78aeca6f87356d5d7407a6d7f28687a2c325c16c36fd195617e910c659fc03cb

Analysis

max time kernel
149s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/04/2023, 04:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
Size

2.4MB
MD5

9f10e5d07b6fda46d9476ab08d122fb2
SHA1

43dda00e106d5f4de40bc82dd901153e82629cc6
SHA256

78aeca6f87356d5d7407a6d7f28687a2c325c16c36fd195617e910c659fc03cb
SHA512

f3bc0ee35033ca060260c9c00d85828d6ccf7428f577c2b52f6e6a2d7b3728dce6148d96c4f0c31cfd485103af8ad75d636e2ad9425b243fe6c0768947ceca32
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCo:eEtl9mRda12sX7hKB8NIyXbacAfuS

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe

Executes dropped EXE 1 IoCs

pid	Process
1688	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
908	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
908	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File opened (read-only)	\??\Y:	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\E:	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\B:	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File opened (read-only)	\??\H:	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File opened (read-only)	\??\N:	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File opened (read-only)	\??\R:	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File opened (read-only)	\??\U:	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File opened (read-only)	\??\V:	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\S:	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File opened (read-only)	\??\Z:	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\I:	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File opened (read-only)	\??\Q:	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File opened (read-only)	\??\T:	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\X:	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\G:	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File opened (read-only)	\??\K:	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File opened (read-only)	\??\L:	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File opened (read-only)	\??\M:	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File opened (read-only)	\??\O:	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File opened (read-only)	\??\W:	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\F:	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\A:	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File opened (read-only)	\??\J:	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	HelpMe.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1688	HelpMe.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 1688	908	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe	28
PID 908 wrote to memory of 1688	908	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe	28
PID 908 wrote to memory of 1688	908	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe	28
PID 908 wrote to memory of 1688	908	2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe	28

C:\Users\Admin\AppData\Local\Temp\2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2023-04-10_9f10e5d07b6fda46d9476ab08d122fb2_ryuk.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:908
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2647223082-2067913677-935928954-1000\desktop.ini.exe

Filesize
2.4MB

MD5
c519b2ab5aed05691a17561b21388a8e

SHA1
20f741fa1ef16a3ed553ef9f59d3d45bc9bb5ad8

SHA256
743d615cc98feb49ebfa883624c8e8ec0530ed678c661845d559ca2aefb78995

SHA512
48627e030c70b96602edf160ac382db9dded180a2a763e0886c15ded97542a522adf65d9ad41201b1a79116e290caf82f68582fecce4f2738c81ca91bd1efe30

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AutoRun.exe

Filesize
2.4MB

MD5
9f10e5d07b6fda46d9476ab08d122fb2

SHA1
43dda00e106d5f4de40bc82dd901153e82629cc6

SHA256
78aeca6f87356d5d7407a6d7f28687a2c325c16c36fd195617e910c659fc03cb

SHA512
f3bc0ee35033ca060260c9c00d85828d6ccf7428f577c2b52f6e6a2d7b3728dce6148d96c4f0c31cfd485103af8ad75d636e2ad9425b243fe6c0768947ceca32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
bec3d41824c18bd93852326f1f0f7c46

SHA1
01b292612d1200b1af1affec91efcb78b02343af

SHA256
11f9479d53b84771b9f486006016166c7fb3eda42e9bdeba17fe74aaecb4fe57

SHA512
5cbd5f79176b98b5071089f132bf375a9d9673004c92b07aace2babe98cf9bcda2ee773f4d4fb9499183331f3f3d38868f407c3c29e17538de44142626e2b06e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
bec3d41824c18bd93852326f1f0f7c46

SHA1
01b292612d1200b1af1affec91efcb78b02343af

SHA256
11f9479d53b84771b9f486006016166c7fb3eda42e9bdeba17fe74aaecb4fe57

SHA512
5cbd5f79176b98b5071089f132bf375a9d9673004c92b07aace2babe98cf9bcda2ee773f4d4fb9499183331f3f3d38868f407c3c29e17538de44142626e2b06e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fedffcf8619cc89c359e565b245001dd

SHA1
990c21aae6f563699b77cc5a9d17816dd488319a

SHA256
00f9f44f07ee66c030ffa9ffd0691d1a8f2302d68909da378c34f77434094c9c

SHA512
d515fb7e20b2f1c517870b5a4055db4c4f9ea605729ecbb3e87d6d9c35df40c62086eafe396c96a22a79b98434582c420d413ec1ebd5b6d395709302e1ab7b46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
bec3d41824c18bd93852326f1f0f7c46

SHA1
01b292612d1200b1af1affec91efcb78b02343af

SHA256
11f9479d53b84771b9f486006016166c7fb3eda42e9bdeba17fe74aaecb4fe57

SHA512
5cbd5f79176b98b5071089f132bf375a9d9673004c92b07aace2babe98cf9bcda2ee773f4d4fb9499183331f3f3d38868f407c3c29e17538de44142626e2b06e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fedffcf8619cc89c359e565b245001dd

