22ef374836ad7d281f73682692d80f9febe07f8b3910dfee9c06f63ac84e639d

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2023, 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
Size

2.4MB
MD5

88d95f7a0e35ce04ea56c9e7f676f4b6
SHA1

b4de893d1a4d9686653c97b47c8b50345b70312a
SHA256

22ef374836ad7d281f73682692d80f9febe07f8b3910dfee9c06f63ac84e639d
SHA512

d1de00af08e5380b2c5df27a03ff493e154dc386795b79fe3c3519be363c503320e37ea99da46342a00d7cd2a9d548a4df0ad95d63dfee749854da2c18cdad8b
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCu:eEtl9mRda12sX7hKB8NIyXbacAfF

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
3740	HelpMe.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File opened (read-only)	\??\O:	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\A:	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File opened (read-only)	\??\S:	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File opened (read-only)	\??\W:	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File opened (read-only)	\??\Z:	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\B:	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File opened (read-only)	\??\J:	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File opened (read-only)	\??\Q:	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File opened (read-only)	\??\X:	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File opened (read-only)	\??\Y:	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\E:	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File opened (read-only)	\??\N:	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File opened (read-only)	\??\R:	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File opened (read-only)	\??\T:	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\H:	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\K:	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File opened (read-only)	\??\L:	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File opened (read-only)	\??\M:	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File opened (read-only)	\??\U:	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File opened (read-only)	\??\V:	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\F:	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File opened (read-only)	\??\I:	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File opened (read-only)	\??\P:	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	HelpMe.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3740	HelpMe.exe
3740	HelpMe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 3740	4388	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe	83
PID 4388 wrote to memory of 3740	4388	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe	83
PID 4388 wrote to memory of 3740	4388	2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe	83

C:\Users\Admin\AppData\Local\Temp\2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-23_88d95f7a0e35ce04ea56c9e7f676f4b6_ryuk.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-144354903-2550862337-1367551827-1000\desktop.ini.exe

Filesize
2.4MB

MD5
98df1feab1a42361de7cea1ca1629b3b

SHA1
b77d415e90c941dc0d5f41ec1b4c17f217e81090

SHA256
807b258902a0525de83426ea7d07ad16f063fbc4675d8b1ce3db0ca982691ead

SHA512
a94ea7cdb5bc4bbda0759b543d679c79cdc33a9abfc17648ae6bd41119136bf440771f96172a0e7c5b1ab1b2dd26ea385b614a9f1fb75243cb2d36842d9f61e8

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

Filesize
3.2MB

MD5
a727a89246caa1b2a813f794db7d6025

SHA1
766ce8fb23766d88ac8143a2a068313bb72ba764

SHA256
2a705f387039be7dd4d2a04817f3fbdd8af0191ef28d6f267bd3c14b57512b2c

SHA512
6c5c28c7ca7c6ee7996a0487ee392db73a17ccdd8906fae4575c3b50b3fe6ed3a8039c550f21552689a1522abc29c6ca28364508a72bd1049b687b97fffe7318

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
3cba9819ff60623a33204789f954c2ed

SHA1
01973709c8f71d16285d60bf5c89039cb1792688

SHA256
5f2c0ba0af99edf66b47380779d35bdd509a89d56aef748b2f9b6db9fedcb9c7

SHA512
27451b3792a7cfcca40ac06d4bdb90c2d63816d969dea196fd52a06601bc5cb4a69637d22af2388c04a51381e0eed7b62561ad6744088babbd5463c91eb0c059

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
116171c1b7612f089029b219b1010384

SHA1
3060c2e9c5b2adc0c3af6cc50c587a5ae0a3b17d

SHA256
25c3059eecf3799e27d383acd5faa912a0433fc592e30ba1bde11e82f1636883

SHA512
fb4fed41c3e29dd6e690102fce9525ca36d8bebd154c8841debc331d6d10d43bc6a9537ae9eb55d242e588fff9b5444da8495931cc80bc63b440a1f59513d3d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0c867391043ca1c57f4e58a95ff8003e

SHA1
56bf78060b57e1bd44cf130d18bbad532c70017c

SHA256
08de4d51a4118cec97d6679f9b7fdf4a6463f04fced5d5e0c8a2e12a9238ce98

SHA512
eb6ad4379c34c0ee3fee04f8ba0bab981279dd0a0cc3095fe0e21bc512e6a56bf2ad7a2e92cec2c7b7dd5f9e6db370f0b6d5bd84e8f0422dc49530502d4a19af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d067cc76ec696e630630d6a55b1f0446

