cb0e1ad69bd98d2c57b9f4fbac4e9c0aaa851084802c8da6899f045b83f772953545765625da61472a8b53c7fb12c135f0caaa7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
90a22b4b2aedea6acedd7e8b5397d258

SHA1
bb4fe5eac124566a5e4686656146e3cab6ee9896

SHA256
6860446a9ba7f8ae417dbc946bb71cc39af9f492276c43c76ed3673de12d1f63

SHA512
9199d95f39462f67f8029a6ccc3f10ea1ce916000a257cf0dc723c63106d75f3a257df8fc9fa1daacfd1c510ee10098928c8168b288fd1805038120e6013f7bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
b46b623c5c5d0b54f14df0a63e2da963

SHA1
adf9576429dc7ad21f316277c65c249dd95692e6

SHA256
8de846d5837548a5690b32be5d1d3c9a2b3d28e8c728f85798f8ac219299ad03

SHA512
03518efa5649339cc9fed7a9038633a6a0b839fd7e9e6e115ba377c85354342072c295b3dc0ab0d5638aa5d79319c5f10f12195e9a585eea4c3e651c03ff9cc1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
c3fe11c66ad80a93e9031d98ada3e599

SHA1
69d50a5460fa1e9ba789f17b260d5278a83e866b

SHA256
8ff2852a4bfd62074e3d2b2110a45c8cd2bb7349c6b49232c93409512228a9bf

SHA512
e555be4cca9706778444152b63daf2443f5ba2ea1b0bae77b02e1b0e5bb8238512afb71a448fd12a24862fbcc4a4e6a65cc4ce272e7327202def14740fd4176f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
a67e5bfaa5bb6d85acdc5e9c0163a1eb

SHA1
f15d58177e37e977ab4458e53bf67c8f4af1320e

SHA256
da8da15ca259439ea2e3c435e5d5a1692ccdba77130dfbcc3b1a57db8a5be33e

SHA512
04aa79702d4f79d47c6e3f941f1bd85d616eb4bfe31aa9aa8dc284a42af588bd615da238c43b615f98e03295bcb96799ddb41ec19a517cdfefbe95ebb1dc7ed5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
03dd58f3d1798b92e3ac942402551b27

SHA1
cc660cc6181df18e4d5e1c84d6217eed6943816b

SHA256
203609f36f1901c21de6bf1b2655cedad3938fb791eb0957c5ec56ebc9aa8713

SHA512
8fa5c5fde86538ba37e40bb0202377234e0ee37e79735a534a115e8ca4245b61b0551fc3c6db1111c995e889dcec6a4aba27aa0f53658081244089f0b40766aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
bdfcb5e2a2c838af8e2d156b74381605

SHA1
1827b57f8bf6072c984747fec959992451a6891a

SHA256
864acacec83c7e01ff70d77901fb1d9fe031345c2373ca05659ef47acbb5594c

SHA512
12c854b2e0cbbcdf702c2622baf378899b3189fe181b3831b711bcb192eeee1b920ec49a5410726bc4cbee34630e0b463f24349aa182722648b82f7fbc8180be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
f1be9e44d6c158e0a48bca0d338eaae6

SHA1
dcf280b0623764360742667838fb42e8a916d060

SHA256
d71098e6515eb33b721fe0ca7342994e93ef653073e01ef6c9c6fec80bef6577

SHA512
3591dc1421075966f352f370dc924c3713d86166154a82585dfb4aeb309d184e65a19580367e69c8864178cfae1e849b7700e5a2a09aff86fb058b6a0d3779c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
0457df245ade54671b2d600462f7d94f

SHA1
2652e23db6e67d33f166b93ff9f9d31719457a4c

SHA256
3521f2ce810cbc0e194aefe45c4cb06b2ba1cb84cc6f0e6a24ec4e649ef35185

SHA512
be4f6ab592f1d6167b245afcf44ebca0aacd8f0bd7272b996678f46cb7f78ecc6be7c9ec055e2e763d3cfd72ca9aed60ffbfd3a7ba74f056070c889e57764691

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
063fcaddfba93491affa93f534582abe

SHA1
8782e6b8fe49e597a9f3ef8df49fad714c9181e6

SHA256
abe1f2cbb3dfc67bf0ee2a7bad544ef3e8ce97c82d13dcfac6fe0d208b830bc4

SHA512
86e7045e1e90cf75d9e2c73b6ac497995db44ccdfa8993dc3fe92ee4aedc2a32b359ef67278c6a09dfd36eccb661fe9de40e25ce77ba8f5095218b039e5710e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
d1c9a68ae8b01305974905ddfffd9c4e

