be352678b42b5e5d84b7f960331f7c874ebedd00689145f14d2f5e7ce79d0924

Analysis

max time kernel
147s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03/09/2023, 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-22_d36fe560cdfefeba4580a307db8cb2d3_ryuk_JC.exe
Size

3.4MB
MD5

d36fe560cdfefeba4580a307db8cb2d3
SHA1

9e43c59d95e988ef2ac013d36218b4ecb856d04b
SHA256

be352678b42b5e5d84b7f960331f7c874ebedd00689145f14d2f5e7ce79d0924
SHA512

34f283ea0f915dd53a1ee623a448d5a717303e3d8d49ba6d3f503dd8c6437a11d0dd5f01ca616c9782b15f8cc6049773ab151c2373191e2d62ce12431978b389
SSDEEP

24576:eEtl9mRda12sX7hKB8NIyXbacAfZNRdpkhtIShJVVTyJNPty:9Es1RMB8NIMIxDCjVys

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	MZ

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	MZ

Executes dropped EXE 2 IoCs

pid	Process
1696	HelpMe.exe
1984	MZ

Loads dropped DLL 4 IoCs

pid	Process
2204	2023-08-22_d36fe560cdfefeba4580a307db8cb2d3_ryuk_JC.exe
2204	2023-08-22_d36fe560cdfefeba4580a307db8cb2d3_ryuk_JC.exe
2204	2023-08-22_d36fe560cdfefeba4580a307db8cb2d3_ryuk_JC.exe
2204	2023-08-22_d36fe560cdfefeba4580a307db8cb2d3_ryuk_JC.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\Q:	MZ
File opened (read-only)	\??\V:	MZ
File opened (read-only)	\??\X:	MZ
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\K:	MZ
File opened (read-only)	\??\T:	MZ
File opened (read-only)	\??\W:	MZ
File opened (read-only)	\??\L:	MZ
File opened (read-only)	\??\Y:	MZ
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\A:	MZ
File opened (read-only)	\??\E:	MZ
File opened (read-only)	\??\G:	MZ
File opened (read-only)	\??\N:	MZ
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\H:	MZ
File opened (read-only)	\??\R:	MZ
File opened (read-only)	\??\Z:	MZ
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\M:	MZ
File opened (read-only)	\??\S:	MZ
File opened (read-only)	\??\U:	MZ
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\J:	MZ
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\B:	MZ
File opened (read-only)	\??\I:	MZ
File opened (read-only)	\??\O:	MZ
File opened (read-only)	\??\P:	MZ

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	MZ
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notepad.exe.exe	2023-08-22_d36fe560cdfefeba4580a307db8cb2d3_ryuk_JC.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-08-22_d36fe560cdfefeba4580a307db8cb2d3_ryuk_JC.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	MZ
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	2023-08-22_d36fe560cdfefeba4580a307db8cb2d3_ryuk_JC.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	2023-08-22_d36fe560cdfefeba4580a307db8cb2d3_ryuk_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2204	2023-08-22_d36fe560cdfefeba4580a307db8cb2d3_ryuk_JC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 1696	2204	2023-08-22_d36fe560cdfefeba4580a307db8cb2d3_ryuk_JC.exe	28
PID 2204 wrote to memory of 1696	2204	2023-08-22_d36fe560cdfefeba4580a307db8cb2d3_ryuk_JC.exe	28
PID 2204 wrote to memory of 1696	2204	2023-08-22_d36fe560cdfefeba4580a307db8cb2d3_ryuk_JC.exe	28
PID 2204 wrote to memory of 1696	2204	2023-08-22_d36fe560cdfefeba4580a307db8cb2d3_ryuk_JC.exe	28
PID 2204 wrote to memory of 1984	2204	2023-08-22_d36fe560cdfefeba4580a307db8cb2d3_ryuk_JC.exe	29
PID 2204 wrote to memory of 1984	2204	2023-08-22_d36fe560cdfefeba4580a307db8cb2d3_ryuk_JC.exe	29
PID 2204 wrote to memory of 1984	2204	2023-08-22_d36fe560cdfefeba4580a307db8cb2d3_ryuk_JC.exe	29
PID 2204 wrote to memory of 1984	2204	2023-08-22_d36fe560cdfefeba4580a307db8cb2d3_ryuk_JC.exe	29

C:\Users\Admin\AppData\Local\Temp\2023-08-22_d36fe560cdfefeba4580a307db8cb2d3_ryuk_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-22_d36fe560cdfefeba4580a307db8cb2d3_ryuk_JC.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1696
- C:\Users\Admin\AppData\Local\Temp\MZ
  C:\Users\Admin\AppData\Local\Temp\\MZ
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-686452656-3203474025-4140627569-1000\desktop.ini.exe

