0dfa5754bd91b3605504f8cf49d498d0e3b7ea5d0c3af20bd94eb33d6704626d

Analysis

max time kernel
153s
max time network
35s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
26/04/2023, 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-04-25_88a230528b06c525c64b27905aef17df_ryuk.exe
Size

3.0MB
MD5

88a230528b06c525c64b27905aef17df
SHA1

d69533af59e863787f0e914bb62c713ea3db90af
SHA256

0dfa5754bd91b3605504f8cf49d498d0e3b7ea5d0c3af20bd94eb33d6704626d
SHA512

a119918d2adcaa80700ddf2fd79d421e2c21c1a881ab1c3bd1081b602e9d97a22b73b92a0b7ad54f0c76f50727adb0a2fc9644e224b4ce2d42c6110539e814b9
SSDEEP

24576:eEtl9mRda12sX7hKB8NIyXbacAfPNRdpkhtIShJVVTyJNPtx:9Es1RMB8NIMIXDCjVyT

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	MZ

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	MZ
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 2 IoCs

pid	Process
1584	HelpMe.exe
848	MZ

Loads dropped DLL 4 IoCs

pid	Process
1612	2023-04-25_88a230528b06c525c64b27905aef17df_ryuk.exe
1612	2023-04-25_88a230528b06c525c64b27905aef17df_ryuk.exe
1612	2023-04-25_88a230528b06c525c64b27905aef17df_ryuk.exe
1612	2023-04-25_88a230528b06c525c64b27905aef17df_ryuk.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	MZ
File opened (read-only)	\??\O:	MZ
File opened (read-only)	\??\P:	MZ
File opened (read-only)	\??\Q:	MZ
File opened (read-only)	\??\Z:	MZ
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\J:	MZ
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\F:	MZ
File opened (read-only)	\??\M:	MZ
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\B:	MZ
File opened (read-only)	\??\X:	MZ
File opened (read-only)	\??\Y:	MZ
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\T:	MZ
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\N:	MZ
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\A:	MZ
File opened (read-only)	\??\G:	MZ
File opened (read-only)	\??\I:	MZ
File opened (read-only)	\??\S:	MZ
File opened (read-only)	\??\W:	MZ
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\U:	MZ
File opened (read-only)	\??\V:	MZ
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\E:	MZ
File opened (read-only)	\??\H:	MZ
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\L:	MZ
File opened (read-only)	\??\R:	MZ
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	MZ

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	MZ
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	2023-04-25_88a230528b06c525c64b27905aef17df_ryuk.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	2023-04-25_88a230528b06c525c64b27905aef17df_ryuk.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-04-25_88a230528b06c525c64b27905aef17df_ryuk.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	2023-04-25_88a230528b06c525c64b27905aef17df_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1612	2023-04-25_88a230528b06c525c64b27905aef17df_ryuk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1584	1612	2023-04-25_88a230528b06c525c64b27905aef17df_ryuk.exe	27
PID 1612 wrote to memory of 1584	1612	2023-04-25_88a230528b06c525c64b27905aef17df_ryuk.exe	27
PID 1612 wrote to memory of 1584	1612	2023-04-25_88a230528b06c525c64b27905aef17df_ryuk.exe	27
PID 1612 wrote to memory of 1584	1612	2023-04-25_88a230528b06c525c64b27905aef17df_ryuk.exe	27
PID 1612 wrote to memory of 848	1612	2023-04-25_88a230528b06c525c64b27905aef17df_ryuk.exe	28
PID 1612 wrote to memory of 848	1612	2023-04-25_88a230528b06c525c64b27905aef17df_ryuk.exe	28
PID 1612 wrote to memory of 848	1612	2023-04-25_88a230528b06c525c64b27905aef17df_ryuk.exe	28
PID 1612 wrote to memory of 848	1612	2023-04-25_88a230528b06c525c64b27905aef17df_ryuk.exe	28