SHA1
7dafa5ca5e4812d21ecb79c9a11c82e056ee4035

SHA256
094061df338d687ec0cbc29fa601333f69b7acbc019ee83ea813373dbc1870cb

SHA512
7ef1fc6421e0d18d392412e67c0d0295a8bc450d34f7efbee95359d2377dd89302664c0625f401f319b727bd257b79866beafe356a03f8576685a4bde7a40788

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
aa6906a2ccda969fca5562cb7233f651

SHA1
d3ed34b907e7734e10ec6eb0ee1f74b937645747

SHA256
9b5a0b76f675e6be34648ae2154d3ddf99b97252b6a0b1bb74f4554fa76841d8

SHA512
53d878bac9a702c0273bd050282f22afd2b5b4567269de333d37f455a701a949e9b740528b9e97f09e95126f345da657fd899971f2e771835cb52ea43fd3ffe9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
aa6906a2ccda969fca5562cb7233f651

SHA1
d3ed34b907e7734e10ec6eb0ee1f74b937645747

SHA256
9b5a0b76f675e6be34648ae2154d3ddf99b97252b6a0b1bb74f4554fa76841d8

SHA512
53d878bac9a702c0273bd050282f22afd2b5b4567269de333d37f455a701a949e9b740528b9e97f09e95126f345da657fd899971f2e771835cb52ea43fd3ffe9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
0caab42cd557f4fc29dd9b721c2ce1ca

SHA1
abed58b03f073c0a291d6b8fa5d318118c29e5d6

SHA256
9c60692ad2963d05047a9c14ca000895d5316f9a5c3d9b2c526c781d30499f9a

SHA512
9682d16c7eabb0e580f14d26313a6c1a6de9be8aecc47c9fe7bffce194bcd531e894c965eef6f51d66033b7b38773e1a71c447e0892b90222b6b02aed1bc0a80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
6965d691cb4afe98025f70113c3b2619

SHA1
4baed1bb976d974fd4a94dde1301ae247c8bfbb8

SHA256
8abfde7cbb13d0ab91e69d1f9b303fb12f6b7ac5f52a94383ca86d6e9628dcf3

SHA512
0d900408094c50bf5fedcb36b2c749bfbd90ad9713323d9f94176b2e1563ff2cb058d6fa75055f281845f260cd61922cf1a60956a5b91784870fb6017239cdb4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
2c7a6ffc4ed6e6db2fc074789ccb6bee

SHA1
8c7c98ea1a19eb91343fc4f15fb3d6a6c7ced763

SHA256
de75c2966fedc6b7970875fd24b9c808dfc009d6765b697efadcb3d551503f68

SHA512
516885680d12e56e891e741cc3cb07e01dee2204fb810219e613126df49c561cb4263a4b50b1a7751d6597442d0a35f7acd05c79bff209b264b267e780cb9e52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
feed5e6fcdca226e6a6bb3665f384c41

SHA1
6b4472e910cb23cf733d927810793e5ce909e760

SHA256
a40c6f80a3e9f70c6685121877526c67d86f1404c2ec1a28a6739d5cf5e5fff6

SHA512
b18631ae33a850785354a4c23fbdac960996158fb7daf2c1c146054c2eb1ded828d021afb92030f1845b22efda349c5c4dc91b5dd2b2768274cee7718479d0b0

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
544KB

MD5
785a8785372aa6660b004b5bca78a530

SHA1
c2b78ef3244d5d00ee002c91b1d38bee3b6fdfd7

SHA256
5c367bd5372d8b1addd661083b11d0c9055c313883325a8802bc0bab3e6c08c1

SHA512
588cfcfa67989101fddfdd37851a157785b7907d88d277e1ea07ce915a9413b70fd84e16b24cc21717234cd81c7c65969d9054d3bb5945bb620300276ef714b2

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
544KB

MD5
785a8785372aa6660b004b5bca78a530

SHA1
c2b78ef3244d5d00ee002c91b1d38bee3b6fdfd7

SHA256
5c367bd5372d8b1addd661083b11d0c9055c313883325a8802bc0bab3e6c08c1

SHA512
588cfcfa67989101fddfdd37851a157785b7907d88d277e1ea07ce915a9413b70fd84e16b24cc21717234cd81c7c65969d9054d3bb5945bb620300276ef714b2

Download Submit
memory/4596-130-0x0000000000000000-mapping.dmp

Download