SHA1
204d860c0408bdc1fd5d90299c099bbe51d693b8

SHA256
4a3a767a82548e17468f006f1a109bc8cf069c29c99457a1c5a3755c0fca2149

SHA512
869426c47507f394e09156d746284a0c7d6310681179e146fc3a95f24774983ab72ae8f6e2d3fb74f4b65e60cff6cf6033e100d1fb4524de997c867ebfd5d437

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
528747e60d7ca6ce6dd38c721e92e8b9

SHA1
8a059386bf8dd19bb6020323eac2479680175178

SHA256
66f3d8a15db3b438e6d7c464fca4c4254405bc2d927c9b315d4063da271de0f4

SHA512
dc23e3426af407a0a502bf2daadd7a5e84308ed27274081ec3fd0c29416be344ad7273246c28a2fd1c2cea20095ea437d0fbeac280ad9f81176a1a88273f6aaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
542d83544194a4398042df77a2522935

SHA1
445da82b0e1b382381cef2729ce17ffa50800a60

SHA256
3d559cde1c8b30d417f7da26193c7f31f2d8a602a8d89c891ddd67aac047fdd4

SHA512
e23d611512211a1b2c68e492b1bc2d27712bb8b603d5d6e1ca813a86cda3491827af0e2583cf457d91c49d7e2fe2a6ece853967ad9a0dfd370e7dfd945f1a2e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f787062bbd16129e86456c0a91ac3229

SHA1
bfcce5676ce042cd3e89faf4fdaee66e0e2311c8

SHA256
3ea2a834cef5e618bd2fcd50d57161163a5c4833d063140a7f0c13b8c1f7b3fa

SHA512
0d5457d498de0baed29787db71b269127703f9f85b21b0842a7faa396f8a28d562b8e96363f146fc091c5245db182f1bfbce180e459e09a6390e33415dc6350c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
603604ea67f9ff2c7af0afef84cd1c8d

SHA1
231e3d1719995c19f0e4942aa742084e54d3c71f

SHA256
abc04fb3d92cb56263a3f38a87f8ef80fb8eddf91b36c7ff0b9d026bfab4b8da

SHA512
b9575b327079f441de243f2eef396763540958197260326b6aa7fc32e5b6b0bb0c9470fc8a6ce2363bd64e0d0611cd37685158057a612b1b6d01487fdc88c6be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f787062bbd16129e86456c0a91ac3229

SHA1
bfcce5676ce042cd3e89faf4fdaee66e0e2311c8

SHA256
3ea2a834cef5e618bd2fcd50d57161163a5c4833d063140a7f0c13b8c1f7b3fa

SHA512
0d5457d498de0baed29787db71b269127703f9f85b21b0842a7faa396f8a28d562b8e96363f146fc091c5245db182f1bfbce180e459e09a6390e33415dc6350c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
ecb714473e02c4a8bb08c02737d64908

SHA1
94b26ed30a3f329c22f8f6751426c51cc4879c4b

SHA256
4bd24da1644389e4a8fd9f5c09dcee0c13393f2efe37057ea55e6e07a88dd6c4

SHA512
b8e1a6e99a36e157182a4bf566a6702d4262168e4d04fbc836d658406a0e85930a0d87f37b76911690d12b54507bebfdcb229f0b479b6fc07093c644b998cac7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
69d00d5f2e1f6f9c6e1acefe4533a82b

SHA1
e16d6195c38110e99d65f2ef1927ad0ea03b5e36

SHA256
994819891b67c99185b4777fcc0fc7cc47a23814b68a3f343d497312e6613a70

SHA512
66f604df89688c611316230e113a7d721dabe2209888f4d56bd78a1a8c8e8aa62db16ddab96a4fedf663477cd8b9a95f59370bff361dded83b614af351324d46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
be68b9c554b050b5295dcaa93194ef3e

SHA1
4ee0fa6ec58b4d963f4821ce905c07503ee56e47

SHA256
f915a012c2624304d23a5e395870511f6aa19950989dee47ce7234eebecaae43

SHA512
6464cf995b1e5dd01b4b0a1675c60d2c7084e0369104a034e718686b850ddda8118cc5f61e2c249384af7a14466b26e72cab812c1515c595d27e5ef68020d3b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e48c05dd29dae98c708559093d134a25

