8b140221dc73afb2da459d3e84dc2a8c8ce2392ceadfd3d796b7948d455ea72a

Analysis

max time kernel
150s
max time network
30s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
03/07/2023, 19:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

202307023a50f95f57bac9d5c.exe
Size

3.7MB
MD5

3a50f95f57bac9d5c13d0cd763ac147e
SHA1

0c04343c2031eb4724fe973b403af15ed86b6f52
SHA256

8b140221dc73afb2da459d3e84dc2a8c8ce2392ceadfd3d796b7948d455ea72a
SHA512

8e3b62fcfee47558d2af27bf7b5bd8b29a3a15040781ec8a54e10cc685f4e2fc03c41ee533b64c5554501e6d6d74bbfc605881f619dc518a639f168240e72863
SSDEEP

24576:eEtl9mRda12sX7hKB8NIyXbacAfpNRdpkhtIShJVVTyJNPtz:9Es1RMB8NIMIhDCjVyV

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	MZ

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	MZ
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 2 IoCs

pid	Process
1056	HelpMe.exe
2300	MZ

Loads dropped DLL 4 IoCs

pid	Process
2380	202307023a50f95f57bac9d5c.exe
2380	202307023a50f95f57bac9d5c.exe
2380	202307023a50f95f57bac9d5c.exe
2380	202307023a50f95f57bac9d5c.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\E:	MZ
File opened (read-only)	\??\Y:	MZ
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\K:	MZ
File opened (read-only)	\??\M:	MZ
File opened (read-only)	\??\N:	MZ
File opened (read-only)	\??\V:	MZ
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\I:	MZ
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\A:	MZ
File opened (read-only)	\??\F:	MZ
File opened (read-only)	\??\Z:	MZ
File opened (read-only)	\??\Q:	MZ
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\J:	MZ
File opened (read-only)	\??\L:	MZ
File opened (read-only)	\??\O:	MZ
File opened (read-only)	\??\P:	MZ
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\S:	MZ
File opened (read-only)	\??\U:	MZ
File opened (read-only)	\??\X:	MZ
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\G:	MZ
File opened (read-only)	\??\W:	MZ
File opened (read-only)	\??\H:	MZ
File opened (read-only)	\??\R:	MZ
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\B:	MZ
File opened (read-only)	\??\T:	MZ

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	MZ

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notepad.exe.exe	202307023a50f95f57bac9d5c.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	202307023a50f95f57bac9d5c.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	MZ
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	202307023a50f95f57bac9d5c.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	202307023a50f95f57bac9d5c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2380	202307023a50f95f57bac9d5c.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 1056	2380	202307023a50f95f57bac9d5c.exe	29
PID 2380 wrote to memory of 1056	2380	202307023a50f95f57bac9d5c.exe	29
PID 2380 wrote to memory of 1056	2380	202307023a50f95f57bac9d5c.exe	29
PID 2380 wrote to memory of 1056	2380	202307023a50f95f57bac9d5c.exe	29
PID 2380 wrote to memory of 2300	2380	202307023a50f95f57bac9d5c.exe	30
PID 2380 wrote to memory of 2300	2380	202307023a50f95f57bac9d5c.exe	30
PID 2380 wrote to memory of 2300	2380	202307023a50f95f57bac9d5c.exe	30
PID 2380 wrote to memory of 2300	2380	202307023a50f95f57bac9d5c.exe	30

C:\Users\Admin\AppData\Local\Temp\202307023a50f95f57bac9d5c.exe
"C:\Users\Admin\AppData\Local\Temp\202307023a50f95f57bac9d5c.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1056
- C:\Users\Admin\AppData\Local\Temp\MZ
  C:\Users\Admin\AppData\Local\Temp\\MZ
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:2300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-719110999-4061093145-1944564496-1000\desktop.ini.exe

Filesize
3.1MB

MD5
b7d89c711c47823fcb180bdf1f6b38c4

SHA1
28b86b63e116d046e5f14bb3d8b4150dd9504ab2

SHA256
96e6e6cdd31e2a959054b09a7fef7fce097578d774603f55f03c70efb8fad286

SHA512
5225a5adfca5e177e51b76ac36c33efb54b0b9742f62924802246eec05624d7c8c9cc63cadece9d68c577157c8bc99fb509d36ad83afe8c89c2c169f8bcd607e

