54c3759049aa1e826391f6e2c3536cd3054a4ac1477db2cfffb79d28cf75726b

Analysis

max time kernel
151s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-25_6e1c6f9b71a2032877591ef269058d42_ryuk_JC.exe
Size

9.1MB
MD5

6e1c6f9b71a2032877591ef269058d42
SHA1

3704e5ef0cd504acabb97b58fb6b579416f31f6f
SHA256

54c3759049aa1e826391f6e2c3536cd3054a4ac1477db2cfffb79d28cf75726b
SHA512

4a6faa777ff166d768b419a5edda70cdb4fab906a9ac4c087dac9ad8c744453180966b5dadf5405feeb63cf50bd7a6a94a9697dc6e944237b920cc3087fb0b9b
SSDEEP

98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMZ:9nwn8

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	MZ

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	MZ
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	MZ
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 2 IoCs

pid	Process
1988	HelpMe.exe
4820	MZ

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\B:	MZ
File opened (read-only)	\??\I:	MZ
File opened (read-only)	\??\T:	MZ
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\N:	MZ
File opened (read-only)	\??\Z:	MZ
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\X:	MZ
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\R:	MZ
File opened (read-only)	\??\S:	MZ
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\G:	MZ
File opened (read-only)	\??\H:	MZ
File opened (read-only)	\??\K:	MZ
File opened (read-only)	\??\U:	MZ
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\J:	MZ
File opened (read-only)	\??\M:	MZ
File opened (read-only)	\??\O:	MZ
File opened (read-only)	\??\P:	MZ
File opened (read-only)	\??\Q:	MZ
File opened (read-only)	\??\V:	MZ
File opened (read-only)	\??\W:	MZ
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\E:	MZ
File opened (read-only)	\??\L:	MZ
File opened (read-only)	\??\Y:	MZ
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\A:	MZ
File opened (read-only)	\??\G:	HelpMe.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	MZ
File opened for modification	F:\AUTORUN.INF	MZ
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notepad.exe.exe	2023-08-25_6e1c6f9b71a2032877591ef269058d42_ryuk_JC.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-08-25_6e1c6f9b71a2032877591ef269058d42_ryuk_JC.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	MZ
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	2023-08-25_6e1c6f9b71a2032877591ef269058d42_ryuk_JC.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\cs.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\7z.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\7zFM.exe.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\sv.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\7z.sfx.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\sq.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\br.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\sk.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\7-zip.chm.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4444	2023-08-25_6e1c6f9b71a2032877591ef269058d42_ryuk_JC.exe
4444	2023-08-25_6e1c6f9b71a2032877591ef269058d42_ryuk_JC.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 1988	4444	2023-08-25_6e1c6f9b71a2032877591ef269058d42_ryuk_JC.exe	86
PID 4444 wrote to memory of 1988	4444	2023-08-25_6e1c6f9b71a2032877591ef269058d42_ryuk_JC.exe	86
PID 4444 wrote to memory of 1988	4444	2023-08-25_6e1c6f9b71a2032877591ef269058d42_ryuk_JC.exe	86
PID 4444 wrote to memory of 4820	4444	2023-08-25_6e1c6f9b71a2032877591ef269058d42_ryuk_JC.exe	88
PID 4444 wrote to memory of 4820	4444	2023-08-25_6e1c6f9b71a2032877591ef269058d42_ryuk_JC.exe	88
PID 4444 wrote to memory of 4820	4444	2023-08-25_6e1c6f9b71a2032877591ef269058d42_ryuk_JC.exe	88

C:\Users\Admin\AppData\Local\Temp\2023-08-25_6e1c6f9b71a2032877591ef269058d42_ryuk_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-25_6e1c6f9b71a2032877591ef269058d42_ryuk_JC.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  PID:1988
- C:\Users\Admin\AppData\Local\Temp\MZ
  C:\Users\Admin\AppData\Local\Temp\\MZ
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1926387074-3400613176-3566796709-1000\desktop.ini.exe