SHA1
6c96fee6dbb4bb7a37203d4e5a0b0d6a661243cc

SHA256
f1056f465635463587f77ea642feed44896e074e4a0f821edb704152c688652f

SHA512
38cb379adfd46894a7d20c8dbd0014ddb204923bc8730b4aa8b5a67fff17b49fef7b97bd713e0e5d08a1375e38b5a436fb340ddd2d91651972c6514422fc299c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
317cebff1eaa3aad2e603eb15949aa8e

SHA1
0884cd3417d2b3eea2e1e5d627785e09df126898

SHA256
ef2683a9d6432408baea0ae927e22c7e6e7296fca7ee398be1be0e28fd54358f

SHA512
9744b0354229c6a4f793feafc0907e480160995d2187b912d27d959e98e5ae855465a4eae990d3cc85b73da1d97239d593ce7ece5f9d1805d45574a1e0cccc1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e6cf83486a3f908760bc9eabd3bf8e2c

SHA1
a65f48e084a5acc8d66be09c50d0aacb62713dba

SHA256
15bd3c0009ea3f5bdb1a026834c4b5a09403ac91712b9770c5851f2646263bb1

SHA512
2e32d2d00ecb30da42688b1eb7bb92e84cdb9035191f497e14bab8213717a11a071cd9f1f0afee87414af89c3105e10504cc3e1485e707e357ae8099d901a214

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
5a9e4a2b850c4d8d4c304fbf213d1aa6

SHA1
5008a140ed1a1292ba8744ec8b2d9b4b680e2445

SHA256
d8fa5e71a30cb0912888478a450c6c62f9a6ea18a4e26751c7e5a93fd1287ce6

SHA512
cd1460732f84d4c20e8e616e5cea9efd82c095001bbba7e41a9576de6f5658c3d908b344cff1b1142c02ae0fd1739236a1760cdf6a5045f9c42fa8585657ea05

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
af4e021b6d3451e286aeec4cf3a462c6

SHA1
7e178da615e9a8b822152596e2809932ccfcaa89

SHA256
ca45f1f1e8cfb7ad907227755a856cbaaed303a73b4f74e2b1727af2fc58a2fc

SHA512
403d89c2694fca6718c165e36d141847c764b7b19e10aef9e0f8d9bd6ab31cb7f24c3fa35564e038bb342806446ad3170d3642027ed378b212a279ba8e75db99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
84264c6a19a74de1f2576fe53367a1bc

SHA1
24ebe065331e56195363bf4bda9e378c7f379671

SHA256
ee3c6932c9e7d423a4485be71eacd2d2797ebdeb20b4cefd5431fa01672856ea

SHA512
3e7d81e660ac4b103863a7a1966f9bf444cbe50462c7a02d70cb301493707b98e44f3f1c2d5ecb2c2880dc9371a239ee7a217938c01fa021f586de0973a1237a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
03aa301f526815622da663f65c8536d4

SHA1
02820928f217e0a22ce133db5d32442b8d38d54e

SHA256
29d62042fb7baeb6c00009bda0870a9abcc78adc4b4b0a96042566ff5e55bd6a

SHA512
5451ba22bee9465318fe79e41cb2ddd86b45a1b7a330430e6033af6712627ca673b7d8559734ab183e2306127a1ec20fddb6e67d6c61a5a5aea9c57aa89e2afc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
ac9c7c5fd33fedbdc1fc337f62320118

SHA1
3a66218ea1d0779312da5e3b9513b93a38c25c0c

SHA256
df415eaeabcad0905a8ca8ae3c0cc66da7d7d23fe0253ac07c4a561617aa4c61

SHA512
4430fa96844e9ffd4c807b2c60866ce225e0ef481ebb8861a5077f2ee1b23695ac5019a0c3772187f9fe39ea228f9134314acfd82bca8f652611012fefc1c071

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5897df52624099206e036b91dfb5c4e0

