e78b79db5da6e943f667fc6fb01b917676d1688f4084feb2880b9331ae9a6d35

Analysis

max time kernel
146s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
21/03/2025, 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
Size

29.8MB
MD5

3baa33b585db6fa01362e10102ff6e80
SHA1

8a10705e0ffe8080b8f34bd13b133ecec2a0fd59
SHA256

e78b79db5da6e943f667fc6fb01b917676d1688f4084feb2880b9331ae9a6d35
SHA512

9b3df0489a7317c8d225dc2ef949dc62aaae0ba6b251f4df8719a174cd4ab92b561c63a169efc260a080c81764cbdb090df01aff83d621e52f802d88e719a71f
SSDEEP

98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMx:9nwngnwnBRRRVRm

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
3048	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\A:	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\J:	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\P:	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\R:	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\T:	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\K:	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\O:	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\W:	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\Y:	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\I:	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\L:	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\S:	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\U:	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\X:	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\Z:	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\E:	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\B:	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\H:	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\Q:	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\M:	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\V:	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\G:	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\N:	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File opened for modification	C:\AUTORUN.INF	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	HelpMe.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HelpMe.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3048	HelpMe.exe
3048	HelpMe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 3048	1748	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe	91
PID 1748 wrote to memory of 3048	1748	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe	91
PID 1748 wrote to memory of 3048	1748	2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe	91

C:\Users\Admin\AppData\Local\Temp\2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-21_3baa33b585db6fa01362e10102ff6e80_darkgate_luca-stealer_ryuk.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3446877943-4095308722-756223633-1000\desktop.ini.exe

Filesize
26.8MB

MD5
27121e57a0150da2ee67a74e864129fc

SHA1
26982e4673b63a1cc04fb4d0272e4d0ad86ede0e

SHA256
7900fff9307bba80410b009150e8c7f0090bf0d4ad56c722aaae8a4b87d0744b

SHA512
0a3002667b8637fdc3facecb42796ab1ec844b7ba6d422c39a83df11b9c0f27db7a76a590cc7e4eb2c5b9ea2bdcb63f5a1d3a5b10f16f2270fa4b7e1ad449df8

Download Submit
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

Filesize
29.9MB

MD5
065bd43de794d76dcc016bf12252854c

SHA1
3cf937a676a1d78470a58ba90db24187d9f375f3

SHA256
36077a7d8e250c5310e0ec0de315900e9aa5cc8f2f0f300915614c12378be97e

SHA512
2138d9f6d0f1f55a5df1cb97233530e9dae2f0971c2f29054c48a95b65e630cb580ae0eebc92c22a2e2d25049988e3abf93f4bc91cd50f787a8c3b3bd5f06194

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e24bf3e706f1924f916290c8bbd20cc1

SHA1
2e5909dea006585da676cc3d92dd8c4ab778e99d

SHA256
8b464bc3cbe9d459c0504a2731df9f278f2bb0d3be6155297fa6247e7d7f12a6

SHA512
d4cdcc0a625d84af88577f44b9b8501e65749c823a52fc21a8cb00dcbddb509e2439f1c5bb6a5ed4f5f10692343874b6a5a79bf144d085b46543199b50d8d27d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
a4a643b68eaefe8572af346431ee6536

SHA1
6247f1c4b574e4a317584bf646298cceddd775e4

SHA256
17ac9f35211e2cc694c5b934bd16ad0eeca561550eb0066b7ccbcbae8d0e4cdf

SHA512
a7a21f0d04ed5e575af910a777bc73233ce42e2b2729cb8f890263ececedeff6afea3b26ab414c6f33a674cffd7f91b9e41f200b92ad060b9d6b5400b109cf88

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
cd38d0e15f85d774e82266bf3b73ba34

SHA1
58b698d6b45cedd73a542ebd129975fb8ed9b07e

SHA256
36709d2a503b13e0682174c60fdf9cf6c2f1ad25806417cc9f5b8e5745b9b0ee

SHA512
f933517476158d7c9479aa64b4a543f1ed6b0e5c2d7bdca4ca9afbc63e18dab3f3b276ef1b56d09ca4e7c8c3c88613bebb45a02c0fc846ef74ed533eca8c5a32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
517d85524cf28a12c37694ca7336da68