C:\Users\Admin\AppData\Local\Temp\2023-04-25_88a230528b06c525c64b27905aef17df_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2023-04-25_88a230528b06c525c64b27905aef17df_ryuk.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1584
- C:\Users\Admin\AppData\Local\Temp\MZ
  C:\Users\Admin\AppData\Local\Temp\\MZ
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1563773381-2037468142-1146002597-1000\desktop.ini.exe

Filesize
2.5MB

MD5
5d46b916000beb4d7ee5152d85e4191b

SHA1
d3865c633b4e4fe311cf871d220c7aef1fb4e406

SHA256
c39f88908b7d289c9b9fd245c90ed2b7fe781e68f565d2652cbbdeb7443de7a5

SHA512
699133e4a89de52ebb6be3f7f11bd8b4eff25e8257747cbcfc34dac78b1dabfdc79083d31330cc604923fc0799031d0aa28e82a18da5b04f62fc7c8d39b118ef

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AutoRun.exe

Filesize
2.5MB

MD5
96fe9afe15150cd44126d984b9087035

SHA1
7ab7b18461f1e6ccad122116555e6a2fab3423ef

SHA256
9ea786661f9422c4c22025e3e1ee49cdc21424a24213ccb8761268a0fa88c5b1

SHA512
e87f1b2f8661d7321295bb229ab7a3f3d12dc9a7bf4792306442941305e5c618f28cb012b0b2dee41954b0dbbc78f4fca652b9c1d9acdbd7e4bf9c70bf3f3077

Download Submit
C:\Users\Admin\AppData\Local\Temp\MZ

Filesize
3.0MB

MD5
88a230528b06c525c64b27905aef17df

SHA1
d69533af59e863787f0e914bb62c713ea3db90af

SHA256
0dfa5754bd91b3605504f8cf49d498d0e3b7ea5d0c3af20bd94eb33d6704626d

SHA512
a119918d2adcaa80700ddf2fd79d421e2c21c1a881ab1c3bd1081b602e9d97a22b73b92a0b7ad54f0c76f50727adb0a2fc9644e224b4ce2d42c6110539e814b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MZ

Filesize
3.0MB

MD5
88a230528b06c525c64b27905aef17df

SHA1
d69533af59e863787f0e914bb62c713ea3db90af

SHA256
0dfa5754bd91b3605504f8cf49d498d0e3b7ea5d0c3af20bd94eb33d6704626d

SHA512
a119918d2adcaa80700ddf2fd79d421e2c21c1a881ab1c3bd1081b602e9d97a22b73b92a0b7ad54f0c76f50727adb0a2fc9644e224b4ce2d42c6110539e814b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
996B

MD5
d2c0248e82d9b88de964e7f59ddec93a

SHA1
cc5eaea03291868637de422c0fac825be775fa0b

SHA256
cca0e3173e8e7071e71abc602a2063f4ddce5563b8cb3607edb83534adb5e69e

SHA512
dd6fd1fd8e285bb1b385aebc3732fcbedbb129ddd6a4bbcac94f7ff4c2b4b72a224509982e835274803feca2d2a7fd54d4779ca60da100497427f30ecc7185d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
1023fb51826942d25068db4731a96bae

SHA1
45a88ef696a005e3cb5eb483b8d7956abfd2e7e9

SHA256
53794beffa6cc1c07cbc6189752bb8e7a96cacae93d29b7456333374016924e9

SHA512
1a9613f666f823329529406f95de4f3b0809b545ac6a79ddbc432aea6f28c839f5b682e39346bc84e3e4404d14c83868d0308af4465b5b05c09034f453690a5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
996B

MD5
d2c0248e82d9b88de964e7f59ddec93a

SHA1
cc5eaea03291868637de422c0fac825be775fa0b

SHA256
cca0e3173e8e7071e71abc602a2063f4ddce5563b8cb3607edb83534adb5e69e

SHA512
dd6fd1fd8e285bb1b385aebc3732fcbedbb129ddd6a4bbcac94f7ff4c2b4b72a224509982e835274803feca2d2a7fd54d4779ca60da100497427f30ecc7185d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
1023fb51826942d25068db4731a96bae

