c8470268021f5abcbaefafdc5af78f00d9fe3ec60244c76dcd19d9553c9a467b

Analysis

max time kernel
146s
max time network
124s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
23/10/2023, 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
Size

20.8MB
MD5

4a5124a0eda820d13842f5f2cb1a1f68
SHA1

73ca97e8f09591871e7b9eba1d22d783883438b4
SHA256

c8470268021f5abcbaefafdc5af78f00d9fe3ec60244c76dcd19d9553c9a467b
SHA512

8d02d8e8987c18b79dc6682dc2026a1494554dd6d593096c46ee56dbff27a137b2b11d38973910d23140d4edadda392aeff89200ab2611b6a13e74f476c234cd
SSDEEP

98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMh:9nwngnwnBRg

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
1316	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
1244	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
1244	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\V:	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\K:	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File opened (read-only)	\??\W:	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File opened (read-only)	\??\Z:	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\L:	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File opened (read-only)	\??\O:	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File opened (read-only)	\??\S:	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File opened (read-only)	\??\U:	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\N:	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File opened (read-only)	\??\R:	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\G:	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File opened (read-only)	\??\Y:	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\A:	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File opened (read-only)	\??\Q:	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File opened (read-only)	\??\I:	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File opened (read-only)	\??\T:	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File opened (read-only)	\??\X:	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\E:	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File opened (read-only)	\??\H:	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\M:	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File opened (read-only)	\??\P:	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\B:	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File opened (read-only)	\??\J:	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File opened for modification	C:\AUTORUN.INF	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1316	HelpMe.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 1316	1244	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe	28
PID 1244 wrote to memory of 1316	1244	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe	28
PID 1244 wrote to memory of 1316	1244	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe	28
PID 1244 wrote to memory of 1316	1244	NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-06_4a5124a0eda820d13842f5f2cb1a1f68_ryuk_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1154728922-3261336865-3456416385-1000\desktop.ini.exe

Filesize
20.8MB

MD5
aeb687b8055d9af8b97fb69de7832736

SHA1
2f99813a49c879e0212992f52bb2b0d641a6aea1

SHA256
a6297a542ceaeb1e6bd0d85f4513c1bf250bd023d2daff546abc03587dbd235a

SHA512
0761eafbe27d7b455efe1ce4c58bf0bccba90e341c5cb9530b4907c63b409d155a3786a5b2abde80dfae90f827c1192a4d6dcb0469394676ab66c1ef4a7f3676

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
6cc1f667881a609eb69c613a18b4c0a9

SHA1
b8684c815bc3ceca692f47382dc783ed492c75a8

SHA256
47b70cf9e113b13cb1652fa26ed792ddbe4eed53244aa44fed87e4bc62f7e295

SHA512
946339317d6f45866025eb6a02da07b91242517697a7b63ab851221076facead31fce2946901c35de0ae0d16717700fd83b9aa0f86c5c5d4d9c3663a93c37801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c03b3e9bb05396a7719f9ebee36dd67

SHA1
1055fdc6ac07ce32ecb1c209e991e46fa50d02af

SHA256
edfd7b0ef559df8b0b36de54a436ea8c3e31ddd3f7d82afb393ed16656d8a32c

SHA512
f993ca1a0b7cf78043efbb2a6aa04da557b4a2a4e3e8550948315d8378d27a49086c6e019153118507d315bd1347cbbe3416a17cc204d367d69650732e056b07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c03b3e9bb05396a7719f9ebee36dd67

SHA1
1055fdc6ac07ce32ecb1c209e991e46fa50d02af

SHA256
edfd7b0ef559df8b0b36de54a436ea8c3e31ddd3f7d82afb393ed16656d8a32c

SHA512
f993ca1a0b7cf78043efbb2a6aa04da557b4a2a4e3e8550948315d8378d27a49086c6e019153118507d315bd1347cbbe3416a17cc204d367d69650732e056b07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
6cc1f667881a609eb69c613a18b4c0a9

SHA1
b8684c815bc3ceca692f47382dc783ed492c75a8

SHA256
47b70cf9e113b13cb1652fa26ed792ddbe4eed53244aa44fed87e4bc62f7e295

SHA512
946339317d6f45866025eb6a02da07b91242517697a7b63ab851221076facead31fce2946901c35de0ae0d16717700fd83b9aa0f86c5c5d4d9c3663a93c37801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c03b3e9bb05396a7719f9ebee36dd67