Filesize
2.8MB

MD5
6e6117b0228834f4666b63c6b174c81b

SHA1
0270b777a6453d58427cf8d1084cfafcf71f60b6

SHA256
875a3a2074bc10ce4b2ee0dbbd8c0565a12d25625b822be69bc937ed9c5e49f9

SHA512
648792feda50da6a0dc2bca18a270eccb8f28cca816d1658bfc1fd78021af74d1330f823277d0b593bc00bd0cf74ba5db9ab89a0a04c1bfdaa4388222a05604d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MZ

Filesize
3.4MB

MD5
d36fe560cdfefeba4580a307db8cb2d3

SHA1
9e43c59d95e988ef2ac013d36218b4ecb856d04b

SHA256
be352678b42b5e5d84b7f960331f7c874ebedd00689145f14d2f5e7ce79d0924

SHA512
34f283ea0f915dd53a1ee623a448d5a717303e3d8d49ba6d3f503dd8c6437a11d0dd5f01ca616c9782b15f8cc6049773ab151c2373191e2d62ce12431978b389

Download Submit
C:\Users\Admin\AppData\Local\Temp\MZ

Filesize
3.4MB

MD5
d36fe560cdfefeba4580a307db8cb2d3

SHA1
9e43c59d95e988ef2ac013d36218b4ecb856d04b

SHA256
be352678b42b5e5d84b7f960331f7c874ebedd00689145f14d2f5e7ce79d0924

SHA512
34f283ea0f915dd53a1ee623a448d5a717303e3d8d49ba6d3f503dd8c6437a11d0dd5f01ca616c9782b15f8cc6049773ab151c2373191e2d62ce12431978b389

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
019b00fd5cecfbc46a4034b0f2022298

SHA1
e30bb9b7f92d2dc8358e01a541baac41d228b8c0

SHA256
8986563ab0fbf3a5dcb79cafa5d2cc5ae5fc8cced5edf73da2146791beaebbb5

SHA512
6227c468dfe1cf390667f41c4dd5f05b1bd5643687eda1be9214e97731649322b2fefbeaeb1b3b5ec84e268293da1a9c148c1cc051c9bed2f6c50b297b92cd49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
a1b822a95b7293c2b7cc5442df5bf6e5

SHA1
c7fa1839db78a15864bbb9a7b81b4e0b5c62734c

SHA256
38934c9de45ffb6a2fabd8395be9eb940a9ec443298772dab2de87dede1ab3c3

SHA512
29e87784e51cf0a743c247f62f23f3e527286533a1dbbbbe785688ef93e8d5d6240876ad2350284eedb33628eca05d256684d6d061dde594ed285afa4dc79e42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
019b00fd5cecfbc46a4034b0f2022298

SHA1
e30bb9b7f92d2dc8358e01a541baac41d228b8c0

SHA256
8986563ab0fbf3a5dcb79cafa5d2cc5ae5fc8cced5edf73da2146791beaebbb5

SHA512
6227c468dfe1cf390667f41c4dd5f05b1bd5643687eda1be9214e97731649322b2fefbeaeb1b3b5ec84e268293da1a9c148c1cc051c9bed2f6c50b297b92cd49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
019b00fd5cecfbc46a4034b0f2022298

SHA1
e30bb9b7f92d2dc8358e01a541baac41d228b8c0

SHA256
8986563ab0fbf3a5dcb79cafa5d2cc5ae5fc8cced5edf73da2146791beaebbb5

SHA512
6227c468dfe1cf390667f41c4dd5f05b1bd5643687eda1be9214e97731649322b2fefbeaeb1b3b5ec84e268293da1a9c148c1cc051c9bed2f6c50b297b92cd49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
a1b822a95b7293c2b7cc5442df5bf6e5

SHA1
c7fa1839db78a15864bbb9a7b81b4e0b5c62734c

SHA256
38934c9de45ffb6a2fabd8395be9eb940a9ec443298772dab2de87dede1ab3c3

SHA512
29e87784e51cf0a743c247f62f23f3e527286533a1dbbbbe785688ef93e8d5d6240876ad2350284eedb33628eca05d256684d6d061dde594ed285afa4dc79e42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
a1b822a95b7293c2b7cc5442df5bf6e5