SHA1
45a88ef696a005e3cb5eb483b8d7956abfd2e7e9

SHA256
53794beffa6cc1c07cbc6189752bb8e7a96cacae93d29b7456333374016924e9

SHA512
1a9613f666f823329529406f95de4f3b0809b545ac6a79ddbc432aea6f28c839f5b682e39346bc84e3e4404d14c83868d0308af4465b5b05c09034f453690a5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
996B

MD5
d2c0248e82d9b88de964e7f59ddec93a

SHA1
cc5eaea03291868637de422c0fac825be775fa0b

SHA256
cca0e3173e8e7071e71abc602a2063f4ddce5563b8cb3607edb83534adb5e69e

SHA512
dd6fd1fd8e285bb1b385aebc3732fcbedbb129ddd6a4bbcac94f7ff4c2b4b72a224509982e835274803feca2d2a7fd54d4779ca60da100497427f30ecc7185d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
1023fb51826942d25068db4731a96bae

SHA1
45a88ef696a005e3cb5eb483b8d7956abfd2e7e9

SHA256
53794beffa6cc1c07cbc6189752bb8e7a96cacae93d29b7456333374016924e9

SHA512
1a9613f666f823329529406f95de4f3b0809b545ac6a79ddbc432aea6f28c839f5b682e39346bc84e3e4404d14c83868d0308af4465b5b05c09034f453690a5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
1023fb51826942d25068db4731a96bae

SHA1
45a88ef696a005e3cb5eb483b8d7956abfd2e7e9

SHA256
53794beffa6cc1c07cbc6189752bb8e7a96cacae93d29b7456333374016924e9

SHA512
1a9613f666f823329529406f95de4f3b0809b545ac6a79ddbc432aea6f28c839f5b682e39346bc84e3e4404d14c83868d0308af4465b5b05c09034f453690a5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
1023fb51826942d25068db4731a96bae

SHA1
45a88ef696a005e3cb5eb483b8d7956abfd2e7e9

SHA256
53794beffa6cc1c07cbc6189752bb8e7a96cacae93d29b7456333374016924e9

SHA512
1a9613f666f823329529406f95de4f3b0809b545ac6a79ddbc432aea6f28c839f5b682e39346bc84e3e4404d14c83868d0308af4465b5b05c09034f453690a5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
996B

MD5
d2c0248e82d9b88de964e7f59ddec93a

SHA1
cc5eaea03291868637de422c0fac825be775fa0b

SHA256
cca0e3173e8e7071e71abc602a2063f4ddce5563b8cb3607edb83534adb5e69e

SHA512
dd6fd1fd8e285bb1b385aebc3732fcbedbb129ddd6a4bbcac94f7ff4c2b4b72a224509982e835274803feca2d2a7fd54d4779ca60da100497427f30ecc7185d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
996B

MD5
d2c0248e82d9b88de964e7f59ddec93a

SHA1
cc5eaea03291868637de422c0fac825be775fa0b

SHA256
cca0e3173e8e7071e71abc602a2063f4ddce5563b8cb3607edb83534adb5e69e

SHA512
dd6fd1fd8e285bb1b385aebc3732fcbedbb129ddd6a4bbcac94f7ff4c2b4b72a224509982e835274803feca2d2a7fd54d4779ca60da100497427f30ecc7185d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
996B

MD5
d2c0248e82d9b88de964e7f59ddec93a

SHA1
cc5eaea03291868637de422c0fac825be775fa0b

SHA256
cca0e3173e8e7071e71abc602a2063f4ddce5563b8cb3607edb83534adb5e69e

SHA512
dd6fd1fd8e285bb1b385aebc3732fcbedbb129ddd6a4bbcac94f7ff4c2b4b72a224509982e835274803feca2d2a7fd54d4779ca60da100497427f30ecc7185d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
1023fb51826942d25068db4731a96bae