SHA1
1055fdc6ac07ce32ecb1c209e991e46fa50d02af

SHA256
edfd7b0ef559df8b0b36de54a436ea8c3e31ddd3f7d82afb393ed16656d8a32c

SHA512
f993ca1a0b7cf78043efbb2a6aa04da557b4a2a4e3e8550948315d8378d27a49086c6e019153118507d315bd1347cbbe3416a17cc204d367d69650732e056b07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c03b3e9bb05396a7719f9ebee36dd67

SHA1
1055fdc6ac07ce32ecb1c209e991e46fa50d02af

SHA256
edfd7b0ef559df8b0b36de54a436ea8c3e31ddd3f7d82afb393ed16656d8a32c

SHA512
f993ca1a0b7cf78043efbb2a6aa04da557b4a2a4e3e8550948315d8378d27a49086c6e019153118507d315bd1347cbbe3416a17cc204d367d69650732e056b07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
6cc1f667881a609eb69c613a18b4c0a9

SHA1
b8684c815bc3ceca692f47382dc783ed492c75a8

SHA256
47b70cf9e113b13cb1652fa26ed792ddbe4eed53244aa44fed87e4bc62f7e295

SHA512
946339317d6f45866025eb6a02da07b91242517697a7b63ab851221076facead31fce2946901c35de0ae0d16717700fd83b9aa0f86c5c5d4d9c3663a93c37801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c03b3e9bb05396a7719f9ebee36dd67

SHA1
1055fdc6ac07ce32ecb1c209e991e46fa50d02af

SHA256
edfd7b0ef559df8b0b36de54a436ea8c3e31ddd3f7d82afb393ed16656d8a32c

SHA512
f993ca1a0b7cf78043efbb2a6aa04da557b4a2a4e3e8550948315d8378d27a49086c6e019153118507d315bd1347cbbe3416a17cc204d367d69650732e056b07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
6cc1f667881a609eb69c613a18b4c0a9

SHA1
b8684c815bc3ceca692f47382dc783ed492c75a8

SHA256
47b70cf9e113b13cb1652fa26ed792ddbe4eed53244aa44fed87e4bc62f7e295

SHA512
946339317d6f45866025eb6a02da07b91242517697a7b63ab851221076facead31fce2946901c35de0ae0d16717700fd83b9aa0f86c5c5d4d9c3663a93c37801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
6cc1f667881a609eb69c613a18b4c0a9

SHA1
b8684c815bc3ceca692f47382dc783ed492c75a8

SHA256
47b70cf9e113b13cb1652fa26ed792ddbe4eed53244aa44fed87e4bc62f7e295

SHA512
946339317d6f45866025eb6a02da07b91242517697a7b63ab851221076facead31fce2946901c35de0ae0d16717700fd83b9aa0f86c5c5d4d9c3663a93c37801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c03b3e9bb05396a7719f9ebee36dd67

SHA1
1055fdc6ac07ce32ecb1c209e991e46fa50d02af

SHA256
edfd7b0ef559df8b0b36de54a436ea8c3e31ddd3f7d82afb393ed16656d8a32c

SHA512
f993ca1a0b7cf78043efbb2a6aa04da557b4a2a4e3e8550948315d8378d27a49086c6e019153118507d315bd1347cbbe3416a17cc204d367d69650732e056b07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
6cc1f667881a609eb69c613a18b4c0a9

SHA1
b8684c815bc3ceca692f47382dc783ed492c75a8

SHA256
47b70cf9e113b13cb1652fa26ed792ddbe4eed53244aa44fed87e4bc62f7e295

SHA512
946339317d6f45866025eb6a02da07b91242517697a7b63ab851221076facead31fce2946901c35de0ae0d16717700fd83b9aa0f86c5c5d4d9c3663a93c37801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c03b3e9bb05396a7719f9ebee36dd67