Filesize
8.6MB

MD5
126868c484dd48a95e6f8d6d502cf04a

SHA1
8212d691bec14ddc42824ac81af17d9a8d758242

SHA256
407605e8e3213b8d9322c3217664586108096f86af1495bdc9767c6edfff6a1a

SHA512
04b56217893effebfff1e927cce0b3ca4d7a5de924eec627864844c3d8ad19f6483c76e85372cbfa2dcce046e7b8e49bad2421130e7cff2ed62a4dd0f441b5d4

Download Submit
C:\AutoRun.exe

Filesize
8.6MB

MD5
6318cf30b0bee1f31d6613354b499512

SHA1
9268aabac277b116987ceed332f9538b5e2573b5

SHA256
283fd04f0a877d11a3a1db84c8ad3ff4a2f55c9fbfcc80d9001a6c51c7b2e730

SHA512
14e20d8e885cabbb7a72e3db3b1d14142fba5b904b91e7172c8e1fee3cee640683d1fd9152cacb0473bd6cc35b5b31bfafb9a28edae92d69f3daa839389d00a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MZ

Filesize
9.1MB

MD5
6e1c6f9b71a2032877591ef269058d42

SHA1
3704e5ef0cd504acabb97b58fb6b579416f31f6f

SHA256
54c3759049aa1e826391f6e2c3536cd3054a4ac1477db2cfffb79d28cf75726b

SHA512
4a6faa777ff166d768b419a5edda70cdb4fab906a9ac4c087dac9ad8c744453180966b5dadf5405feeb63cf50bd7a6a94a9697dc6e944237b920cc3087fb0b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MZ

Filesize
9.1MB

MD5
6e1c6f9b71a2032877591ef269058d42

SHA1
3704e5ef0cd504acabb97b58fb6b579416f31f6f

SHA256
54c3759049aa1e826391f6e2c3536cd3054a4ac1477db2cfffb79d28cf75726b

SHA512
4a6faa777ff166d768b419a5edda70cdb4fab906a9ac4c087dac9ad8c744453180966b5dadf5405feeb63cf50bd7a6a94a9697dc6e944237b920cc3087fb0b9b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
6477aaee3fa50b13d7f3c604457f3ae4

SHA1
329a5c68d7df6b5111e2f9f8469698c7490b313a

SHA256
efc40f683308e225221eefd3f4633b9d7da554ca6a51c209105b28061ce08357

SHA512
b5faa5cc3ecbc34030f3b6cc1dd7e1b409a11baf1392e33cab801635ce485c59a026d69c3a2aae0b39d16158a182a5e75d7f54a0a75817144a7b5bfa511e487e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
3b249fe43e21ecf990d80850b65ca93c

SHA1
5b55e9b0371f5b299ff7a479af843f420317eca8

SHA256
19ecee0873fe0b70d8e38d11e37d543f028cdcdb0b30da60bce1139b5154ee1e

SHA512
b7364630bae250cbe6e5de51b68d0badd9531ae2fc51357efa2b3e45418654d21aa4b81a2ad6ca2076c8e0bd6e510b533ccec320bdd3ff0a858a0a6075cbbab1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
6477aaee3fa50b13d7f3c604457f3ae4

SHA1
329a5c68d7df6b5111e2f9f8469698c7490b313a

SHA256
efc40f683308e225221eefd3f4633b9d7da554ca6a51c209105b28061ce08357

SHA512
b5faa5cc3ecbc34030f3b6cc1dd7e1b409a11baf1392e33cab801635ce485c59a026d69c3a2aae0b39d16158a182a5e75d7f54a0a75817144a7b5bfa511e487e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0fd57291da809a532c13265b7400b4f2

SHA1
904573f58b2170da22e88fd55b89e378021a6839

SHA256
6d0779544fc180923a93809790601b97edf083b3bae8effe81df708f48cfbe02

SHA512
d46888d74407a0b9a5abe58481e40c27b7b193869a406b352f26c07bb1ad92444905718fbc5772af91e45454a618e1aef5cd588128d06f3390d9f0fc2f267d28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d97dd39f5251c85489f44f24268e9731