SHA1
e77bf211fa0d31740fa32a93deb73f59d37612dd

SHA256
c4782dea4461fb3463c1e48e146e4b29981cb38034534e44a17d9a792231ab67

SHA512
f108da9bbf23697a3a7f7d2056e27d536391a0f0a6559afecd78d704ed796ee2609d93d79b21ad9d17840605818c31e635a8f03a4ef61ea78b5bd29f633b76ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
cb4acf0d3279d1a541228fd97073a78a

SHA1
26f6a73b42a3fb4f06cb33057f40ddb2f54a5833

SHA256
5fbdeac412959e9a224279927e65b742126fa734a2cf52c127bd372dff75002a

SHA512
20ff78431b76aea019311bb9c27b95d1fd6d4d0c58d9170eebb03f069fcaf23bffad356900bcd924297aa18a5377bf245f53396bac1e9703dcfbf94dd34e73c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4cec502d9fbf7be22dffed04c9358f9e

SHA1
6bbd3982f7f4b063422ef63a25ed3e6a3936519b

SHA256
5ac01727f15e0041a161e188aac6784fb47a53a57daaa4667cef7981a945114f

SHA512
483d174b04a3038f1ebce45434aaaba04b30bfe5864a1e9b4eb70cfff8ffad282885ecf9651bb0ecceac067b4cc566873c85fc2b9959f34e78cb87ef1e3552d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
854352f75df236ebe247eeeec845fdc9

SHA1
797d6371f5e2071f3232031a496705c4a7c76987

SHA256
5a4e7a6f994ae2a671046d5c21d295ff5df4548710d79d28a86e3e289568cb45

SHA512
308f7190c0e5fa334abe7477f772624cf093c3d71247cd9689a08c078840a8a5a190a34ebaac6732709c2a6130218c3f4b6baa703de5e98546bbb5b9fc375a56

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
48c29f686c5fdb05b0e44d0cf1e6d3c2

SHA1
0684b91bfb9d8098be39651dde53e99dca655df1

SHA256
0c8ba5b48fa03fc00f8ba056c4425c6a2b326c011e100d6c8f81844599081f66

SHA512
539bece7d193cd825a435bd174b1c22521a1f5dc3777571ab4c58149901ee03839c129872e7608bbd6d919a1582e51a7295c8499f50136c6ca2756a6003fb080

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
b6b9fe26dec32d0bedaee3bf7576dab9

SHA1
2541b8c346551e4895a29437a328a14443562331

SHA256
614fe905f5b3a27dbfced824ef43622c12d5f812c647e895ce41e3f5c997ef8b

SHA512
e4bfa42e432a46267798aefc529c06f05f160337c8876a925d1ec3d14b73f740891d9221f45cd34b8ae965e41833b1f6007fe2be3ba7223cab6fd4dc478a22e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ed03bfd4707f754f096ca3d8e5b5414e

SHA1
c1b837512b9d293658d0e6cbfaa998f4157d5852

SHA256
16860d542e92d9fae41fe1aae136ae5027a70eb04f321f341b9fea4a1c325b37

SHA512
6bcb0616e5d8085737e3c9bd2e7b4032e49515b82071783d2bc9cf471163f250a1fb239a4452bdaacf5e4ab1956a0afbfd117164de3d6b8c679e247241bfeb47

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
a143ea1abfc45f5ba1f825199f2d65d4

SHA1
ba8d44dc85039bbc44ce1d428d28c509538516ca

SHA256
95f816265bad34d78cc6a036db2fc6eb86dc80d745cf683012d05aeaf357b0b3

SHA512
01cee709f384d36a77d93acea2da72e3d77934dd6afc149af7406edf4df672735877116f9fd91356298272e9e41db1020ad9d4f54cf78ea6d7bcf7fe841119b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a08e63f9fea3884381b9f3e8361f4f89

SHA1
fe31dea2fd0c90f9cef0e827b6017750b33d4c45

SHA256
23acb20dcb052dcc5409614fa8cdbf8bb314059b41799bd53de2ce6e1c14b13f

SHA512
06042719dc2a8873a8db86ecf0f4dbdf368e1eeae5b2b834760ea56af1ec854eb2963ee0f118fc2428fc0255b44da59b83856d71d0b1015665a3b1fe8f406b1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
6d8491822e3c61bc9c1b641087a56953