SHA1
1055fdc6ac07ce32ecb1c209e991e46fa50d02af

SHA256
edfd7b0ef559df8b0b36de54a436ea8c3e31ddd3f7d82afb393ed16656d8a32c

SHA512
f993ca1a0b7cf78043efbb2a6aa04da557b4a2a4e3e8550948315d8378d27a49086c6e019153118507d315bd1347cbbe3416a17cc204d367d69650732e056b07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
6cc1f667881a609eb69c613a18b4c0a9

SHA1
b8684c815bc3ceca692f47382dc783ed492c75a8

SHA256
47b70cf9e113b13cb1652fa26ed792ddbe4eed53244aa44fed87e4bc62f7e295

SHA512
946339317d6f45866025eb6a02da07b91242517697a7b63ab851221076facead31fce2946901c35de0ae0d16717700fd83b9aa0f86c5c5d4d9c3663a93c37801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c03b3e9bb05396a7719f9ebee36dd67

SHA1
1055fdc6ac07ce32ecb1c209e991e46fa50d02af

SHA256
edfd7b0ef559df8b0b36de54a436ea8c3e31ddd3f7d82afb393ed16656d8a32c

SHA512
f993ca1a0b7cf78043efbb2a6aa04da557b4a2a4e3e8550948315d8378d27a49086c6e019153118507d315bd1347cbbe3416a17cc204d367d69650732e056b07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
6cc1f667881a609eb69c613a18b4c0a9

SHA1
b8684c815bc3ceca692f47382dc783ed492c75a8

SHA256
47b70cf9e113b13cb1652fa26ed792ddbe4eed53244aa44fed87e4bc62f7e295

SHA512
946339317d6f45866025eb6a02da07b91242517697a7b63ab851221076facead31fce2946901c35de0ae0d16717700fd83b9aa0f86c5c5d4d9c3663a93c37801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c03b3e9bb05396a7719f9ebee36dd67

SHA1
1055fdc6ac07ce32ecb1c209e991e46fa50d02af

SHA256
edfd7b0ef559df8b0b36de54a436ea8c3e31ddd3f7d82afb393ed16656d8a32c

SHA512
f993ca1a0b7cf78043efbb2a6aa04da557b4a2a4e3e8550948315d8378d27a49086c6e019153118507d315bd1347cbbe3416a17cc204d367d69650732e056b07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
6cc1f667881a609eb69c613a18b4c0a9

SHA1
b8684c815bc3ceca692f47382dc783ed492c75a8

SHA256
47b70cf9e113b13cb1652fa26ed792ddbe4eed53244aa44fed87e4bc62f7e295

SHA512
946339317d6f45866025eb6a02da07b91242517697a7b63ab851221076facead31fce2946901c35de0ae0d16717700fd83b9aa0f86c5c5d4d9c3663a93c37801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c03b3e9bb05396a7719f9ebee36dd67

SHA1
1055fdc6ac07ce32ecb1c209e991e46fa50d02af

SHA256
edfd7b0ef559df8b0b36de54a436ea8c3e31ddd3f7d82afb393ed16656d8a32c

SHA512
f993ca1a0b7cf78043efbb2a6aa04da557b4a2a4e3e8550948315d8378d27a49086c6e019153118507d315bd1347cbbe3416a17cc204d367d69650732e056b07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
6cc1f667881a609eb69c613a18b4c0a9

SHA1
b8684c815bc3ceca692f47382dc783ed492c75a8

SHA256
47b70cf9e113b13cb1652fa26ed792ddbe4eed53244aa44fed87e4bc62f7e295

SHA512
946339317d6f45866025eb6a02da07b91242517697a7b63ab851221076facead31fce2946901c35de0ae0d16717700fd83b9aa0f86c5c5d4d9c3663a93c37801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c03b3e9bb05396a7719f9ebee36dd67

SHA1
1055fdc6ac07ce32ecb1c209e991e46fa50d02af

SHA256
edfd7b0ef559df8b0b36de54a436ea8c3e31ddd3f7d82afb393ed16656d8a32c

SHA512
f993ca1a0b7cf78043efbb2a6aa04da557b4a2a4e3e8550948315d8378d27a49086c6e019153118507d315bd1347cbbe3416a17cc204d367d69650732e056b07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
6cc1f667881a609eb69c613a18b4c0a9