SHA1
c7fa1839db78a15864bbb9a7b81b4e0b5c62734c

SHA256
38934c9de45ffb6a2fabd8395be9eb940a9ec443298772dab2de87dede1ab3c3

SHA512
29e87784e51cf0a743c247f62f23f3e527286533a1dbbbbe785688ef93e8d5d6240876ad2350284eedb33628eca05d256684d6d061dde594ed285afa4dc79e42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
019b00fd5cecfbc46a4034b0f2022298

SHA1
e30bb9b7f92d2dc8358e01a541baac41d228b8c0

SHA256
8986563ab0fbf3a5dcb79cafa5d2cc5ae5fc8cced5edf73da2146791beaebbb5

SHA512
6227c468dfe1cf390667f41c4dd5f05b1bd5643687eda1be9214e97731649322b2fefbeaeb1b3b5ec84e268293da1a9c148c1cc051c9bed2f6c50b297b92cd49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
019b00fd5cecfbc46a4034b0f2022298

SHA1
e30bb9b7f92d2dc8358e01a541baac41d228b8c0

SHA256
8986563ab0fbf3a5dcb79cafa5d2cc5ae5fc8cced5edf73da2146791beaebbb5

SHA512
6227c468dfe1cf390667f41c4dd5f05b1bd5643687eda1be9214e97731649322b2fefbeaeb1b3b5ec84e268293da1a9c148c1cc051c9bed2f6c50b297b92cd49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
019b00fd5cecfbc46a4034b0f2022298

SHA1
e30bb9b7f92d2dc8358e01a541baac41d228b8c0

SHA256
8986563ab0fbf3a5dcb79cafa5d2cc5ae5fc8cced5edf73da2146791beaebbb5

SHA512
6227c468dfe1cf390667f41c4dd5f05b1bd5643687eda1be9214e97731649322b2fefbeaeb1b3b5ec84e268293da1a9c148c1cc051c9bed2f6c50b297b92cd49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
a1b822a95b7293c2b7cc5442df5bf6e5

SHA1
c7fa1839db78a15864bbb9a7b81b4e0b5c62734c

SHA256
38934c9de45ffb6a2fabd8395be9eb940a9ec443298772dab2de87dede1ab3c3

SHA512
29e87784e51cf0a743c247f62f23f3e527286533a1dbbbbe785688ef93e8d5d6240876ad2350284eedb33628eca05d256684d6d061dde594ed285afa4dc79e42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
019b00fd5cecfbc46a4034b0f2022298

SHA1
e30bb9b7f92d2dc8358e01a541baac41d228b8c0

SHA256
8986563ab0fbf3a5dcb79cafa5d2cc5ae5fc8cced5edf73da2146791beaebbb5

SHA512
6227c468dfe1cf390667f41c4dd5f05b1bd5643687eda1be9214e97731649322b2fefbeaeb1b3b5ec84e268293da1a9c148c1cc051c9bed2f6c50b297b92cd49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
019b00fd5cecfbc46a4034b0f2022298

SHA1
e30bb9b7f92d2dc8358e01a541baac41d228b8c0

SHA256
8986563ab0fbf3a5dcb79cafa5d2cc5ae5fc8cced5edf73da2146791beaebbb5

SHA512
6227c468dfe1cf390667f41c4dd5f05b1bd5643687eda1be9214e97731649322b2fefbeaeb1b3b5ec84e268293da1a9c148c1cc051c9bed2f6c50b297b92cd49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
a1b822a95b7293c2b7cc5442df5bf6e5

SHA1
c7fa1839db78a15864bbb9a7b81b4e0b5c62734c

SHA256
38934c9de45ffb6a2fabd8395be9eb940a9ec443298772dab2de87dede1ab3c3

SHA512
29e87784e51cf0a743c247f62f23f3e527286533a1dbbbbe785688ef93e8d5d6240876ad2350284eedb33628eca05d256684d6d061dde594ed285afa4dc79e42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
019b00fd5cecfbc46a4034b0f2022298

SHA1
e30bb9b7f92d2dc8358e01a541baac41d228b8c0

SHA256
8986563ab0fbf3a5dcb79cafa5d2cc5ae5fc8cced5edf73da2146791beaebbb5

SHA512
6227c468dfe1cf390667f41c4dd5f05b1bd5643687eda1be9214e97731649322b2fefbeaeb1b3b5ec84e268293da1a9c148c1cc051c9bed2f6c50b297b92cd49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
019b00fd5cecfbc46a4034b0f2022298

SHA1
e30bb9b7f92d2dc8358e01a541baac41d228b8c0

SHA256
8986563ab0fbf3a5dcb79cafa5d2cc5ae5fc8cced5edf73da2146791beaebbb5

SHA512
6227c468dfe1cf390667f41c4dd5f05b1bd5643687eda1be9214e97731649322b2fefbeaeb1b3b5ec84e268293da1a9c148c1cc051c9bed2f6c50b297b92cd49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
019b00fd5cecfbc46a4034b0f2022298