SHA1
f518177099246c1ce69793abc376ae1c7c8dc714

SHA256
9049f13d93848c922d9c499c8890c175f91f04202e04f747f42e1f8d0ae8deee

SHA512
1d24941af9170e191a3ff25a5b7507356a3d53d8ab72c5dc748748507125e18c3fb4d6186a448463638d1f44c551c81aa889b1eab263036b51c93ad482e0358c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4693865a9b6df39fb377d559aa3972f9

SHA1
7c250a12e274675ddfdb0a81ade47f3aada4480f

SHA256
8d975e7285edc707ddc3d8a62b923f20ca9e0d8f1b80164143764d00981e6833

SHA512
76a30d8a14679d46599245aad9626946fde6cb523df63cd312fb54db3a84b33f7b22171a0d39c36a1c66ecfaeac5db5b777bfa9c65efc71f22a1a4fe3cf73f00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b67af0d58060ab17b3f461bd04c0aa85

SHA1
17e33246420c9ef096e33114c36fa37f61954abb

SHA256
095f8c36d3d460efb970a2a9e3bc550f9ac09c459a1ddf1be9e9795a046b54a3

SHA512
881fff45603f43ebd75bf945b01351d778a62f5441bf662adc3070de2aa9eaca42bef3965ec977e7d4c66e6898e90d64d93b97a2ebdcf091de15781a8454a9a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
69eb3d1f4f1c80059900adeed58bd3e0

SHA1
4d526fd207a329f7bbf5fcf4db0848e6311e0427

SHA256
4acc5e93f8923840be0334d2a92d70568652d48c6bbf5ebbe6a0c621fc407bb3

SHA512
b07636c6fa9d44cedc538fbe1efc2aa0570a193bb34d17992d45760ab8cfbb1cc28c5ed56838fe27d364773d24bfe64789d91b50af037820ffa048e409cfc442

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9df72763378780e6b98ab48f533b695e

SHA1
66a4bd8f893c755d359ba5d2fec82ca438e70527

SHA256
985a87189125148f7c8fbb5014d21fc8ce9869a46732bc0df2c390810c6d0db1

SHA512
9dbc384c246cf8b99ce2c1274979dba5dbfc0a0b5ee6bd0456dc1665b51f1a228f6e073cd4b70968ffececd7e62778080c11ea17077bd9c678a3d8fc26e59fc3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
ee65ee56ad950ffdc3dcd63b342334fa

SHA1
6ec307df4d8bda8165308f9dd0e77a38098a8903

SHA256
6b1600ca4374a86108188853aceb894f926308efc999473d4d65d874be80c4dc

SHA512
4f95527baa6461c89de30df6e2cdfdfb07ea3d6bac393ad4efb81aae137aac8c86115841cbff277535d9aae40d6088cf3e458262ba4b7517408cb73266095f50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8d8af8fa708249f657af3ef0d93a3dde

SHA1
0cf942ee9d1066ece9a58921dca5f687156815ca

SHA256
c2adaa128be7ff5948bc6a5697014f903e035dfb55602353ec21519eb48c6311

SHA512
b847e30c035b56bde92738a271126dfe4f51f74a6584ea9a5bbc246315b3076133f1af43e93b2d45a6e11fa16b5021528cd6e51e2feb3151b3286801641825e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
02c688b9caccae2c0b615c879d04e7e9

SHA1
0954e66cf33685697d2693ce690e6bcf2a1e7f37

SHA256
236d63a39b6e0ebc7007239bcbec9f64c3d82f771700f92950301617347aa08d

SHA512
11f767505a5e0c0569435935eed471157b3349b8d0bd4854ba8756374c9787c25b3fd6ddb2008c3b4757ccb4da581a64c4c376a104e32e0b17b5c214f381d998

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
a3dbf5cbf4c9eb388a417214fa5e73f1

SHA1
9f542e93516a81a0741eb9b84b0222e25d75936e

SHA256
1b4239c8fafb2925788e6d7f89c0be91569beb26b139aac62d85f8c6f5e7503b

SHA512
793f09f6eb76fd25ff14700c14ff2fd6420b32a3ce08f4ae5e12fc33b70c2b5a4df2498ed78e2c3aa05d5057260b0c9a9d23ef4bd2f45e1a1fb10f0cd4100574

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5abb25a4ab9903c99f77447ae5fad9e2