SHA1
990c21aae6f563699b77cc5a9d17816dd488319a

SHA256
00f9f44f07ee66c030ffa9ffd0691d1a8f2302d68909da378c34f77434094c9c

SHA512
d515fb7e20b2f1c517870b5a4055db4c4f9ea605729ecbb3e87d6d9c35df40c62086eafe396c96a22a79b98434582c420d413ec1ebd5b6d395709302e1ab7b46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fedffcf8619cc89c359e565b245001dd

SHA1
990c21aae6f563699b77cc5a9d17816dd488319a

SHA256
00f9f44f07ee66c030ffa9ffd0691d1a8f2302d68909da378c34f77434094c9c

SHA512
d515fb7e20b2f1c517870b5a4055db4c4f9ea605729ecbb3e87d6d9c35df40c62086eafe396c96a22a79b98434582c420d413ec1ebd5b6d395709302e1ab7b46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fedffcf8619cc89c359e565b245001dd

SHA1
990c21aae6f563699b77cc5a9d17816dd488319a

SHA256
00f9f44f07ee66c030ffa9ffd0691d1a8f2302d68909da378c34f77434094c9c

SHA512
d515fb7e20b2f1c517870b5a4055db4c4f9ea605729ecbb3e87d6d9c35df40c62086eafe396c96a22a79b98434582c420d413ec1ebd5b6d395709302e1ab7b46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
bec3d41824c18bd93852326f1f0f7c46

SHA1
01b292612d1200b1af1affec91efcb78b02343af

SHA256
11f9479d53b84771b9f486006016166c7fb3eda42e9bdeba17fe74aaecb4fe57

SHA512
5cbd5f79176b98b5071089f132bf375a9d9673004c92b07aace2babe98cf9bcda2ee773f4d4fb9499183331f3f3d38868f407c3c29e17538de44142626e2b06e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
bec3d41824c18bd93852326f1f0f7c46

SHA1
01b292612d1200b1af1affec91efcb78b02343af

SHA256
11f9479d53b84771b9f486006016166c7fb3eda42e9bdeba17fe74aaecb4fe57

SHA512
5cbd5f79176b98b5071089f132bf375a9d9673004c92b07aace2babe98cf9bcda2ee773f4d4fb9499183331f3f3d38868f407c3c29e17538de44142626e2b06e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
bec3d41824c18bd93852326f1f0f7c46

SHA1
01b292612d1200b1af1affec91efcb78b02343af

SHA256
11f9479d53b84771b9f486006016166c7fb3eda42e9bdeba17fe74aaecb4fe57

SHA512
5cbd5f79176b98b5071089f132bf375a9d9673004c92b07aace2babe98cf9bcda2ee773f4d4fb9499183331f3f3d38868f407c3c29e17538de44142626e2b06e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fedffcf8619cc89c359e565b245001dd

SHA1
990c21aae6f563699b77cc5a9d17816dd488319a

SHA256
00f9f44f07ee66c030ffa9ffd0691d1a8f2302d68909da378c34f77434094c9c

SHA512
d515fb7e20b2f1c517870b5a4055db4c4f9ea605729ecbb3e87d6d9c35df40c62086eafe396c96a22a79b98434582c420d413ec1ebd5b6d395709302e1ab7b46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
bec3d41824c18bd93852326f1f0f7c46

SHA1
01b292612d1200b1af1affec91efcb78b02343af

SHA256
11f9479d53b84771b9f486006016166c7fb3eda42e9bdeba17fe74aaecb4fe57

SHA512
5cbd5f79176b98b5071089f132bf375a9d9673004c92b07aace2babe98cf9bcda2ee773f4d4fb9499183331f3f3d38868f407c3c29e17538de44142626e2b06e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fedffcf8619cc89c359e565b245001dd

SHA1
990c21aae6f563699b77cc5a9d17816dd488319a

SHA256
00f9f44f07ee66c030ffa9ffd0691d1a8f2302d68909da378c34f77434094c9c

SHA512
d515fb7e20b2f1c517870b5a4055db4c4f9ea605729ecbb3e87d6d9c35df40c62086eafe396c96a22a79b98434582c420d413ec1ebd5b6d395709302e1ab7b46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
bec3d41824c18bd93852326f1f0f7c46

SHA1
01b292612d1200b1af1affec91efcb78b02343af

SHA256
11f9479d53b84771b9f486006016166c7fb3eda42e9bdeba17fe74aaecb4fe57

SHA512
5cbd5f79176b98b5071089f132bf375a9d9673004c92b07aace2babe98cf9bcda2ee773f4d4fb9499183331f3f3d38868f407c3c29e17538de44142626e2b06e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
bec3d41824c18bd93852326f1f0f7c46