Download Submit
C:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
C:\AutoRun.exe

Filesize
3.1MB

MD5
eb9271b4a636a8e7675bc030a0d6d803

SHA1
866f6b290538ef955565e71e087ea647a3418ebf

SHA256
9f63b62bc58665d3302cfe660b6fae22c9e36ade2365e78f0e50b0c9f4fc407f

SHA512
668f9991e5ba60129012e0255fb9e1ef32448e8d01faf47e2bf23e288b933ddb9df9d15f82cb124fe69fa2ec80cbd7f50e620159690b2076701a53209304fcdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MZ

Filesize
3.7MB

MD5
3a50f95f57bac9d5c13d0cd763ac147e

SHA1
0c04343c2031eb4724fe973b403af15ed86b6f52

SHA256
8b140221dc73afb2da459d3e84dc2a8c8ce2392ceadfd3d796b7948d455ea72a

SHA512
8e3b62fcfee47558d2af27bf7b5bd8b29a3a15040781ec8a54e10cc685f4e2fc03c41ee533b64c5554501e6d6d74bbfc605881f619dc518a639f168240e72863

Download Submit
C:\Users\Admin\AppData\Local\Temp\MZ

Filesize
3.7MB

MD5
3a50f95f57bac9d5c13d0cd763ac147e

SHA1
0c04343c2031eb4724fe973b403af15ed86b6f52

SHA256
8b140221dc73afb2da459d3e84dc2a8c8ce2392ceadfd3d796b7948d455ea72a

SHA512
8e3b62fcfee47558d2af27bf7b5bd8b29a3a15040781ec8a54e10cc685f4e2fc03c41ee533b64c5554501e6d6d74bbfc605881f619dc518a639f168240e72863

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
554660ec7eaa2b466f8726e82ab3d50b

SHA1
255a488ee720e9874b96d44fa0663b9e442d2cd2

SHA256
04d4363bbbe1b02bd9e4f7747ca2ea3686a537072c489cf05645964f2a757d00

SHA512
4084467c5f578b0a6485531129765ea59f260bba9808a4f1a322054be1ac58e4b1b08d351c00d347cccdc0fb7b359a248d6de7ad8a3d6c813501bab29e9abc8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
07f9fc06bcfbf66f9d4ec6e96c6cf559

SHA1
34f480360da2d407e66ad68ad0f649b88724557a

SHA256
d4c554222faa0c4c0a54db7f305d5dc7f64b6734b3dffc603134c2b0565b4956

SHA512
5b4259f56fd4d785ea87eaa1b5b4b8ac976f48fbf6789583904bd2f1aff946357dfc790639cf9d52262b17046144703ff036a559327032a0a5be206ebfdbe46c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
554660ec7eaa2b466f8726e82ab3d50b

SHA1
255a488ee720e9874b96d44fa0663b9e442d2cd2

SHA256
04d4363bbbe1b02bd9e4f7747ca2ea3686a537072c489cf05645964f2a757d00

SHA512
4084467c5f578b0a6485531129765ea59f260bba9808a4f1a322054be1ac58e4b1b08d351c00d347cccdc0fb7b359a248d6de7ad8a3d6c813501bab29e9abc8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
07f9fc06bcfbf66f9d4ec6e96c6cf559

SHA1
34f480360da2d407e66ad68ad0f649b88724557a

SHA256
d4c554222faa0c4c0a54db7f305d5dc7f64b6734b3dffc603134c2b0565b4956

SHA512
5b4259f56fd4d785ea87eaa1b5b4b8ac976f48fbf6789583904bd2f1aff946357dfc790639cf9d52262b17046144703ff036a559327032a0a5be206ebfdbe46c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
554660ec7eaa2b466f8726e82ab3d50b

SHA1
255a488ee720e9874b96d44fa0663b9e442d2cd2

SHA256
04d4363bbbe1b02bd9e4f7747ca2ea3686a537072c489cf05645964f2a757d00

SHA512
4084467c5f578b0a6485531129765ea59f260bba9808a4f1a322054be1ac58e4b1b08d351c00d347cccdc0fb7b359a248d6de7ad8a3d6c813501bab29e9abc8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
07f9fc06bcfbf66f9d4ec6e96c6cf559