SHA1
b8684c815bc3ceca692f47382dc783ed492c75a8

SHA256
47b70cf9e113b13cb1652fa26ed792ddbe4eed53244aa44fed87e4bc62f7e295

SHA512
946339317d6f45866025eb6a02da07b91242517697a7b63ab851221076facead31fce2946901c35de0ae0d16717700fd83b9aa0f86c5c5d4d9c3663a93c37801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c03b3e9bb05396a7719f9ebee36dd67

SHA1
1055fdc6ac07ce32ecb1c209e991e46fa50d02af

SHA256
edfd7b0ef559df8b0b36de54a436ea8c3e31ddd3f7d82afb393ed16656d8a32c

SHA512
f993ca1a0b7cf78043efbb2a6aa04da557b4a2a4e3e8550948315d8378d27a49086c6e019153118507d315bd1347cbbe3416a17cc204d367d69650732e056b07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
6cc1f667881a609eb69c613a18b4c0a9

SHA1
b8684c815bc3ceca692f47382dc783ed492c75a8

SHA256
47b70cf9e113b13cb1652fa26ed792ddbe4eed53244aa44fed87e4bc62f7e295

SHA512
946339317d6f45866025eb6a02da07b91242517697a7b63ab851221076facead31fce2946901c35de0ae0d16717700fd83b9aa0f86c5c5d4d9c3663a93c37801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c03b3e9bb05396a7719f9ebee36dd67

SHA1
1055fdc6ac07ce32ecb1c209e991e46fa50d02af

SHA256
edfd7b0ef559df8b0b36de54a436ea8c3e31ddd3f7d82afb393ed16656d8a32c

SHA512
f993ca1a0b7cf78043efbb2a6aa04da557b4a2a4e3e8550948315d8378d27a49086c6e019153118507d315bd1347cbbe3416a17cc204d367d69650732e056b07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
6cc1f667881a609eb69c613a18b4c0a9

SHA1
b8684c815bc3ceca692f47382dc783ed492c75a8

SHA256
47b70cf9e113b13cb1652fa26ed792ddbe4eed53244aa44fed87e4bc62f7e295

SHA512
946339317d6f45866025eb6a02da07b91242517697a7b63ab851221076facead31fce2946901c35de0ae0d16717700fd83b9aa0f86c5c5d4d9c3663a93c37801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
6cc1f667881a609eb69c613a18b4c0a9

SHA1
b8684c815bc3ceca692f47382dc783ed492c75a8

SHA256
47b70cf9e113b13cb1652fa26ed792ddbe4eed53244aa44fed87e4bc62f7e295

SHA512
946339317d6f45866025eb6a02da07b91242517697a7b63ab851221076facead31fce2946901c35de0ae0d16717700fd83b9aa0f86c5c5d4d9c3663a93c37801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c03b3e9bb05396a7719f9ebee36dd67

SHA1
1055fdc6ac07ce32ecb1c209e991e46fa50d02af

SHA256
edfd7b0ef559df8b0b36de54a436ea8c3e31ddd3f7d82afb393ed16656d8a32c

SHA512
f993ca1a0b7cf78043efbb2a6aa04da557b4a2a4e3e8550948315d8378d27a49086c6e019153118507d315bd1347cbbe3416a17cc204d367d69650732e056b07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c03b3e9bb05396a7719f9ebee36dd67

SHA1
1055fdc6ac07ce32ecb1c209e991e46fa50d02af

SHA256
edfd7b0ef559df8b0b36de54a436ea8c3e31ddd3f7d82afb393ed16656d8a32c

SHA512
f993ca1a0b7cf78043efbb2a6aa04da557b4a2a4e3e8550948315d8378d27a49086c6e019153118507d315bd1347cbbe3416a17cc204d367d69650732e056b07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
6cc1f667881a609eb69c613a18b4c0a9

SHA1
b8684c815bc3ceca692f47382dc783ed492c75a8

SHA256
47b70cf9e113b13cb1652fa26ed792ddbe4eed53244aa44fed87e4bc62f7e295

SHA512
946339317d6f45866025eb6a02da07b91242517697a7b63ab851221076facead31fce2946901c35de0ae0d16717700fd83b9aa0f86c5c5d4d9c3663a93c37801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c03b3e9bb05396a7719f9ebee36dd67