SHA1
45a88ef696a005e3cb5eb483b8d7956abfd2e7e9

SHA256
53794beffa6cc1c07cbc6189752bb8e7a96cacae93d29b7456333374016924e9

SHA512
1a9613f666f823329529406f95de4f3b0809b545ac6a79ddbc432aea6f28c839f5b682e39346bc84e3e4404d14c83868d0308af4465b5b05c09034f453690a5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
996B

MD5
d2c0248e82d9b88de964e7f59ddec93a

SHA1
cc5eaea03291868637de422c0fac825be775fa0b

SHA256
cca0e3173e8e7071e71abc602a2063f4ddce5563b8cb3607edb83534adb5e69e

SHA512
dd6fd1fd8e285bb1b385aebc3732fcbedbb129ddd6a4bbcac94f7ff4c2b4b72a224509982e835274803feca2d2a7fd54d4779ca60da100497427f30ecc7185d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
1023fb51826942d25068db4731a96bae

SHA1
45a88ef696a005e3cb5eb483b8d7956abfd2e7e9

SHA256
53794beffa6cc1c07cbc6189752bb8e7a96cacae93d29b7456333374016924e9

SHA512
1a9613f666f823329529406f95de4f3b0809b545ac6a79ddbc432aea6f28c839f5b682e39346bc84e3e4404d14c83868d0308af4465b5b05c09034f453690a5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
996B

MD5
d2c0248e82d9b88de964e7f59ddec93a

SHA1
cc5eaea03291868637de422c0fac825be775fa0b

SHA256
cca0e3173e8e7071e71abc602a2063f4ddce5563b8cb3607edb83534adb5e69e

SHA512
dd6fd1fd8e285bb1b385aebc3732fcbedbb129ddd6a4bbcac94f7ff4c2b4b72a224509982e835274803feca2d2a7fd54d4779ca60da100497427f30ecc7185d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
1023fb51826942d25068db4731a96bae

SHA1
45a88ef696a005e3cb5eb483b8d7956abfd2e7e9

SHA256
53794beffa6cc1c07cbc6189752bb8e7a96cacae93d29b7456333374016924e9

SHA512
1a9613f666f823329529406f95de4f3b0809b545ac6a79ddbc432aea6f28c839f5b682e39346bc84e3e4404d14c83868d0308af4465b5b05c09034f453690a5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
996B

MD5
d2c0248e82d9b88de964e7f59ddec93a

SHA1
cc5eaea03291868637de422c0fac825be775fa0b

SHA256
cca0e3173e8e7071e71abc602a2063f4ddce5563b8cb3607edb83534adb5e69e

SHA512
dd6fd1fd8e285bb1b385aebc3732fcbedbb129ddd6a4bbcac94f7ff4c2b4b72a224509982e835274803feca2d2a7fd54d4779ca60da100497427f30ecc7185d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
1023fb51826942d25068db4731a96bae

SHA1
45a88ef696a005e3cb5eb483b8d7956abfd2e7e9

SHA256
53794beffa6cc1c07cbc6189752bb8e7a96cacae93d29b7456333374016924e9

SHA512
1a9613f666f823329529406f95de4f3b0809b545ac6a79ddbc432aea6f28c839f5b682e39346bc84e3e4404d14c83868d0308af4465b5b05c09034f453690a5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
996B

MD5
d2c0248e82d9b88de964e7f59ddec93a

SHA1
cc5eaea03291868637de422c0fac825be775fa0b

SHA256
cca0e3173e8e7071e71abc602a2063f4ddce5563b8cb3607edb83534adb5e69e

SHA512
dd6fd1fd8e285bb1b385aebc3732fcbedbb129ddd6a4bbcac94f7ff4c2b4b72a224509982e835274803feca2d2a7fd54d4779ca60da100497427f30ecc7185d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
1023fb51826942d25068db4731a96bae

SHA1
45a88ef696a005e3cb5eb483b8d7956abfd2e7e9

SHA256
53794beffa6cc1c07cbc6189752bb8e7a96cacae93d29b7456333374016924e9

SHA512
1a9613f666f823329529406f95de4f3b0809b545ac6a79ddbc432aea6f28c839f5b682e39346bc84e3e4404d14c83868d0308af4465b5b05c09034f453690a5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
996B