SHA1
be1b638fe75d1917a43113f7c40e381173c8903f

SHA256
5e661e0cfee5d79625fe8a382c56532845424298d0fe459248ecd3de696830d4

SHA512
4bab4489f4903ac54c3ef5f5a56dadcdeccd7d2ac1fb150355c41b5e8c06d0c0c2599e8fdad3fa0c97a90d50a17d1cdfaca877ef17e7288fb2638bf7fd252bdc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d97dd39f5251c85489f44f24268e9731

SHA1
be1b638fe75d1917a43113f7c40e381173c8903f

SHA256
5e661e0cfee5d79625fe8a382c56532845424298d0fe459248ecd3de696830d4

SHA512
4bab4489f4903ac54c3ef5f5a56dadcdeccd7d2ac1fb150355c41b5e8c06d0c0c2599e8fdad3fa0c97a90d50a17d1cdfaca877ef17e7288fb2638bf7fd252bdc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7a9c960a566ab5839a340dc723467c7f

SHA1
69cb854a9dc202e0c7e20daff3abaab0c3c40d63

SHA256
703d317149230a5c2e39034e1bc16d7556c7a5d2ef06bf0f367122b8dcb7e27d

SHA512
5bfd75dc4033282b146484cb6d479a63748b24222547e34a9d37cb2819837d2d93e6e6bdbb03fb1c64ed6fbe61e73f3810811cf1b703c199144679465b6feb8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7a9c960a566ab5839a340dc723467c7f

SHA1
69cb854a9dc202e0c7e20daff3abaab0c3c40d63

SHA256
703d317149230a5c2e39034e1bc16d7556c7a5d2ef06bf0f367122b8dcb7e27d

SHA512
5bfd75dc4033282b146484cb6d479a63748b24222547e34a9d37cb2819837d2d93e6e6bdbb03fb1c64ed6fbe61e73f3810811cf1b703c199144679465b6feb8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a0431ca77e8033e088cf25f4539baf10

SHA1
4b7b260810a0e2fc4168c2c6bed50b63d8961efb

SHA256
565198874a06e88abd89cc486b41c0d09122f832ca982131aca533c9561a6e15

SHA512
bd1c9f9f352594c6219e58e21836ee0858916cf5999dbb0ba0d6e3f983802446a1be71577763f060c469a35ce033dc509fa4dbf50eca877b24773a77a76e93e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7a66efb98df3594f155234428847b639

SHA1
c3d59aac73a7f5f244f76a7d460b4403bdd2a7b7

SHA256
a212928d094168eb8a9ec724d2c0da966a157126e51ae2a15665fb8fca90b4f5

SHA512
b80fe982a6b4ef9031d9bf1a9b0974762dde4539ac19c407fd3b6569a51b8b0700924c072280b22e65b7fe4c2a87e061e3b4e9f7a39ac0734f79fd5cfffd2c6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7a66efb98df3594f155234428847b639

SHA1
c3d59aac73a7f5f244f76a7d460b4403bdd2a7b7

SHA256
a212928d094168eb8a9ec724d2c0da966a157126e51ae2a15665fb8fca90b4f5

SHA512
b80fe982a6b4ef9031d9bf1a9b0974762dde4539ac19c407fd3b6569a51b8b0700924c072280b22e65b7fe4c2a87e061e3b4e9f7a39ac0734f79fd5cfffd2c6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
411aa508a96b590267f06a4da1aeb69d

SHA1
b610d53997d1e2270d76a06f109e7ef84ac283cc

SHA256
e4d2cf06f3f87dcb2589bbfc05926fb6982015ba31a087358fd028a8f79c3e8b

SHA512
0d8e403ea42c3c8bf2f5ee44edaf42cf7f527e1f4e06c4b1584320d5df47759943484f34fdc6fccba3a80248f11638c635a78a1604dc1f29a1829b84f9c3d415

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
8146381e791a2decd872064368239d2e

SHA1
f425d43baaae0b73a61ebcf782b1978a596b50a1

SHA256
2a1d049b96df812f913fb756c8f0b10fb33a8e1e62a186a59a85450de0d02ae3

SHA512
a91fc49711c5f38b36591b5b76a27ca637d55f40bf8b8794a37dbfd9ecaac3829ace3990fce0da6dc6afa060a6c893e3afd0c62f9f69cc608656352b503ae234