SHA1
e30bb9b7f92d2dc8358e01a541baac41d228b8c0

SHA256
8986563ab0fbf3a5dcb79cafa5d2cc5ae5fc8cced5edf73da2146791beaebbb5

SHA512
6227c468dfe1cf390667f41c4dd5f05b1bd5643687eda1be9214e97731649322b2fefbeaeb1b3b5ec84e268293da1a9c148c1cc051c9bed2f6c50b297b92cd49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
a1b822a95b7293c2b7cc5442df5bf6e5

SHA1
c7fa1839db78a15864bbb9a7b81b4e0b5c62734c

SHA256
38934c9de45ffb6a2fabd8395be9eb940a9ec443298772dab2de87dede1ab3c3

SHA512
29e87784e51cf0a743c247f62f23f3e527286533a1dbbbbe785688ef93e8d5d6240876ad2350284eedb33628eca05d256684d6d061dde594ed285afa4dc79e42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
a1b822a95b7293c2b7cc5442df5bf6e5

SHA1
c7fa1839db78a15864bbb9a7b81b4e0b5c62734c

SHA256
38934c9de45ffb6a2fabd8395be9eb940a9ec443298772dab2de87dede1ab3c3

SHA512
29e87784e51cf0a743c247f62f23f3e527286533a1dbbbbe785688ef93e8d5d6240876ad2350284eedb33628eca05d256684d6d061dde594ed285afa4dc79e42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
019b00fd5cecfbc46a4034b0f2022298

SHA1
e30bb9b7f92d2dc8358e01a541baac41d228b8c0

SHA256
8986563ab0fbf3a5dcb79cafa5d2cc5ae5fc8cced5edf73da2146791beaebbb5

SHA512
6227c468dfe1cf390667f41c4dd5f05b1bd5643687eda1be9214e97731649322b2fefbeaeb1b3b5ec84e268293da1a9c148c1cc051c9bed2f6c50b297b92cd49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
a1b822a95b7293c2b7cc5442df5bf6e5

SHA1
c7fa1839db78a15864bbb9a7b81b4e0b5c62734c

SHA256
38934c9de45ffb6a2fabd8395be9eb940a9ec443298772dab2de87dede1ab3c3

SHA512
29e87784e51cf0a743c247f62f23f3e527286533a1dbbbbe785688ef93e8d5d6240876ad2350284eedb33628eca05d256684d6d061dde594ed285afa4dc79e42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
a1b822a95b7293c2b7cc5442df5bf6e5

SHA1
c7fa1839db78a15864bbb9a7b81b4e0b5c62734c

SHA256
38934c9de45ffb6a2fabd8395be9eb940a9ec443298772dab2de87dede1ab3c3

SHA512
29e87784e51cf0a743c247f62f23f3e527286533a1dbbbbe785688ef93e8d5d6240876ad2350284eedb33628eca05d256684d6d061dde594ed285afa4dc79e42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
a1b822a95b7293c2b7cc5442df5bf6e5

SHA1
c7fa1839db78a15864bbb9a7b81b4e0b5c62734c

SHA256
38934c9de45ffb6a2fabd8395be9eb940a9ec443298772dab2de87dede1ab3c3

SHA512
29e87784e51cf0a743c247f62f23f3e527286533a1dbbbbe785688ef93e8d5d6240876ad2350284eedb33628eca05d256684d6d061dde594ed285afa4dc79e42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
992B

MD5
a1b822a95b7293c2b7cc5442df5bf6e5

SHA1
c7fa1839db78a15864bbb9a7b81b4e0b5c62734c

SHA256
38934c9de45ffb6a2fabd8395be9eb940a9ec443298772dab2de87dede1ab3c3

SHA512
29e87784e51cf0a743c247f62f23f3e527286533a1dbbbbe785688ef93e8d5d6240876ad2350284eedb33628eca05d256684d6d061dde594ed285afa4dc79e42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
019b00fd5cecfbc46a4034b0f2022298

SHA1
e30bb9b7f92d2dc8358e01a541baac41d228b8c0

SHA256
8986563ab0fbf3a5dcb79cafa5d2cc5ae5fc8cced5edf73da2146791beaebbb5

SHA512
6227c468dfe1cf390667f41c4dd5f05b1bd5643687eda1be9214e97731649322b2fefbeaeb1b3b5ec84e268293da1a9c148c1cc051c9bed2f6c50b297b92cd49