SHA1
34f480360da2d407e66ad68ad0f649b88724557a

SHA256
d4c554222faa0c4c0a54db7f305d5dc7f64b6734b3dffc603134c2b0565b4956

SHA512
5b4259f56fd4d785ea87eaa1b5b4b8ac976f48fbf6789583904bd2f1aff946357dfc790639cf9d52262b17046144703ff036a559327032a0a5be206ebfdbe46c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
554660ec7eaa2b466f8726e82ab3d50b

SHA1
255a488ee720e9874b96d44fa0663b9e442d2cd2

SHA256
04d4363bbbe1b02bd9e4f7747ca2ea3686a537072c489cf05645964f2a757d00

SHA512
4084467c5f578b0a6485531129765ea59f260bba9808a4f1a322054be1ac58e4b1b08d351c00d347cccdc0fb7b359a248d6de7ad8a3d6c813501bab29e9abc8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
07f9fc06bcfbf66f9d4ec6e96c6cf559

SHA1
34f480360da2d407e66ad68ad0f649b88724557a

SHA256
d4c554222faa0c4c0a54db7f305d5dc7f64b6734b3dffc603134c2b0565b4956

SHA512
5b4259f56fd4d785ea87eaa1b5b4b8ac976f48fbf6789583904bd2f1aff946357dfc790639cf9d52262b17046144703ff036a559327032a0a5be206ebfdbe46c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
554660ec7eaa2b466f8726e82ab3d50b

SHA1
255a488ee720e9874b96d44fa0663b9e442d2cd2

SHA256
04d4363bbbe1b02bd9e4f7747ca2ea3686a537072c489cf05645964f2a757d00

SHA512
4084467c5f578b0a6485531129765ea59f260bba9808a4f1a322054be1ac58e4b1b08d351c00d347cccdc0fb7b359a248d6de7ad8a3d6c813501bab29e9abc8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
07f9fc06bcfbf66f9d4ec6e96c6cf559

SHA1
34f480360da2d407e66ad68ad0f649b88724557a

SHA256
d4c554222faa0c4c0a54db7f305d5dc7f64b6734b3dffc603134c2b0565b4956

SHA512
5b4259f56fd4d785ea87eaa1b5b4b8ac976f48fbf6789583904bd2f1aff946357dfc790639cf9d52262b17046144703ff036a559327032a0a5be206ebfdbe46c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
07f9fc06bcfbf66f9d4ec6e96c6cf559

SHA1
34f480360da2d407e66ad68ad0f649b88724557a

SHA256
d4c554222faa0c4c0a54db7f305d5dc7f64b6734b3dffc603134c2b0565b4956

SHA512
5b4259f56fd4d785ea87eaa1b5b4b8ac976f48fbf6789583904bd2f1aff946357dfc790639cf9d52262b17046144703ff036a559327032a0a5be206ebfdbe46c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
07f9fc06bcfbf66f9d4ec6e96c6cf559

SHA1
34f480360da2d407e66ad68ad0f649b88724557a

SHA256
d4c554222faa0c4c0a54db7f305d5dc7f64b6734b3dffc603134c2b0565b4956

SHA512
5b4259f56fd4d785ea87eaa1b5b4b8ac976f48fbf6789583904bd2f1aff946357dfc790639cf9d52262b17046144703ff036a559327032a0a5be206ebfdbe46c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
554660ec7eaa2b466f8726e82ab3d50b

SHA1
255a488ee720e9874b96d44fa0663b9e442d2cd2

SHA256
04d4363bbbe1b02bd9e4f7747ca2ea3686a537072c489cf05645964f2a757d00

SHA512
4084467c5f578b0a6485531129765ea59f260bba9808a4f1a322054be1ac58e4b1b08d351c00d347cccdc0fb7b359a248d6de7ad8a3d6c813501bab29e9abc8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
07f9fc06bcfbf66f9d4ec6e96c6cf559

SHA1
34f480360da2d407e66ad68ad0f649b88724557a

SHA256
d4c554222faa0c4c0a54db7f305d5dc7f64b6734b3dffc603134c2b0565b4956

SHA512
5b4259f56fd4d785ea87eaa1b5b4b8ac976f48fbf6789583904bd2f1aff946357dfc790639cf9d52262b17046144703ff036a559327032a0a5be206ebfdbe46c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
554660ec7eaa2b466f8726e82ab3d50b