MD5
d2c0248e82d9b88de964e7f59ddec93a

SHA1
cc5eaea03291868637de422c0fac825be775fa0b

SHA256
cca0e3173e8e7071e71abc602a2063f4ddce5563b8cb3607edb83534adb5e69e

SHA512
dd6fd1fd8e285bb1b385aebc3732fcbedbb129ddd6a4bbcac94f7ff4c2b4b72a224509982e835274803feca2d2a7fd54d4779ca60da100497427f30ecc7185d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
1023fb51826942d25068db4731a96bae

SHA1
45a88ef696a005e3cb5eb483b8d7956abfd2e7e9

SHA256
53794beffa6cc1c07cbc6189752bb8e7a96cacae93d29b7456333374016924e9

SHA512
1a9613f666f823329529406f95de4f3b0809b545ac6a79ddbc432aea6f28c839f5b682e39346bc84e3e4404d14c83868d0308af4465b5b05c09034f453690a5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
1023fb51826942d25068db4731a96bae

SHA1
45a88ef696a005e3cb5eb483b8d7956abfd2e7e9

SHA256
53794beffa6cc1c07cbc6189752bb8e7a96cacae93d29b7456333374016924e9

SHA512
1a9613f666f823329529406f95de4f3b0809b545ac6a79ddbc432aea6f28c839f5b682e39346bc84e3e4404d14c83868d0308af4465b5b05c09034f453690a5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
1023fb51826942d25068db4731a96bae

SHA1
45a88ef696a005e3cb5eb483b8d7956abfd2e7e9

SHA256
53794beffa6cc1c07cbc6189752bb8e7a96cacae93d29b7456333374016924e9

SHA512
1a9613f666f823329529406f95de4f3b0809b545ac6a79ddbc432aea6f28c839f5b682e39346bc84e3e4404d14c83868d0308af4465b5b05c09034f453690a5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
996B

MD5
d2c0248e82d9b88de964e7f59ddec93a

SHA1
cc5eaea03291868637de422c0fac825be775fa0b

SHA256
cca0e3173e8e7071e71abc602a2063f4ddce5563b8cb3607edb83534adb5e69e

SHA512
dd6fd1fd8e285bb1b385aebc3732fcbedbb129ddd6a4bbcac94f7ff4c2b4b72a224509982e835274803feca2d2a7fd54d4779ca60da100497427f30ecc7185d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
1023fb51826942d25068db4731a96bae

SHA1
45a88ef696a005e3cb5eb483b8d7956abfd2e7e9

SHA256
53794beffa6cc1c07cbc6189752bb8e7a96cacae93d29b7456333374016924e9

SHA512
1a9613f666f823329529406f95de4f3b0809b545ac6a79ddbc432aea6f28c839f5b682e39346bc84e3e4404d14c83868d0308af4465b5b05c09034f453690a5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
996B

MD5
d2c0248e82d9b88de964e7f59ddec93a

SHA1
cc5eaea03291868637de422c0fac825be775fa0b

SHA256
cca0e3173e8e7071e71abc602a2063f4ddce5563b8cb3607edb83534adb5e69e

SHA512
dd6fd1fd8e285bb1b385aebc3732fcbedbb129ddd6a4bbcac94f7ff4c2b4b72a224509982e835274803feca2d2a7fd54d4779ca60da100497427f30ecc7185d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
1023fb51826942d25068db4731a96bae

SHA1
45a88ef696a005e3cb5eb483b8d7956abfd2e7e9

SHA256
53794beffa6cc1c07cbc6189752bb8e7a96cacae93d29b7456333374016924e9

SHA512
1a9613f666f823329529406f95de4f3b0809b545ac6a79ddbc432aea6f28c839f5b682e39346bc84e3e4404d14c83868d0308af4465b5b05c09034f453690a5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
996B