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
730abbefeb1bea6d4b40bd579070c57b

SHA1
9b25f5c62f2306e1569624e45f5ebd743ed67c0f

SHA256
9bb4e86a361eb860c1bfbddf1551d74f30af456deebf6e52b184bc335e220cd8

SHA512
9f59c4c39ad5d5de692d8898ede5e4bd49b06921273bd718dde35eb47c3996feb46197e11286a175ecede5ab4c8bed0f9015017e3dd1a77a2e2f1461c6419d94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
750a12911cf40a17ac25b92f16773eee

SHA1
6407f370f69a25f6ae1e34d624ffd5c4e388e7a2

SHA256
1b311c64a3e7eedec751ab16fe5703449d5ea25b9167e4b4c3f4f97a3ed2f58e

SHA512
c30caed35bc44adfd05dbc1e4b80e5b58dbad6fe3c2f56f1c6671232ce73b0e501b6b44192a99d885f4b78b181a5886631ef92ffa2193bbc287aee74870f6dad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
5f20ec588e1b49fc26763e97cd907d5b

SHA1
450f6df917a35d05d02684cd342ee261645001a0

SHA256
a3b2a5efde1e858121c8bff6c0a8661f1f765e5ace6ea949abe4884859f212a0

SHA512
425456f1e3ba985659ab8f212b0a57b0222223cebb19f512f04dbb656a6f400221c3ed6befa25b5130879dd0b9569995517885f8e3ae4d56570b6f80afb9b21b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
6ae3add3ceec3419f41ac22f9c652f59

SHA1
a767ce93b7e4aefd5f9036728783dcd7322e9e4d

SHA256
6d8cf2f71f4cfe83cf8ba991a395958c273f0c43fd69464d13adc9a9c9e5c0cf

SHA512
2a6b1f5fdce6fa3c57b84a74bd608d70c9fb9d03aa50af2d5a32fa3211ddd87ef1114cfff1eecdc4dc4959a458f6ed784e0c6d4d019d98db0a45be4e8f5fcea4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
f71bccae66fd1b619d65931799662a7c

SHA1
c59a8090309746c2e671657252724a4a984f26f2

SHA256
2510c73596d44ef01b55308f296fb1ba5e6fd59c4997a354c6a1830d2897077f

SHA512
747219cd4494c0d1dcb278da4aa8be5d8f41c62a20a0011106acebbe5375037ec5a16694bd9c4b64566fc38f81bc158279746a44963794deca35f89fc86c4c13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
f71bccae66fd1b619d65931799662a7c

SHA1
c59a8090309746c2e671657252724a4a984f26f2

SHA256
2510c73596d44ef01b55308f296fb1ba5e6fd59c4997a354c6a1830d2897077f

SHA512
747219cd4494c0d1dcb278da4aa8be5d8f41c62a20a0011106acebbe5375037ec5a16694bd9c4b64566fc38f81bc158279746a44963794deca35f89fc86c4c13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
f71bccae66fd1b619d65931799662a7c

SHA1
c59a8090309746c2e671657252724a4a984f26f2

SHA256
2510c73596d44ef01b55308f296fb1ba5e6fd59c4997a354c6a1830d2897077f

SHA512
747219cd4494c0d1dcb278da4aa8be5d8f41c62a20a0011106acebbe5375037ec5a16694bd9c4b64566fc38f81bc158279746a44963794deca35f89fc86c4c13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2e565a1298915d2dd9609ff966dfccb2

SHA1
4140902f78d7c5bfd7be2d046e9a97836518bb2f

SHA256
02af86d9197c7360e8e61330b1d020ba1b623b7bce17f71970283ed6194e7352

SHA512
a6682a4bb7bf0f76621aba359f92621ecc3ad52d37b8db80da2d5ba4acc03ff9c9d3e5693726108a35abc34b4bc8e0b7ceac530c599c53ecd24a67b6c792b31c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e0850e258ceb5767f2e7b2b209056d7e