SHA1
255a488ee720e9874b96d44fa0663b9e442d2cd2

SHA256
04d4363bbbe1b02bd9e4f7747ca2ea3686a537072c489cf05645964f2a757d00

SHA512
4084467c5f578b0a6485531129765ea59f260bba9808a4f1a322054be1ac58e4b1b08d351c00d347cccdc0fb7b359a248d6de7ad8a3d6c813501bab29e9abc8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
07f9fc06bcfbf66f9d4ec6e96c6cf559

SHA1
34f480360da2d407e66ad68ad0f649b88724557a

SHA256
d4c554222faa0c4c0a54db7f305d5dc7f64b6734b3dffc603134c2b0565b4956

SHA512
5b4259f56fd4d785ea87eaa1b5b4b8ac976f48fbf6789583904bd2f1aff946357dfc790639cf9d52262b17046144703ff036a559327032a0a5be206ebfdbe46c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
07f9fc06bcfbf66f9d4ec6e96c6cf559

SHA1
34f480360da2d407e66ad68ad0f649b88724557a

SHA256
d4c554222faa0c4c0a54db7f305d5dc7f64b6734b3dffc603134c2b0565b4956

SHA512
5b4259f56fd4d785ea87eaa1b5b4b8ac976f48fbf6789583904bd2f1aff946357dfc790639cf9d52262b17046144703ff036a559327032a0a5be206ebfdbe46c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
554660ec7eaa2b466f8726e82ab3d50b

SHA1
255a488ee720e9874b96d44fa0663b9e442d2cd2

SHA256
04d4363bbbe1b02bd9e4f7747ca2ea3686a537072c489cf05645964f2a757d00

SHA512
4084467c5f578b0a6485531129765ea59f260bba9808a4f1a322054be1ac58e4b1b08d351c00d347cccdc0fb7b359a248d6de7ad8a3d6c813501bab29e9abc8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
07f9fc06bcfbf66f9d4ec6e96c6cf559

SHA1
34f480360da2d407e66ad68ad0f649b88724557a

SHA256
d4c554222faa0c4c0a54db7f305d5dc7f64b6734b3dffc603134c2b0565b4956

SHA512
5b4259f56fd4d785ea87eaa1b5b4b8ac976f48fbf6789583904bd2f1aff946357dfc790639cf9d52262b17046144703ff036a559327032a0a5be206ebfdbe46c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
07f9fc06bcfbf66f9d4ec6e96c6cf559

SHA1
34f480360da2d407e66ad68ad0f649b88724557a

SHA256
d4c554222faa0c4c0a54db7f305d5dc7f64b6734b3dffc603134c2b0565b4956

SHA512
5b4259f56fd4d785ea87eaa1b5b4b8ac976f48fbf6789583904bd2f1aff946357dfc790639cf9d52262b17046144703ff036a559327032a0a5be206ebfdbe46c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
554660ec7eaa2b466f8726e82ab3d50b

SHA1
255a488ee720e9874b96d44fa0663b9e442d2cd2

SHA256
04d4363bbbe1b02bd9e4f7747ca2ea3686a537072c489cf05645964f2a757d00

SHA512
4084467c5f578b0a6485531129765ea59f260bba9808a4f1a322054be1ac58e4b1b08d351c00d347cccdc0fb7b359a248d6de7ad8a3d6c813501bab29e9abc8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
554660ec7eaa2b466f8726e82ab3d50b

SHA1
255a488ee720e9874b96d44fa0663b9e442d2cd2

SHA256
04d4363bbbe1b02bd9e4f7747ca2ea3686a537072c489cf05645964f2a757d00

SHA512
4084467c5f578b0a6485531129765ea59f260bba9808a4f1a322054be1ac58e4b1b08d351c00d347cccdc0fb7b359a248d6de7ad8a3d6c813501bab29e9abc8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
554660ec7eaa2b466f8726e82ab3d50b

SHA1
255a488ee720e9874b96d44fa0663b9e442d2cd2

SHA256
04d4363bbbe1b02bd9e4f7747ca2ea3686a537072c489cf05645964f2a757d00

SHA512
4084467c5f578b0a6485531129765ea59f260bba9808a4f1a322054be1ac58e4b1b08d351c00d347cccdc0fb7b359a248d6de7ad8a3d6c813501bab29e9abc8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
07f9fc06bcfbf66f9d4ec6e96c6cf559