MD5
d2c0248e82d9b88de964e7f59ddec93a

SHA1
cc5eaea03291868637de422c0fac825be775fa0b

SHA256
cca0e3173e8e7071e71abc602a2063f4ddce5563b8cb3607edb83534adb5e69e

SHA512
dd6fd1fd8e285bb1b385aebc3732fcbedbb129ddd6a4bbcac94f7ff4c2b4b72a224509982e835274803feca2d2a7fd54d4779ca60da100497427f30ecc7185d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
996B

MD5
d2c0248e82d9b88de964e7f59ddec93a

SHA1
cc5eaea03291868637de422c0fac825be775fa0b

SHA256
cca0e3173e8e7071e71abc602a2063f4ddce5563b8cb3607edb83534adb5e69e

SHA512
dd6fd1fd8e285bb1b385aebc3732fcbedbb129ddd6a4bbcac94f7ff4c2b4b72a224509982e835274803feca2d2a7fd54d4779ca60da100497427f30ecc7185d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
1023fb51826942d25068db4731a96bae

SHA1
45a88ef696a005e3cb5eb483b8d7956abfd2e7e9

SHA256
53794beffa6cc1c07cbc6189752bb8e7a96cacae93d29b7456333374016924e9

SHA512
1a9613f666f823329529406f95de4f3b0809b545ac6a79ddbc432aea6f28c839f5b682e39346bc84e3e4404d14c83868d0308af4465b5b05c09034f453690a5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
996B

MD5
d2c0248e82d9b88de964e7f59ddec93a

SHA1
cc5eaea03291868637de422c0fac825be775fa0b

SHA256
cca0e3173e8e7071e71abc602a2063f4ddce5563b8cb3607edb83534adb5e69e

SHA512
dd6fd1fd8e285bb1b385aebc3732fcbedbb129ddd6a4bbcac94f7ff4c2b4b72a224509982e835274803feca2d2a7fd54d4779ca60da100497427f30ecc7185d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
1023fb51826942d25068db4731a96bae

SHA1
45a88ef696a005e3cb5eb483b8d7956abfd2e7e9

SHA256
53794beffa6cc1c07cbc6189752bb8e7a96cacae93d29b7456333374016924e9

SHA512
1a9613f666f823329529406f95de4f3b0809b545ac6a79ddbc432aea6f28c839f5b682e39346bc84e3e4404d14c83868d0308af4465b5b05c09034f453690a5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
996B

MD5
d2c0248e82d9b88de964e7f59ddec93a

SHA1
cc5eaea03291868637de422c0fac825be775fa0b

SHA256
cca0e3173e8e7071e71abc602a2063f4ddce5563b8cb3607edb83534adb5e69e

SHA512
dd6fd1fd8e285bb1b385aebc3732fcbedbb129ddd6a4bbcac94f7ff4c2b4b72a224509982e835274803feca2d2a7fd54d4779ca60da100497427f30ecc7185d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
1023fb51826942d25068db4731a96bae

SHA1
45a88ef696a005e3cb5eb483b8d7956abfd2e7e9

SHA256
53794beffa6cc1c07cbc6189752bb8e7a96cacae93d29b7456333374016924e9

SHA512
1a9613f666f823329529406f95de4f3b0809b545ac6a79ddbc432aea6f28c839f5b682e39346bc84e3e4404d14c83868d0308af4465b5b05c09034f453690a5c

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.5MB

MD5
96fe9afe15150cd44126d984b9087035

SHA1
7ab7b18461f1e6ccad122116555e6a2fab3423ef

SHA256
9ea786661f9422c4c22025e3e1ee49cdc21424a24213ccb8761268a0fa88c5b1

SHA512
e87f1b2f8661d7321295bb229ab7a3f3d12dc9a7bf4792306442941305e5c618f28cb012b0b2dee41954b0dbbc78f4fca652b9c1d9acdbd7e4bf9c70bf3f3077