SHA1
5dd5e22da3cd2752c60f1dbab5e4e2ef2f874b3a

SHA256
aa5292e69db78ac375e2e74887231c00c56cba6f22a3523245091195d00c6ff4

SHA512
a82d97b02a4330e7710f364580d59b2d2a512ae25003122b415fc1e66216018d416701c18b16db7aa34a440b2ce36e2f4686e41f49118f2c6cca8eb432dd5d62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
9449b564f659efa5a948e29c53d74896

SHA1
d076ce9585553ff95e8f4d0a493c4b519e9876b4

SHA256
c7cb379c175196ff1ab4eb5b946f2e09ef8b6208d1088c8a75141ffad89fbf86

SHA512
bf3cd8b96f97fe97052f3155074e07cae3b9417d1ce2f78ce5bd1eac8df62a9b67d249a3dd8bc0ae8f89ac9ae0344c205f3bc8b2f1aeb12f625a87641ba1782c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0acacaea2e433abf009948c2642f6300

SHA1
be038df6326f7726947dce72fc4ff68de8165706

SHA256
3799c926f78eb44522ad423450ca1a5593aec1949352d7914cfeab6768d86f37

SHA512
b137d0a715980ad0399df324f361e3d1430e4df165671bff377700b9ca37f98c79dd07e60bb2241c28ba17f0ee3a276f1e2b0eb30e1675afd81124c7069165a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
8cc1327b558cf32b8ea679a42666fde6

SHA1
168836767be1888a5d9c5a81577f58e7a0bf8bdb

SHA256
cfd68fd5a2bd9f9bbbb36716fbd25266d1947c429cb0754b981539d2c8df80dd

SHA512
1747ee759e15fb824381d602a8787bf4e8dd664653930631af28e01d63964f8318dc694dd5121ba380c559194756a7abf2dfd9c54884ce6ac942aa99b8a0f153

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f2b621f110f810a076ca18f40c90b8c3

SHA1
d1c1da0427def68e3949820986cb86675f1e2a74

SHA256
3a89daee8496d86c60cab65547e200a3c17c25286f563ed67e8083905786324d

SHA512
91927812163316724a3150634dad277f1d97ca555b8a609afc6335009a6b31369db1bd4b0fad0c7a22f0b61a80b26ad1f7b7178560da7bcdf352ab93752d7b78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
8e7c7cd48cd5ce1838c9fe25b857c8bb

SHA1
cbafdc82e8ac8f776aa26ea5efa0f19a79c7e3ca

SHA256
cde11cb05da3f24817358d0e148e5c198ee439a32f0fec61525762792b020687

SHA512
9b34b3345779ace149cb03a3bb2b3dd8a065bce8b082c2711a5c6032f0a49a7fd429d74157d7bea6f8316a847412b74ecf904fc5f0388f2ba12f1fceb2b06c00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
723ef97db1f5d5652d12f5f98427a2ae

SHA1
a761d006fde4ef432b24be72cdefaa7eb01d827d

SHA256
889392c5ebae9ba1644d4c0fd528acb5aa9277655f61478834e68718dd9d8e53

SHA512
f28a0b10afe12b5e661d2b2fe1ea66a69ddb266545b2d0e2fe5983d4f2c1a46c6e941e22ebe2fcd991404d379f002671a4844e8461f9fdf1548957aa10fb1135

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
3b3e1d22c366283815759c2d7439d6be

SHA1
b6c6e1a32a344c3daaa7fcfdc834968e129d12fd

SHA256
748873c22e561721fb120dc8db3adf4aba8af9c45a8fd9c9c5f1c968ea4b1491

SHA512
e615beb1e888e8933f239452ca851cfae86783d8e876a329b25c51fa886e53a68a6da632ab511a21487b034a1f94d5d5f72a7a31a672c5bb84fbeba20ab1dbba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1b8fd1aaaca103cfc4617b61c30f3677

SHA1
e5f6bdd306051d9b1b6f1c6592a895d225bfd40c

SHA256
4d1cb31bc1dbd3b0d1cb4a1043e278dacd38f48d23b05df8309f3bacacffaa11

SHA512
280df7db0a6495294f6890248013c024f48a6a95aeb485cb0855ce99ea1c3f590d5edf0211ed98b415c7670060912fa05a4752ab840c1b25137bde87719ea425

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
4b4a2448a289d241fab5219d69057780