SHA1
1055fdc6ac07ce32ecb1c209e991e46fa50d02af

SHA256
edfd7b0ef559df8b0b36de54a436ea8c3e31ddd3f7d82afb393ed16656d8a32c

SHA512
f993ca1a0b7cf78043efbb2a6aa04da557b4a2a4e3e8550948315d8378d27a49086c6e019153118507d315bd1347cbbe3416a17cc204d367d69650732e056b07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
6cc1f667881a609eb69c613a18b4c0a9

SHA1
b8684c815bc3ceca692f47382dc783ed492c75a8

SHA256
47b70cf9e113b13cb1652fa26ed792ddbe4eed53244aa44fed87e4bc62f7e295

SHA512
946339317d6f45866025eb6a02da07b91242517697a7b63ab851221076facead31fce2946901c35de0ae0d16717700fd83b9aa0f86c5c5d4d9c3663a93c37801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c03b3e9bb05396a7719f9ebee36dd67

SHA1
1055fdc6ac07ce32ecb1c209e991e46fa50d02af

SHA256
edfd7b0ef559df8b0b36de54a436ea8c3e31ddd3f7d82afb393ed16656d8a32c

SHA512
f993ca1a0b7cf78043efbb2a6aa04da557b4a2a4e3e8550948315d8378d27a49086c6e019153118507d315bd1347cbbe3416a17cc204d367d69650732e056b07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c03b3e9bb05396a7719f9ebee36dd67

SHA1
1055fdc6ac07ce32ecb1c209e991e46fa50d02af

SHA256
edfd7b0ef559df8b0b36de54a436ea8c3e31ddd3f7d82afb393ed16656d8a32c

SHA512
f993ca1a0b7cf78043efbb2a6aa04da557b4a2a4e3e8550948315d8378d27a49086c6e019153118507d315bd1347cbbe3416a17cc204d367d69650732e056b07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
6cc1f667881a609eb69c613a18b4c0a9

SHA1
b8684c815bc3ceca692f47382dc783ed492c75a8

SHA256
47b70cf9e113b13cb1652fa26ed792ddbe4eed53244aa44fed87e4bc62f7e295

SHA512
946339317d6f45866025eb6a02da07b91242517697a7b63ab851221076facead31fce2946901c35de0ae0d16717700fd83b9aa0f86c5c5d4d9c3663a93c37801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c03b3e9bb05396a7719f9ebee36dd67

SHA1
1055fdc6ac07ce32ecb1c209e991e46fa50d02af

SHA256
edfd7b0ef559df8b0b36de54a436ea8c3e31ddd3f7d82afb393ed16656d8a32c

SHA512
f993ca1a0b7cf78043efbb2a6aa04da557b4a2a4e3e8550948315d8378d27a49086c6e019153118507d315bd1347cbbe3416a17cc204d367d69650732e056b07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
6cc1f667881a609eb69c613a18b4c0a9

SHA1
b8684c815bc3ceca692f47382dc783ed492c75a8

SHA256
47b70cf9e113b13cb1652fa26ed792ddbe4eed53244aa44fed87e4bc62f7e295

SHA512
946339317d6f45866025eb6a02da07b91242517697a7b63ab851221076facead31fce2946901c35de0ae0d16717700fd83b9aa0f86c5c5d4d9c3663a93c37801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c03b3e9bb05396a7719f9ebee36dd67

SHA1
1055fdc6ac07ce32ecb1c209e991e46fa50d02af

SHA256
edfd7b0ef559df8b0b36de54a436ea8c3e31ddd3f7d82afb393ed16656d8a32c

SHA512
f993ca1a0b7cf78043efbb2a6aa04da557b4a2a4e3e8550948315d8378d27a49086c6e019153118507d315bd1347cbbe3416a17cc204d367d69650732e056b07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
6cc1f667881a609eb69c613a18b4c0a9

SHA1
b8684c815bc3ceca692f47382dc783ed492c75a8

SHA256
47b70cf9e113b13cb1652fa26ed792ddbe4eed53244aa44fed87e4bc62f7e295

SHA512
946339317d6f45866025eb6a02da07b91242517697a7b63ab851221076facead31fce2946901c35de0ae0d16717700fd83b9aa0f86c5c5d4d9c3663a93c37801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c03b3e9bb05396a7719f9ebee36dd67