SHA1
34f480360da2d407e66ad68ad0f649b88724557a

SHA256
d4c554222faa0c4c0a54db7f305d5dc7f64b6734b3dffc603134c2b0565b4956

SHA512
5b4259f56fd4d785ea87eaa1b5b4b8ac976f48fbf6789583904bd2f1aff946357dfc790639cf9d52262b17046144703ff036a559327032a0a5be206ebfdbe46c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
554660ec7eaa2b466f8726e82ab3d50b

SHA1
255a488ee720e9874b96d44fa0663b9e442d2cd2

SHA256
04d4363bbbe1b02bd9e4f7747ca2ea3686a537072c489cf05645964f2a757d00

SHA512
4084467c5f578b0a6485531129765ea59f260bba9808a4f1a322054be1ac58e4b1b08d351c00d347cccdc0fb7b359a248d6de7ad8a3d6c813501bab29e9abc8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
07f9fc06bcfbf66f9d4ec6e96c6cf559

SHA1
34f480360da2d407e66ad68ad0f649b88724557a

SHA256
d4c554222faa0c4c0a54db7f305d5dc7f64b6734b3dffc603134c2b0565b4956

SHA512
5b4259f56fd4d785ea87eaa1b5b4b8ac976f48fbf6789583904bd2f1aff946357dfc790639cf9d52262b17046144703ff036a559327032a0a5be206ebfdbe46c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
554660ec7eaa2b466f8726e82ab3d50b

SHA1
255a488ee720e9874b96d44fa0663b9e442d2cd2

SHA256
04d4363bbbe1b02bd9e4f7747ca2ea3686a537072c489cf05645964f2a757d00

SHA512
4084467c5f578b0a6485531129765ea59f260bba9808a4f1a322054be1ac58e4b1b08d351c00d347cccdc0fb7b359a248d6de7ad8a3d6c813501bab29e9abc8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
07f9fc06bcfbf66f9d4ec6e96c6cf559

SHA1
34f480360da2d407e66ad68ad0f649b88724557a

SHA256
d4c554222faa0c4c0a54db7f305d5dc7f64b6734b3dffc603134c2b0565b4956

SHA512
5b4259f56fd4d785ea87eaa1b5b4b8ac976f48fbf6789583904bd2f1aff946357dfc790639cf9d52262b17046144703ff036a559327032a0a5be206ebfdbe46c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
554660ec7eaa2b466f8726e82ab3d50b

SHA1
255a488ee720e9874b96d44fa0663b9e442d2cd2

SHA256
04d4363bbbe1b02bd9e4f7747ca2ea3686a537072c489cf05645964f2a757d00

SHA512
4084467c5f578b0a6485531129765ea59f260bba9808a4f1a322054be1ac58e4b1b08d351c00d347cccdc0fb7b359a248d6de7ad8a3d6c813501bab29e9abc8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
07f9fc06bcfbf66f9d4ec6e96c6cf559

SHA1
34f480360da2d407e66ad68ad0f649b88724557a

SHA256
d4c554222faa0c4c0a54db7f305d5dc7f64b6734b3dffc603134c2b0565b4956

SHA512
5b4259f56fd4d785ea87eaa1b5b4b8ac976f48fbf6789583904bd2f1aff946357dfc790639cf9d52262b17046144703ff036a559327032a0a5be206ebfdbe46c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
554660ec7eaa2b466f8726e82ab3d50b

SHA1
255a488ee720e9874b96d44fa0663b9e442d2cd2

SHA256
04d4363bbbe1b02bd9e4f7747ca2ea3686a537072c489cf05645964f2a757d00

SHA512
4084467c5f578b0a6485531129765ea59f260bba9808a4f1a322054be1ac58e4b1b08d351c00d347cccdc0fb7b359a248d6de7ad8a3d6c813501bab29e9abc8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
07f9fc06bcfbf66f9d4ec6e96c6cf559

SHA1
34f480360da2d407e66ad68ad0f649b88724557a

SHA256
d4c554222faa0c4c0a54db7f305d5dc7f64b6734b3dffc603134c2b0565b4956

SHA512
5b4259f56fd4d785ea87eaa1b5b4b8ac976f48fbf6789583904bd2f1aff946357dfc790639cf9d52262b17046144703ff036a559327032a0a5be206ebfdbe46c