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.5MB

MD5
96fe9afe15150cd44126d984b9087035

SHA1
7ab7b18461f1e6ccad122116555e6a2fab3423ef

SHA256
9ea786661f9422c4c22025e3e1ee49cdc21424a24213ccb8761268a0fa88c5b1

SHA512
e87f1b2f8661d7321295bb229ab7a3f3d12dc9a7bf4792306442941305e5c618f28cb012b0b2dee41954b0dbbc78f4fca652b9c1d9acdbd7e4bf9c70bf3f3077

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.5MB

MD5
96fe9afe15150cd44126d984b9087035

SHA1
7ab7b18461f1e6ccad122116555e6a2fab3423ef

SHA256
9ea786661f9422c4c22025e3e1ee49cdc21424a24213ccb8761268a0fa88c5b1

SHA512
e87f1b2f8661d7321295bb229ab7a3f3d12dc9a7bf4792306442941305e5c618f28cb012b0b2dee41954b0dbbc78f4fca652b9c1d9acdbd7e4bf9c70bf3f3077

Download Submit
\Users\Admin\AppData\Local\Temp\MZ

Filesize
3.0MB

MD5
88a230528b06c525c64b27905aef17df

SHA1
d69533af59e863787f0e914bb62c713ea3db90af

SHA256
0dfa5754bd91b3605504f8cf49d498d0e3b7ea5d0c3af20bd94eb33d6704626d

SHA512
a119918d2adcaa80700ddf2fd79d421e2c21c1a881ab1c3bd1081b602e9d97a22b73b92a0b7ad54f0c76f50727adb0a2fc9644e224b4ce2d42c6110539e814b9

Download Submit
\Users\Admin\AppData\Local\Temp\MZ

Filesize
3.0MB

MD5
88a230528b06c525c64b27905aef17df

SHA1
d69533af59e863787f0e914bb62c713ea3db90af

SHA256
0dfa5754bd91b3605504f8cf49d498d0e3b7ea5d0c3af20bd94eb33d6704626d

SHA512
a119918d2adcaa80700ddf2fd79d421e2c21c1a881ab1c3bd1081b602e9d97a22b73b92a0b7ad54f0c76f50727adb0a2fc9644e224b4ce2d42c6110539e814b9

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.5MB

MD5
96fe9afe15150cd44126d984b9087035

SHA1
7ab7b18461f1e6ccad122116555e6a2fab3423ef

SHA256
9ea786661f9422c4c22025e3e1ee49cdc21424a24213ccb8761268a0fa88c5b1

SHA512
e87f1b2f8661d7321295bb229ab7a3f3d12dc9a7bf4792306442941305e5c618f28cb012b0b2dee41954b0dbbc78f4fca652b9c1d9acdbd7e4bf9c70bf3f3077

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.5MB

MD5
96fe9afe15150cd44126d984b9087035

SHA1
7ab7b18461f1e6ccad122116555e6a2fab3423ef

SHA256
9ea786661f9422c4c22025e3e1ee49cdc21424a24213ccb8761268a0fa88c5b1

SHA512
e87f1b2f8661d7321295bb229ab7a3f3d12dc9a7bf4792306442941305e5c618f28cb012b0b2dee41954b0dbbc78f4fca652b9c1d9acdbd7e4bf9c70bf3f3077

Download Submit
memory/848-85-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/848-86-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/848-134-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1584-75-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1584-135-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1584-76-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1612-54-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1612-55-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1612-58-0x0000000002AF0000-0x0000000002B6B000-memory.dmp

Filesize
492KB

Download
memory/1612-74-0x0000000002AF0000-0x0000000002B6B000-memory.dmp

Filesize
492KB

Download
memory/1612-78-0x0000000002AF0000-0x0000000002B6B000-memory.dmp

Filesize
492KB

Download
memory/1612-83-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1612-84-0x0000000002AF0000-0x0000000002B6B000-memory.dmp

Filesize
492KB

Download
memory/1612-133-0x0000000002AF0000-0x0000000002B6B000-memory.dmp

Filesize
492KB

Download