SHA1
1055fdc6ac07ce32ecb1c209e991e46fa50d02af

SHA256
edfd7b0ef559df8b0b36de54a436ea8c3e31ddd3f7d82afb393ed16656d8a32c

SHA512
f993ca1a0b7cf78043efbb2a6aa04da557b4a2a4e3e8550948315d8378d27a49086c6e019153118507d315bd1347cbbe3416a17cc204d367d69650732e056b07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
6cc1f667881a609eb69c613a18b4c0a9

SHA1
b8684c815bc3ceca692f47382dc783ed492c75a8

SHA256
47b70cf9e113b13cb1652fa26ed792ddbe4eed53244aa44fed87e4bc62f7e295

SHA512
946339317d6f45866025eb6a02da07b91242517697a7b63ab851221076facead31fce2946901c35de0ae0d16717700fd83b9aa0f86c5c5d4d9c3663a93c37801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c03b3e9bb05396a7719f9ebee36dd67

SHA1
1055fdc6ac07ce32ecb1c209e991e46fa50d02af

SHA256
edfd7b0ef559df8b0b36de54a436ea8c3e31ddd3f7d82afb393ed16656d8a32c

SHA512
f993ca1a0b7cf78043efbb2a6aa04da557b4a2a4e3e8550948315d8378d27a49086c6e019153118507d315bd1347cbbe3416a17cc204d367d69650732e056b07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c03b3e9bb05396a7719f9ebee36dd67

SHA1
1055fdc6ac07ce32ecb1c209e991e46fa50d02af

SHA256
edfd7b0ef559df8b0b36de54a436ea8c3e31ddd3f7d82afb393ed16656d8a32c

SHA512
f993ca1a0b7cf78043efbb2a6aa04da557b4a2a4e3e8550948315d8378d27a49086c6e019153118507d315bd1347cbbe3416a17cc204d367d69650732e056b07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
6cc1f667881a609eb69c613a18b4c0a9

SHA1
b8684c815bc3ceca692f47382dc783ed492c75a8

SHA256
47b70cf9e113b13cb1652fa26ed792ddbe4eed53244aa44fed87e4bc62f7e295

SHA512
946339317d6f45866025eb6a02da07b91242517697a7b63ab851221076facead31fce2946901c35de0ae0d16717700fd83b9aa0f86c5c5d4d9c3663a93c37801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c03b3e9bb05396a7719f9ebee36dd67

SHA1
1055fdc6ac07ce32ecb1c209e991e46fa50d02af

SHA256
edfd7b0ef559df8b0b36de54a436ea8c3e31ddd3f7d82afb393ed16656d8a32c

SHA512
f993ca1a0b7cf78043efbb2a6aa04da557b4a2a4e3e8550948315d8378d27a49086c6e019153118507d315bd1347cbbe3416a17cc204d367d69650732e056b07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
6cc1f667881a609eb69c613a18b4c0a9

SHA1
b8684c815bc3ceca692f47382dc783ed492c75a8

SHA256
47b70cf9e113b13cb1652fa26ed792ddbe4eed53244aa44fed87e4bc62f7e295

SHA512
946339317d6f45866025eb6a02da07b91242517697a7b63ab851221076facead31fce2946901c35de0ae0d16717700fd83b9aa0f86c5c5d4d9c3663a93c37801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c03b3e9bb05396a7719f9ebee36dd67

SHA1
1055fdc6ac07ce32ecb1c209e991e46fa50d02af

SHA256
edfd7b0ef559df8b0b36de54a436ea8c3e31ddd3f7d82afb393ed16656d8a32c

SHA512
f993ca1a0b7cf78043efbb2a6aa04da557b4a2a4e3e8550948315d8378d27a49086c6e019153118507d315bd1347cbbe3416a17cc204d367d69650732e056b07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
6cc1f667881a609eb69c613a18b4c0a9

SHA1
b8684c815bc3ceca692f47382dc783ed492c75a8

SHA256
47b70cf9e113b13cb1652fa26ed792ddbe4eed53244aa44fed87e4bc62f7e295

SHA512
946339317d6f45866025eb6a02da07b91242517697a7b63ab851221076facead31fce2946901c35de0ae0d16717700fd83b9aa0f86c5c5d4d9c3663a93c37801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2c03b3e9bb05396a7719f9ebee36dd67