SHA1
0e31748849f9906228f214ca593e61e50f75f6fe

SHA256
6a919fb2f00f1164ae3a6b0a52608c13848672f7f1b29202b6dc939f57878a45

SHA512
d47e18084dae28a833cdb0655e073e4801e2482cb7023a4245faef8efc3e5cf08a84e34bd58c958d50408a0e03a13926febcae4ce030b9f1c7e218daeac258fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
60125534b6ae4093d00f84df14c5ae0a

SHA1
1fa5e4c9ae62d9c371093085301bf301ec8f378a

SHA256
e06b538b2dd7a379fb2b2cb98eadbf5de013b021ad37926798032d478b7a327c

SHA512
ae9bb8239de6367cc50431da70080fddaa0240faf4a85bed9cae81ec7d4a75def42502e961db4a81bb08648d610b31cde5ba919b66c2b4439a4007709ece36a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d50c982175b9565cf42dfff6d628e88d

SHA1
e865edf829473f0c967c10fecb6d4d09d0182d0b

SHA256
40701783c32cfd7b448f2c9474527ae3edd1d7fbfc598c0851da37aac8e746a9

SHA512
ad158bcbd085b56f35ec48023a185773d9707caf71f039b85074dbedfa748cea5c3250c219bc9b5214e62fa5a84f5da2a126f3878231188219bec34d87c8676c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ecf85fe6bc073a513dc93b77fe3349ed

SHA1
d3f8c61a661589ac80df0e880b7ec0bf0529402a

SHA256
ea4a7ae6a7d7af0cc17ecdd621f4724af6b2bfdb873ef2dfa99d98b6e6c87762

SHA512
a7b2898ef694de9c1c1be573a81e2fb28ca8ade0faa3c3970ec608bcc164b2b60af72d39e52730710da42a69246e2369dd284552cab32497cdf7be9790afe60b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
190467831674ac887bbaa65244874568

SHA1
0a0295714fc47629316e9eae954356fd1c236eb3

SHA256
40447b27345cb20093cc31c3a0b0da4b95ef0539918b5e1f2fae3410b5539a7b

SHA512
871fb7aeda0a591833f1fd42da0ebdd76953cee8354621aaa754c925b38165ca4aa502e487f804eabc33800c324fc309d9d1f8203c992f8658cade53ea8e901b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4a35391a8c255a6f0d60bdf47ea106b3

SHA1
f5a3356b2108564763cf3efabbfcdef9c4086c45

SHA256
697bf86184d13c3a7d712803c1ed25f81324e786da4a9e33c518062622dbc815

SHA512
7e8d96d7b5732e0df162a7242b1bc3cc36ed26cd9287752abb0bf3eb87a998855e8ccaf7c2a87891d74fe77914407b3035456d613954d145e5cfdb44f23b1893

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
0be1a3a24c0fbe06f8a5543c8b5c1a37

SHA1
aae23624259196b318f8867effa575299567bfbe

SHA256
2ca2659e314ae0cf4ad9296db73a1e5b0f606a329aa676b31421938a193d2f09

SHA512
2d949c4f9af6b45f9792ca1d219fcb4e18a5e66165cf7c8e4ea9c7e0124e5c275ad5d594a0951a73c255bf8781c8dd1ed084286368b596340b2f9761b742e135

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
62389917d06aa25669aec8ccb93111c0

SHA1
3422fc01bb74195824e2fe9db5ea091b0711b52b

SHA256
db5f78077a9f0a42a215dd4e7cfbb6d9d9d3b3f4a7b75c2453008b6cc18bf463

SHA512
e8217a1e1e91977c85069375043cb069079189b23e3e32ebb2f3fa9c3ca189a149fe7a4c99bfdcdd1b58bde3ca0aa362c19f68205dfaeac7cfcce98307c2bec9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
b5e4804f0c18025103c5acd36f9a1d16

SHA1
af54893f41e6cec9560a383cc125fc056b6be3de

SHA256
32fbde453bdee2959e82b6166ec1ab6ac7407bccbd731ac0909076c990a26081

SHA512
f559d21db917b8834764fda2747e6f10ddac6632abf74678b2ace05fbd7b330c3266fade668e4c5cdbc128685b195ac0475af5519053308201544b33058c570a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0b5697af8753881ef5cc7791cd2c8d3d