SHA1
f38a4b79605dbeb7f831e7e47fbfcea4600606c4

SHA256
5a3c184285a0feab189d2b03be46647891099eea20c8c9efdd0cac862305c02c

SHA512
034f940d617d3e9d6541692bcbc89cf4ae4c3ffa4707e3396a257f20974b7594f2104de319e3016fd6debdb35d27ad942c774611d3cef24bbcfda604cf6a5532

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7f6ae0758d259b7824d589f61a59ae79

SHA1
c7f47bb03b0b1ebe0bc8e0f4919ada13144f895d

SHA256
3e2ca57fb6def599ba231cafd5c3cfd85259d75ff0bd956f5244e945d6613d42

SHA512
7099f0d7606bc0f399430e8da5841ff653d18a71cbf89269b0f838334bec0d40cad46cda3a8ce7c187d4a1fb01e0d44b3522c4cb8141def2dc021b0a96e61602

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
3b3f9b9cbd6b8ba2c359cc80c67650c0

SHA1
51d44ccc8e69c79d468b3452a7f4c512efdf3518

SHA256
31ded11ced16d9f4660a2f34054e5ff2a139ac309d3daf0e931631b8bd8199ab

SHA512
78794e7d2bfd90732f5e3ccbdc9f1a1b5a5b8857fd639a0eb68e6dafc11df91211e05100666c9f19fc434b975e429a92ff4f4af4e9aed9ca9d8b006db9d22133

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5445591adbe7f3e54eb15d6ecad03ca8

SHA1
0ff05a9974d900a8168ed88832a64b08496936fa

SHA256
80030ca5eb9104c17e2f711274cdb67f48c90879af456491937b288931ffabea

SHA512
43b976ea355c722b93e0eff37c75e277a9aa1e88a955e0ae512ef4932de1dd3c18be512105b222aadb2f8eab7c179537c688ba737766162366aec8aed1cae2a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
63c6d80674055c82462db0ed6bdc6fb6

SHA1
6b41a24eac8c466c0bfa494148570b318b30fba0

SHA256
6774152e5275cc5f2180c47a9ad34656c8eed08f055cef5deec65d681506086b

SHA512
dc0476e6197150f47768a3fa6e6b0b6022a2864461723e1b52d63450ec729d78a57ae45d8d2bcf9dd0f082acc213986fed0c550a2c767c97f7d9b21499be88d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5b2ca78bc9cb82335e4f1774e5e8680f

SHA1
090cfa102f53dff597fdbdfda3924c0a8d575900

SHA256
879d5689b0f2a63a4d893e6317820229afa1e581c397709cda43da0d1a2cb878

SHA512
cd843878c202659ef42a879e2381127aa089b284e8a56cb332be1c4d35bce69a14ee66779372052118ba51b72150b6eb4eafebe2381a9d07b8a0333401230dfe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
3cc656f2b4d54fdab7eb875e9289224b

SHA1
a29a207635eb5b813c3fcb0630510f8f3fba19b0

SHA256
c6ba734e401da19afa97c1ea552fb293cb97c52883013432e674effaca8235ed

SHA512
8ab399021ad454170f4094a9ed82ec17548bae4d929411c776d558e159b69870eea0ba560a918aa9e8103ddbdf26b31e25d37952d163bd9797c93056aa9f97e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
1fff2e261935798ac056eec81295df21

SHA1
0d866ddc9bd4d6ebd5246a71aeec13621a091d91

SHA256
31fe7a6f07a37169ccc06c52f99ce96e7800754c523066476f74526a04946de2

SHA512
56c3127e6f009a829ef7163a5c4f5f3ebc8ff01db79e27c6675a7bd37dae410a7a2482d7968db156de67c3457d7a9cb0c5d8e5c2fbe8aed9f2d80c126c246492

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
34a0458613c48341b074af66136e8753

SHA1
6f929d8dd8f74b24b30371764b0baf259607ff53

SHA256
ef83d8ef46f692244633d0a5aca790976659ea66411d3eda8a62f9ca24128275

SHA512
93910e960b2a2c9b91a7141ed3c64c35319e6313b9e3db5b986b4afb66ececa1ddc90889dfad8ed51e4430a03fb013733d8f18d75d17a7d1d2b92edf3e43c415

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
5593d5586238e9f8aab198d99dce76d1