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.8MB

MD5
71a4097f0a3d33d2e3ab305f9f26ff91

SHA1
e888ecf56bbcf65326ed3ba7c81afad3321d3030

SHA256
7a5c77be3cae4ed0f86c762d390feb4e14152b8807e4b7ee4f616eb1007431b4

SHA512
f475f3688a50cec777ecf9763fa93d14b682ceee5a4315ad412b193f19a8c30768b5fe7cd486b69ca8f2c3d9e542d1c9f27482648bfb49e3f4339176d6686dc9

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.8MB

MD5
71a4097f0a3d33d2e3ab305f9f26ff91

SHA1
e888ecf56bbcf65326ed3ba7c81afad3321d3030

SHA256
7a5c77be3cae4ed0f86c762d390feb4e14152b8807e4b7ee4f616eb1007431b4

SHA512
f475f3688a50cec777ecf9763fa93d14b682ceee5a4315ad412b193f19a8c30768b5fe7cd486b69ca8f2c3d9e542d1c9f27482648bfb49e3f4339176d6686dc9

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
2.8MB

MD5
71a4097f0a3d33d2e3ab305f9f26ff91

SHA1
e888ecf56bbcf65326ed3ba7c81afad3321d3030

SHA256
7a5c77be3cae4ed0f86c762d390feb4e14152b8807e4b7ee4f616eb1007431b4

SHA512
f475f3688a50cec777ecf9763fa93d14b682ceee5a4315ad412b193f19a8c30768b5fe7cd486b69ca8f2c3d9e542d1c9f27482648bfb49e3f4339176d6686dc9

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
2.8MB

MD5
71a4097f0a3d33d2e3ab305f9f26ff91

SHA1
e888ecf56bbcf65326ed3ba7c81afad3321d3030

SHA256
7a5c77be3cae4ed0f86c762d390feb4e14152b8807e4b7ee4f616eb1007431b4

SHA512
f475f3688a50cec777ecf9763fa93d14b682ceee5a4315ad412b193f19a8c30768b5fe7cd486b69ca8f2c3d9e542d1c9f27482648bfb49e3f4339176d6686dc9

Download Submit
\Users\Admin\AppData\Local\Temp\MZ

Filesize
3.4MB

MD5
d36fe560cdfefeba4580a307db8cb2d3

SHA1
9e43c59d95e988ef2ac013d36218b4ecb856d04b

SHA256
be352678b42b5e5d84b7f960331f7c874ebedd00689145f14d2f5e7ce79d0924

SHA512
34f283ea0f915dd53a1ee623a448d5a717303e3d8d49ba6d3f503dd8c6437a11d0dd5f01ca616c9782b15f8cc6049773ab151c2373191e2d62ce12431978b389

Download Submit
\Users\Admin\AppData\Local\Temp\MZ

Filesize
3.4MB

MD5
d36fe560cdfefeba4580a307db8cb2d3

SHA1
9e43c59d95e988ef2ac013d36218b4ecb856d04b

SHA256
be352678b42b5e5d84b7f960331f7c874ebedd00689145f14d2f5e7ce79d0924

SHA512
34f283ea0f915dd53a1ee623a448d5a717303e3d8d49ba6d3f503dd8c6437a11d0dd5f01ca616c9782b15f8cc6049773ab151c2373191e2d62ce12431978b389

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.8MB

MD5
71a4097f0a3d33d2e3ab305f9f26ff91

SHA1
e888ecf56bbcf65326ed3ba7c81afad3321d3030

SHA256
7a5c77be3cae4ed0f86c762d390feb4e14152b8807e4b7ee4f616eb1007431b4

SHA512
f475f3688a50cec777ecf9763fa93d14b682ceee5a4315ad412b193f19a8c30768b5fe7cd486b69ca8f2c3d9e542d1c9f27482648bfb49e3f4339176d6686dc9

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.8MB

MD5
71a4097f0a3d33d2e3ab305f9f26ff91

SHA1
e888ecf56bbcf65326ed3ba7c81afad3321d3030

SHA256
7a5c77be3cae4ed0f86c762d390feb4e14152b8807e4b7ee4f616eb1007431b4

SHA512
f475f3688a50cec777ecf9763fa93d14b682ceee5a4315ad412b193f19a8c30768b5fe7cd486b69ca8f2c3d9e542d1c9f27482648bfb49e3f4339176d6686dc9

Download Submit
memory/1696-84-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1696-11-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1984-25-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1984-21-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1984-89-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2204-20-0x0000000000380000-0x00000000003FB000-memory.dmp

Filesize
492KB

Download
memory/2204-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2204-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2204-28-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download