SHA1
2a906b84df5c2bd979c433bff3d3671b91cd6752

SHA256
971bd709d822a2d81a2476ebc14c732bb0ecef01f0e40d5ede6f50f7de57c965

SHA512
df9125a1399b7f8497990f31238cd6d48976489ae18e5cb9ef8a5e8eaabffe2b8904e97e469a65824382e92639cfcdd43705cf0df11536176240618e86c8e886

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
c25553446ed8d790bb746dc6f032f2a8

SHA1
a4985db40c9901b2b8c90e4893def777b005dc0d

SHA256
f8794adf0c0059b6a6c8cb929706e473a176f4fc93b90f4366cfa66c98e25957

SHA512
697493e8abf260c45f1b2719654dfdf399ff47b1118bc1299b03d3de7725ffdd9a841e2b79119ea0d429078e28f32bda89a6f5f0706ca2b7e3ddac813f7541c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
db2bd23425ab10661a7ab0c215bc6a48

SHA1
e15838134f353bd8aa63d4fa47a900ade741cee8

SHA256
6bff75c152e5ad05f279596346e576a626c187eba4a0b382c62e270c15c26fe8

SHA512
eee659c96429030eb5005a8638190aa9ba742ecabea23d4367a8edd38c8e380f8587133906eff90655be083b58956a1ef9fabd6487890fe05141780579eeca76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
7405090eeeda51f27c9ac0ccd1e09f5b

SHA1
0799a405f4d7861f88ffa027d9f189c16542bced

SHA256
3a0b18394cf453db71f14075e046f174a4d26a8faa0c5591840816cba18cb528

SHA512
99d01325fa9ebc014d8195bb77d76f1b404ba7f97c552fe69c780afb4a688bef9e1ffcfd93a15ed74532deaa447e595ab5ab8ddde9c37153a8c6cf0d393eb22b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
25d4cef9769ae616bfc9b5a7fdde55cb

SHA1
85d51c683dac4b049705551332b6b96a2c34e61d

SHA256
113b0435c2b94e8246bcd8c7c5e76924a5d70e9d91a4e1df737fe05871089a50

SHA512
34722fd96ae1f5cc0711c9dc8bdb885aad96f093eb8352a31d75d7ddd3cb5e39f23a566b82276331189b2f55245b215b437c60ed11fcf7e697a02ca31448b0ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
e61905a9f951c0522258a907637493b7

SHA1
aac1ef42c979d3c6c14254c07c5ee4eefd57a601

SHA256
a70ca4bd97ff8c72a55ff004f62b2e51de248a52357327f0a47d1dcbfcd12c66

SHA512
aa720fa191f62e7aa2d12801b12830ac3398642096f4fb8cee92623310ae8dee007c9649f6f5dc9f33e2ce25c1efaff0a7183fab531501b45d110256a303693e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
53bf9ae90d525f811f1a90ad9155b11c

SHA1
c199d68006bbfcbfbe42ae17bb09717385f7f01d

SHA256
924070d3b6215bdabe1948eb911f7ae239d249ecef79fd0b7467adfb6cc636fc

SHA512
2334c6e1c64f96241357b953a63ffff5fd55d1866e10f193f43eead8ecbd2aefb40375e17043c15963ecc2bc4aa62668ba5fd9756ac6743cfd5f41dc3d2f9b42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
83c9cde4ecffae5254a46e7d6b07a481

SHA1
95c53b98675286a220ab34f130d43a4b7e069ebd

SHA256
bba1a242eac28fff76100a230f5da087fcd45474fe55f19295b00032529ab75b

SHA512
256d3c322822e822792413fcd60c5b2267ec253b30637a6f7d2231bbe21eb53675d67e6532da5466b4b5f1dcbf7eec59c8a5ada8d8c3e9eb04964a78fce1908e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a76dfa927a68add43a7f61bc2e6809f6

SHA1
80253e516f39a052ab66d976c28b3c15f2d8bb48

SHA256
a7fd78518eb9e6c2658e8d6a8b57f3cb290b02b771e2ebd2a481493d4b20e734

SHA512
d3718d42c01eaea1ced994334d876467e56e85660efb539dc2f2fd7650138ab379c7c79d73fa6beacfee65fc6bed3f2bd0fce97546ddc7c305bedc911eae4bf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
4670959275a3c0954a3cb6a546a2af92