SHA1
9d16fed6e085c0242680de8591d0ae07d69cd688

SHA256
e94a5692074a5a23f406d41b0439ea38d4bccd60e3efb3eeb6aabb9c68150a68

SHA512
e637673fd7ac5c1346da948478cf74ea405c46c42fc7434c73f62e678c7ff4867c69ee951782f16ec288c2571e9c3b2bb3d725374afa2452370afc8cd2085c0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0789b42a2f29513094e5ee69eb4cb697

SHA1
a5d9fcfa60c11a588a09a1e19567109720d1c76b

SHA256
168b46ca520d4ca28a0969f41ede928433a3e5b5c6a09328f3638e26c41dd426

SHA512
ac5aa9d2a3ba4c6ecdd81cd3601251fabf7c9747d6ba58c726abf165e016b7ca939dd7acb6cbd330f827e046c01541294a46c72dccfb9a8899ce57f05e4bab61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
84e5c89e7461e386b94ba651a2d5b818

SHA1
5700923592c8280bbf4302069b1d2f09f2f86265

SHA256
22cf03512dd4989f2dde4535b3768063b8cc2fa78074b18b06c73bd2021c98f0

SHA512
b481a21a09d58afdb29762ee04d10fa41b361a59046f8ac28da7c3aee6c62227419f823b53f2a40adbdcf5ae8f340040b4c42e8eea0a34b30a944b71e83826fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d3131ce05615b888fe30690afa5da48a

SHA1
5ba4f0a04e1357adf961b3dfad90825d6e7e023c

SHA256
7462b25f612a8e0ce4b46fb8bac8741c9efa4c6759a021bc94dfc7608747312d

SHA512
c4dd0d7a0fcfaf7c3f115b7c08a62a57363d8b1043949f6af5810dcd4ddbae19e32f5374316d0f0d136af4945ce75b7b099cb7022b3034993f4c296c2ecf4ce4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
301f54bf1c233dd5518c75f1175a2d7d

SHA1
64b5f4a7e46a608e9468e63f8e20aa517df045a6

SHA256
cdb664ce468a75d370b4fa601c3e6ffe881f8dc17142a7bd69428e8171b2f26d

SHA512
e7185439056fa0daba780f73f2fb823a8dabefe1e68a7c9b0b675271812486db2cab3f02131d1331a5feaecdd1f6798e751f26e5c7868879df6511dd13006285

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9c424e4f7254b7ed1f8334b45dfe24bf

SHA1
9a5c3967a2cc4f0a840cb740b6b91960234ac46e

SHA256
faad6dd82cf859b5a17a1a1cb00bad2a8da0ecdc56c0e5fec06cf0f8d28cc1d8

SHA512
104f0af6a7a0cd34e361568ae7204797d4a651db4b14f148ba8ed2e0e555d393d6a47e308467dfc0d32fa9c82bfaf070ebbac3558ed175f750a8520c52d952ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
db4c4b2d096eec96aec32036372670af

SHA1
464ae24d817db8aa27caf16d659a64a3692d457d

SHA256
0cd66e828fc30d08aad0c8771d2cde9a4c799e2a03bdd0370d0f1a3c89017634

SHA512
b37b1d880a67900fa52ce4a21ded2b3e98d114620bd536f9ecc33974d4e0d2551a4ed89bfa726f78e95d4d8008ae9bfddb8b0d494726172a04127e928955917b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ce547a51c11d7e5931688b2e0d1e299a

SHA1
16da56bea17468900424651cd65cf4c0167cc23e

SHA256
e3792fe91e1b57267b242b223a8d7c20e01d3656f388cf1715842572014f68d1

SHA512
4bf0d056d91340cc81d1512ac5ca5da913650ad2a206ed7835ba551a5f7cfa173c9fb7e7435be0890bf9d849d6b8ef6c82f2158a252484b870ae1e3bb009a254

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
05611029b11335ffeeaf87a07cbe2297

SHA1
a0137ca0c608fd2feb4bc481ed1e16bd8c6700a7

SHA256
34d525fd6ca15490fc868f6c2eea56e1fa293e77d62e024fbccdac37d4eafb9f

SHA512
f1f41b4965ea8b0c424f962e883cca7710fae44a121a2f50aba006b8f8a4f2c3964e2e4143947e3a53eac92ae83a35918094652f6ac19a673c97201bfa45aa7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
bd32acf35a070d5b932590830c863716