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
3.1MB

MD5
eb9271b4a636a8e7675bc030a0d6d803

SHA1
866f6b290538ef955565e71e087ea647a3418ebf

SHA256
9f63b62bc58665d3302cfe660b6fae22c9e36ade2365e78f0e50b0c9f4fc407f

SHA512
668f9991e5ba60129012e0255fb9e1ef32448e8d01faf47e2bf23e288b933ddb9df9d15f82cb124fe69fa2ec80cbd7f50e620159690b2076701a53209304fcdc

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
3.1MB

MD5
eb9271b4a636a8e7675bc030a0d6d803

SHA1
866f6b290538ef955565e71e087ea647a3418ebf

SHA256
9f63b62bc58665d3302cfe660b6fae22c9e36ade2365e78f0e50b0c9f4fc407f

SHA512
668f9991e5ba60129012e0255fb9e1ef32448e8d01faf47e2bf23e288b933ddb9df9d15f82cb124fe69fa2ec80cbd7f50e620159690b2076701a53209304fcdc

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
3.1MB

MD5
eb9271b4a636a8e7675bc030a0d6d803

SHA1
866f6b290538ef955565e71e087ea647a3418ebf

SHA256
9f63b62bc58665d3302cfe660b6fae22c9e36ade2365e78f0e50b0c9f4fc407f

SHA512
668f9991e5ba60129012e0255fb9e1ef32448e8d01faf47e2bf23e288b933ddb9df9d15f82cb124fe69fa2ec80cbd7f50e620159690b2076701a53209304fcdc

Download Submit
\Users\Admin\AppData\Local\Temp\MZ

Filesize
3.7MB

MD5
3a50f95f57bac9d5c13d0cd763ac147e

SHA1
0c04343c2031eb4724fe973b403af15ed86b6f52

SHA256
8b140221dc73afb2da459d3e84dc2a8c8ce2392ceadfd3d796b7948d455ea72a

SHA512
8e3b62fcfee47558d2af27bf7b5bd8b29a3a15040781ec8a54e10cc685f4e2fc03c41ee533b64c5554501e6d6d74bbfc605881f619dc518a639f168240e72863

Download Submit
\Users\Admin\AppData\Local\Temp\MZ

Filesize
3.7MB

MD5
3a50f95f57bac9d5c13d0cd763ac147e

SHA1
0c04343c2031eb4724fe973b403af15ed86b6f52

SHA256
8b140221dc73afb2da459d3e84dc2a8c8ce2392ceadfd3d796b7948d455ea72a

SHA512
8e3b62fcfee47558d2af27bf7b5bd8b29a3a15040781ec8a54e10cc685f4e2fc03c41ee533b64c5554501e6d6d74bbfc605881f619dc518a639f168240e72863

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
3.1MB

MD5
eb9271b4a636a8e7675bc030a0d6d803

SHA1
866f6b290538ef955565e71e087ea647a3418ebf

SHA256
9f63b62bc58665d3302cfe660b6fae22c9e36ade2365e78f0e50b0c9f4fc407f

SHA512
668f9991e5ba60129012e0255fb9e1ef32448e8d01faf47e2bf23e288b933ddb9df9d15f82cb124fe69fa2ec80cbd7f50e620159690b2076701a53209304fcdc

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
3.1MB

MD5
eb9271b4a636a8e7675bc030a0d6d803

SHA1
866f6b290538ef955565e71e087ea647a3418ebf

SHA256
9f63b62bc58665d3302cfe660b6fae22c9e36ade2365e78f0e50b0c9f4fc407f

SHA512
668f9991e5ba60129012e0255fb9e1ef32448e8d01faf47e2bf23e288b933ddb9df9d15f82cb124fe69fa2ec80cbd7f50e620159690b2076701a53209304fcdc

Download Submit
memory/1056-66-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1056-288-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1056-67-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2300-85-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2300-84-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2300-291-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2380-83-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2380-80-0x0000000002AC0000-0x0000000002B3B000-memory.dmp

Filesize
492KB

Download
memory/2380-77-0x0000000002AC0000-0x0000000002B3B000-memory.dmp

Filesize
492KB

Download
memory/2380-64-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2380-65-0x0000000002AC0000-0x0000000002B3B000-memory.dmp

Filesize
492KB

Download
memory/2380-63-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download