SHA1
1055fdc6ac07ce32ecb1c209e991e46fa50d02af

SHA256
edfd7b0ef559df8b0b36de54a436ea8c3e31ddd3f7d82afb393ed16656d8a32c

SHA512
f993ca1a0b7cf78043efbb2a6aa04da557b4a2a4e3e8550948315d8378d27a49086c6e019153118507d315bd1347cbbe3416a17cc204d367d69650732e056b07

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
20.8MB

MD5
ba4ec0962806185e6ebfe447a07980a9

SHA1
92c042febc977274ec06ea7a7644921f5b67869f

SHA256
ab2dee89d7f1e2d155b9952af73b5d7e03c4b24c5743e45d5b182f3f1e7ac414

SHA512
9a7c520beaa971bc325a01d66e2a48e7a8021efd48a5080eed1c0b6fccf9ecaf47cd1bd0cb82cadc6d8bc3a9974a93879945ff2cda2fa0d7cf83ecb3bc757557

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
20.8MB

MD5
ba4ec0962806185e6ebfe447a07980a9

SHA1
92c042febc977274ec06ea7a7644921f5b67869f

SHA256
ab2dee89d7f1e2d155b9952af73b5d7e03c4b24c5743e45d5b182f3f1e7ac414

SHA512
9a7c520beaa971bc325a01d66e2a48e7a8021efd48a5080eed1c0b6fccf9ecaf47cd1bd0cb82cadc6d8bc3a9974a93879945ff2cda2fa0d7cf83ecb3bc757557

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
20.8MB

MD5
ba4ec0962806185e6ebfe447a07980a9

SHA1
92c042febc977274ec06ea7a7644921f5b67869f

SHA256
ab2dee89d7f1e2d155b9952af73b5d7e03c4b24c5743e45d5b182f3f1e7ac414

SHA512
9a7c520beaa971bc325a01d66e2a48e7a8021efd48a5080eed1c0b6fccf9ecaf47cd1bd0cb82cadc6d8bc3a9974a93879945ff2cda2fa0d7cf83ecb3bc757557

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
20.8MB

MD5
4a5124a0eda820d13842f5f2cb1a1f68

SHA1
73ca97e8f09591871e7b9eba1d22d783883438b4

SHA256
c8470268021f5abcbaefafdc5af78f00d9fe3ec60244c76dcd19d9553c9a467b

SHA512
8d02d8e8987c18b79dc6682dc2026a1494554dd6d593096c46ee56dbff27a137b2b11d38973910d23140d4edadda392aeff89200ab2611b6a13e74f476c234cd

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
20.8MB

MD5
ba4ec0962806185e6ebfe447a07980a9

SHA1
92c042febc977274ec06ea7a7644921f5b67869f

SHA256
ab2dee89d7f1e2d155b9952af73b5d7e03c4b24c5743e45d5b182f3f1e7ac414

SHA512
9a7c520beaa971bc325a01d66e2a48e7a8021efd48a5080eed1c0b6fccf9ecaf47cd1bd0cb82cadc6d8bc3a9974a93879945ff2cda2fa0d7cf83ecb3bc757557

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
20.8MB

MD5
ba4ec0962806185e6ebfe447a07980a9

SHA1
92c042febc977274ec06ea7a7644921f5b67869f

SHA256
ab2dee89d7f1e2d155b9952af73b5d7e03c4b24c5743e45d5b182f3f1e7ac414

SHA512
9a7c520beaa971bc325a01d66e2a48e7a8021efd48a5080eed1c0b6fccf9ecaf47cd1bd0cb82cadc6d8bc3a9974a93879945ff2cda2fa0d7cf83ecb3bc757557

Download Submit
memory/1244-77-0x0000000000280000-0x00000000002FB000-memory.dmp

Filesize
492KB

Download
memory/1244-76-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1244-65-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1244-9-0x0000000000280000-0x00000000002FB000-memory.dmp

Filesize
492KB

Download
memory/1244-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1244-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1316-86-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1316-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1316-11-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download