SHA1
01b292612d1200b1af1affec91efcb78b02343af

SHA256
11f9479d53b84771b9f486006016166c7fb3eda42e9bdeba17fe74aaecb4fe57

SHA512
5cbd5f79176b98b5071089f132bf375a9d9673004c92b07aace2babe98cf9bcda2ee773f4d4fb9499183331f3f3d38868f407c3c29e17538de44142626e2b06e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
bec3d41824c18bd93852326f1f0f7c46

SHA1
01b292612d1200b1af1affec91efcb78b02343af

SHA256
11f9479d53b84771b9f486006016166c7fb3eda42e9bdeba17fe74aaecb4fe57

SHA512
5cbd5f79176b98b5071089f132bf375a9d9673004c92b07aace2babe98cf9bcda2ee773f4d4fb9499183331f3f3d38868f407c3c29e17538de44142626e2b06e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fedffcf8619cc89c359e565b245001dd

SHA1
990c21aae6f563699b77cc5a9d17816dd488319a

SHA256
00f9f44f07ee66c030ffa9ffd0691d1a8f2302d68909da378c34f77434094c9c

SHA512
d515fb7e20b2f1c517870b5a4055db4c4f9ea605729ecbb3e87d6d9c35df40c62086eafe396c96a22a79b98434582c420d413ec1ebd5b6d395709302e1ab7b46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f108c98c8366f552fb665c4538cf7557

SHA1
0c4a7bb88851ba7731b2dffc76d66fa8eb6ae932

SHA256
eb787dbac3cbdc8296a964282864cdd751a5bb32b89e4f0b503a0b9bd9938ecb

SHA512
b246dbfc91d6ebb52baba2ab9ce4be55993726a046bdfb14cd9f25e48e24c062b21b9419c4848db16c59224e4da48a149a708093c221e4d404886ac3601dfdbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f108c98c8366f552fb665c4538cf7557

SHA1
0c4a7bb88851ba7731b2dffc76d66fa8eb6ae932

SHA256
eb787dbac3cbdc8296a964282864cdd751a5bb32b89e4f0b503a0b9bd9938ecb

SHA512
b246dbfc91d6ebb52baba2ab9ce4be55993726a046bdfb14cd9f25e48e24c062b21b9419c4848db16c59224e4da48a149a708093c221e4d404886ac3601dfdbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fedffcf8619cc89c359e565b245001dd

SHA1
990c21aae6f563699b77cc5a9d17816dd488319a

SHA256
00f9f44f07ee66c030ffa9ffd0691d1a8f2302d68909da378c34f77434094c9c

SHA512
d515fb7e20b2f1c517870b5a4055db4c4f9ea605729ecbb3e87d6d9c35df40c62086eafe396c96a22a79b98434582c420d413ec1ebd5b6d395709302e1ab7b46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fedffcf8619cc89c359e565b245001dd

SHA1
990c21aae6f563699b77cc5a9d17816dd488319a

SHA256
00f9f44f07ee66c030ffa9ffd0691d1a8f2302d68909da378c34f77434094c9c

SHA512
d515fb7e20b2f1c517870b5a4055db4c4f9ea605729ecbb3e87d6d9c35df40c62086eafe396c96a22a79b98434582c420d413ec1ebd5b6d395709302e1ab7b46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fedffcf8619cc89c359e565b245001dd

SHA1
990c21aae6f563699b77cc5a9d17816dd488319a

SHA256
00f9f44f07ee66c030ffa9ffd0691d1a8f2302d68909da378c34f77434094c9c

SHA512
d515fb7e20b2f1c517870b5a4055db4c4f9ea605729ecbb3e87d6d9c35df40c62086eafe396c96a22a79b98434582c420d413ec1ebd5b6d395709302e1ab7b46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
bec3d41824c18bd93852326f1f0f7c46

SHA1
01b292612d1200b1af1affec91efcb78b02343af

SHA256
11f9479d53b84771b9f486006016166c7fb3eda42e9bdeba17fe74aaecb4fe57

SHA512
5cbd5f79176b98b5071089f132bf375a9d9673004c92b07aace2babe98cf9bcda2ee773f4d4fb9499183331f3f3d38868f407c3c29e17538de44142626e2b06e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
bec3d41824c18bd93852326f1f0f7c46

SHA1
01b292612d1200b1af1affec91efcb78b02343af

SHA256
11f9479d53b84771b9f486006016166c7fb3eda42e9bdeba17fe74aaecb4fe57

SHA512
5cbd5f79176b98b5071089f132bf375a9d9673004c92b07aace2babe98cf9bcda2ee773f4d4fb9499183331f3f3d38868f407c3c29e17538de44142626e2b06e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fedffcf8619cc89c359e565b245001dd