SHA1
b9ed24e07809243e2db63812732c5f003b82030d

SHA256
c84e0d1c77a6b052ad2adfce51bd4e291aab2aa27af8dd37a5340f41e972475d

SHA512
f8803a12913367786fb5232f56affdaa645ee53e8ca2235dbc5d748183fe2897b22d9280436e3ec84d2b6a85b8a7e432c76f3329a02477929ce744aaadd67fd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
051ed745f86459af5fa1e05f79d0c337

SHA1
202fa8e4390ac22cd1397f46130330720350f78c

SHA256
69018791c5615b964a1b968b02daea143014f0b60f41c2586b1437b6f388c560

SHA512
c25bdebf5ec3d68b10a2c248771569bad88f28f1195fa7bf4705c03ae599f8eff195b282890c4fe3972f03c9a51c89ee882b0a473755e8358b000fc1afadd004

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d96b9255843c001416f9b809d405d2aa

SHA1
ae9d7c2a294b61f10dbce84c601a343cfa602f28

SHA256
0d878245ebf5fbd8cc891f250fb7b5293c4dfbb8427812c5bbca4f722178bed4

SHA512
725997b555da232dc0e4b5f043cf119368d693c4896417ab1c87302bb31ca92543132f0cc61d8ee85dd0e5af7f4a9ddbd24ca3af473df6951bb1fb7165926f3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a881d0a93ba57e0f26ae5fa445c4a052

SHA1
ec19d0baae9642630282fcdd5f1b33dec5bb02a3

SHA256
647885062a21db31861a60ce7c68794924b773dfe7eb6a32e0fbd7f7445467ef

SHA512
3177e567da38c778cc45ee2aede08c6ae03d587051fb11a84b454f7f3103754f56035b3020fdaae6e416155fd5aa0f640408a8e2442af07a7a7fa29d34b7c020

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
25f9d9613c666cda8e0ea67c985b2ed8

SHA1
f548952180232b1062e89d1798d182450d56e3bc

SHA256
f3a084ff00cfd434a1e5cd6d2a2172dfaea5ad2608f5692e2813376be93188a5

SHA512
e53c2d42bad86dc2ce104356b4ca9d7001a11c1fd6cb5ca81f224e65e63b5558de2d1aaba465d77f972235b4cb2708f9c1099756185c11a4b56b87935eee2a0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
028b9e5a31c34029ce15981c17fecf9c

SHA1
7ce2f4aa97329f713a8270570def76ddf64d82db

SHA256
8742a300a3f453c3aa225f72c01170e8d91ba24a199ec3f506c3ae056ab90e87

SHA512
e26857bb5fe1e78e8b79369ea6c267e02f1ea617078dc08d2b1db1ca89df86721713d9c44ea55e7f3f8d12f9b1a6d82623c39850089dd156e9ae704f76d6ab04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
7a6c2a6d02f4a62ab7393f7922b07ffd

SHA1
95a0f12b935fc614c7c86e3c77d75116cbe33803

SHA256
3ef5ad0c63ef5403f353d4e6bec11db811b86f44031734b418d93e4b9b28b829

SHA512
cffe576234eea9845ce41d2364a43587820bf2bd62bdaa55a7e24084666ab7f6832fc35ab508452a569c0ddd0ac0b6f20b0e21f3829318cb4d4ed04902a8e71d

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
4fcabd6af524fb70e356d08e610521f2

SHA1
f104637706390fd5f304e0ae671487f50e9b1c04

SHA256
7d75df18d2b20161d728fc950d7adaa0ff0e1bb8e9447787b90942aad407b61a

SHA512
970d7df16ad5aa7517fc68bed5e394a4f08a3ce8de6c4a3c8f055626b38ab45eeda63149a9051bde26559946bb3cfbe7d0f7e373730ea53c59fd83e5c9944697

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
4fcabd6af524fb70e356d08e610521f2

SHA1
f104637706390fd5f304e0ae671487f50e9b1c04

SHA256
7d75df18d2b20161d728fc950d7adaa0ff0e1bb8e9447787b90942aad407b61a

SHA512
970d7df16ad5aa7517fc68bed5e394a4f08a3ce8de6c4a3c8f055626b38ab45eeda63149a9051bde26559946bb3cfbe7d0f7e373730ea53c59fd83e5c9944697

Download Submit
memory/3740-162-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3740-141-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3740-142-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/4388-133-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4388-140-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/4388-158-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download