SHA1
42c8b22e3d0c6c87a78249fdd676f76459419175

SHA256
41b212e6e8bd1def6bdf3d6a9e50058bace1edd369edd102fee9066258f7bdb9

SHA512
80643d7eab5cb33b91aab9a8f28253542e51052905bde963ca4cefffded4bab41ffc66798e31f391d1401f7b5285982eeb99817915cdef9132942a24bf5cfee6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
58699834c9bfb1618307336976bafd31

SHA1
c8b95a646bf397123150e874aacb9747993f9616

SHA256
33c55cd4d7681b35b0cbc586c8d5630a395db0ddcf49c30119cd54b6203837f2

SHA512
f8be85ac6fef42502f615b0525fcf7947ecb931b1d07fd2f5c0d7c1ae7b64980ade96d1099a203d0b6ab68d8121072f2adf7fe3b3faa536b843ee16a42960823

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
58699834c9bfb1618307336976bafd31

SHA1
c8b95a646bf397123150e874aacb9747993f9616

SHA256
33c55cd4d7681b35b0cbc586c8d5630a395db0ddcf49c30119cd54b6203837f2

SHA512
f8be85ac6fef42502f615b0525fcf7947ecb931b1d07fd2f5c0d7c1ae7b64980ade96d1099a203d0b6ab68d8121072f2adf7fe3b3faa536b843ee16a42960823

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
8.6MB

MD5
6318cf30b0bee1f31d6613354b499512

SHA1
9268aabac277b116987ceed332f9538b5e2573b5

SHA256
283fd04f0a877d11a3a1db84c8ad3ff4a2f55c9fbfcc80d9001a6c51c7b2e730

SHA512
14e20d8e885cabbb7a72e3db3b1d14142fba5b904b91e7172c8e1fee3cee640683d1fd9152cacb0473bd6cc35b5b31bfafb9a28edae92d69f3daa839389d00a0

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
8.6MB

MD5
6318cf30b0bee1f31d6613354b499512

SHA1
9268aabac277b116987ceed332f9538b5e2573b5

SHA256
283fd04f0a877d11a3a1db84c8ad3ff4a2f55c9fbfcc80d9001a6c51c7b2e730

SHA512
14e20d8e885cabbb7a72e3db3b1d14142fba5b904b91e7172c8e1fee3cee640683d1fd9152cacb0473bd6cc35b5b31bfafb9a28edae92d69f3daa839389d00a0

Download Submit
C:\Windows\SysWOW64\notepad.exe.exe

Filesize
9.2MB

MD5
da26889680dc04dabf715441a069fdb0

SHA1
27b270699d395b52c548bae4e69c25bfb78d3b7a

SHA256
4ac239e6f16d988abf11dffc8e17072a8981f062be67d064ddbbe3c472e06cde

SHA512
5ddcc66a4fd51dc0091896e832907c051534c5eef7578c1e952064f7b920d1ac4400ae9bf5295f04b838175aaee78028f9e499506112bf583217c0fef8080780

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
8.6MB

MD5
1e6dece3d7d048930b2b2eb2835793ab

SHA1
e98aeda80515d455c8b5ec95369a6d751457f00a

SHA256
9253d7753eecbe79110341015950c9d30e8db06bfd3a156d6bca658aeb702545

SHA512
58cab12c80b409d69bcd7bfe8434469a4046f2803422867607dce116a4aa7f5032d5bc47f052ff47598483b37950d845cebead1b93b4750de428e1eac1fc5bb1

Download Submit
F:\AutoRun.exe

Filesize
8.6MB

MD5
6318cf30b0bee1f31d6613354b499512

SHA1
9268aabac277b116987ceed332f9538b5e2573b5

SHA256
283fd04f0a877d11a3a1db84c8ad3ff4a2f55c9fbfcc80d9001a6c51c7b2e730

SHA512
14e20d8e885cabbb7a72e3db3b1d14142fba5b904b91e7172c8e1fee3cee640683d1fd9152cacb0473bd6cc35b5b31bfafb9a28edae92d69f3daa839389d00a0

Download Submit
memory/1988-7-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/1988-6-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1988-34-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1988-35-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/4444-17-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4444-1-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/4444-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4820-12-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

Filesize
4KB

Download
memory/4820-37-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4820-52-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

Filesize
4KB

Download