SHA1
990c21aae6f563699b77cc5a9d17816dd488319a

SHA256
00f9f44f07ee66c030ffa9ffd0691d1a8f2302d68909da378c34f77434094c9c

SHA512
d515fb7e20b2f1c517870b5a4055db4c4f9ea605729ecbb3e87d6d9c35df40c62086eafe396c96a22a79b98434582c420d413ec1ebd5b6d395709302e1ab7b46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fedffcf8619cc89c359e565b245001dd

SHA1
990c21aae6f563699b77cc5a9d17816dd488319a

SHA256
00f9f44f07ee66c030ffa9ffd0691d1a8f2302d68909da378c34f77434094c9c

SHA512
d515fb7e20b2f1c517870b5a4055db4c4f9ea605729ecbb3e87d6d9c35df40c62086eafe396c96a22a79b98434582c420d413ec1ebd5b6d395709302e1ab7b46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
bec3d41824c18bd93852326f1f0f7c46

SHA1
01b292612d1200b1af1affec91efcb78b02343af

SHA256
11f9479d53b84771b9f486006016166c7fb3eda42e9bdeba17fe74aaecb4fe57

SHA512
5cbd5f79176b98b5071089f132bf375a9d9673004c92b07aace2babe98cf9bcda2ee773f4d4fb9499183331f3f3d38868f407c3c29e17538de44142626e2b06e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fedffcf8619cc89c359e565b245001dd

SHA1
990c21aae6f563699b77cc5a9d17816dd488319a

SHA256
00f9f44f07ee66c030ffa9ffd0691d1a8f2302d68909da378c34f77434094c9c

SHA512
d515fb7e20b2f1c517870b5a4055db4c4f9ea605729ecbb3e87d6d9c35df40c62086eafe396c96a22a79b98434582c420d413ec1ebd5b6d395709302e1ab7b46

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
e04aa3a6b658b95396943832bf985573

SHA1
da70e2b4b0912a7bced95e0cfeb80ced99ad1b88

SHA256
5b5796f2098629008eedadd5420d5fc1845a305fe2d41fe03773f71b36219fd7

SHA512
805c003d44b9d8d6d7c3fd99dbcf9dd86f480aad9190eb7273690ba55a1bde4ad7f59ce2d91733d80f35441154f9b7633edba99430bd95e8e062be5fd7b2cfd2

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
e04aa3a6b658b95396943832bf985573

SHA1
da70e2b4b0912a7bced95e0cfeb80ced99ad1b88

SHA256
5b5796f2098629008eedadd5420d5fc1845a305fe2d41fe03773f71b36219fd7

SHA512
805c003d44b9d8d6d7c3fd99dbcf9dd86f480aad9190eb7273690ba55a1bde4ad7f59ce2d91733d80f35441154f9b7633edba99430bd95e8e062be5fd7b2cfd2

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
e04aa3a6b658b95396943832bf985573

SHA1
da70e2b4b0912a7bced95e0cfeb80ced99ad1b88

SHA256
5b5796f2098629008eedadd5420d5fc1845a305fe2d41fe03773f71b36219fd7

SHA512
805c003d44b9d8d6d7c3fd99dbcf9dd86f480aad9190eb7273690ba55a1bde4ad7f59ce2d91733d80f35441154f9b7633edba99430bd95e8e062be5fd7b2cfd2

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
e04aa3a6b658b95396943832bf985573

SHA1
da70e2b4b0912a7bced95e0cfeb80ced99ad1b88

SHA256
5b5796f2098629008eedadd5420d5fc1845a305fe2d41fe03773f71b36219fd7

SHA512
805c003d44b9d8d6d7c3fd99dbcf9dd86f480aad9190eb7273690ba55a1bde4ad7f59ce2d91733d80f35441154f9b7633edba99430bd95e8e062be5fd7b2cfd2

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
e04aa3a6b658b95396943832bf985573

SHA1
da70e2b4b0912a7bced95e0cfeb80ced99ad1b88

SHA256
5b5796f2098629008eedadd5420d5fc1845a305fe2d41fe03773f71b36219fd7

SHA512
805c003d44b9d8d6d7c3fd99dbcf9dd86f480aad9190eb7273690ba55a1bde4ad7f59ce2d91733d80f35441154f9b7633edba99430bd95e8e062be5fd7b2cfd2

Download Submit
memory/908-57-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/908-121-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/908-124-0x0000000000260000-0x00000000002DB000-memory.dmp

Filesize
492KB

Download
memory/908-70-0x0000000000260000-0x00000000002DB000-memory.dmp

Filesize
492KB

Download
memory/908-58-0x0000000000260000-0x00000000002DB000-memory.dmp

Filesize
492KB

Download
memory/908-56-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1688-71-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1688-72-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1688-125-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download