SHA1
df8b14983abf148b0c991da94bb48c59dce40032

SHA256
efe0ef1382d2e46016300a220426623dd8e394da1a833ad0d7124fa6fa78ee83

SHA512
0145ff0fb3dde9ca0b5e4f11e34273a2d73a98756944f00f09249101c4f9da22a9b24f6cae92ede9d41658e8d995efa914dece96cb8258abcb16a7118cc32cf3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
808c91b5944ce8b67feea9afcf7a8353

SHA1
4a00390bd3a33f51349478e3340b409a959b71e5

SHA256
1daf5c245f2031e4c282de0586e715e6e5c147bc05e1b285c5099c1f46cc659b

SHA512
cfacd691f4dab6d18c3ab7c9383e05757751d21138e568a8e20ac7b7c07662a6b260b5ae24d4579560852aac34d4eaa89ff209bda6934652e2a8a87ee3a76963

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
edac10b0951d86c80afc61ad6145f190

SHA1
9a0f3f5e62e71ca9ddda43f8fdb912e9af844e1d

SHA256
063f68b31db308ecab4437b303855077f958ab5c55ca25299416c6bc84f960e8

SHA512
102d938297a28664f6efec5ad977eb3eec4dd71f151860fef361578a135cecbaac5225cc64b0d4adb17ffe1ab1b460e135012c8fa444336e4906911084f88ca6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
20b34c25f1625e0505e8b70ab0c4529d

SHA1
139b390cabf79d3cac0c1462eb30c184942864b8

SHA256
1d18a8769cb8c86882802b001f646d56c213c7c79891aac0e1d201ff1a63c1db

SHA512
a910d2d3211381d8d7e400fee711ac841d84c84604d0b933cb2b38195e3bd8b980acf6230c664a13a486cc024d0f71f04456e5627d4f8603a3fef3f5841d4388

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4fa56667b63541cfe7ac7360b04aa8f2

SHA1
3a31bff1c746e84b6a1b1ad341601e51d5749654

SHA256
a2479c4d7a639e608dffc5b8d83ccaf5f4c97bda5b5f4a79b40ed9a0e91ca13d

SHA512
bcfce439f720d22e4b465031f77aca88acc147f3075753ef013430aa6081ac5c364b41856a5a8cae19b35f1f264c402abf74b2d8edf860fc03a56c8e4088d787

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
019e1718ba91cde0545567ac654121ef

SHA1
182902a675acaab442a2fc724d8a404102843a39

SHA256
b976e96e13893c0bb267f419bba50133c173b1d0b8126e47ef26f162bd837e49

SHA512
62eb47ad046a037a3269251c232cd155c07a131c6fb99dbf6817d3a0266baa12b6d14f460267abae87a583ab5e1b2adbfa364a87e10e4d0883c80167b5b75bec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
0c3f12152171ad041122d1db34592f7f

SHA1
8a47c3513957ad8cc686b76f8d6357ff33418f31

SHA256
62bd7113d957fa8dfc87e3a944f76b24adbaf80c18ef7e57a93e38f8404e8051

SHA512
050465c1bc3154242f0d4118002aeffcef96e0458942cf396e5a52d80669eb71f8db12720885a94836ed112d3ef6a1ef105fa77782841b72f6d73bb8022c35e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0575eafff1d17bcbb9648c32a066b630

SHA1
e2ecd56d229727ec5ece4279102e874f0a0d6ad2

SHA256
b3b6a9c59ca1fce69ddb88e5b897ca28e4445e5ac221c6ae698588c613899538

SHA512
95c50cb142988826d2fbf3a15d6525341b4ba4c3f81d2293cb0366e34fb5d8ab7064e3fe993a6fc131fa95828f9bbc05c3b6c0aed53c76920d7eec0dcfb60562

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
b00871ad899ef2f693cfbfef46301927

SHA1
13483e549d094e590cbb3e1b7aad641d554bc702

SHA256
601c4e96a028e8803961c5e34700d2e883784d94b0d9df48291aac4da1e0cc15

SHA512
e87f44acb4ad50fcf22ff66b149a4927e439581d994fc6b0a016200dcac8b5c570ea8b7a3c73d5cf22e5fc7fcfd4b5143ccef22148beb226c0e390acd0926bab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
202393bc1c4aecb254e92464b0e5b76d

SHA1
6d314a3027332e4bcdb101e05bb58abafeec3360

SHA256
6389780a400671b9841b6e6b5da3d6fbbb611bc01c464a714db5513bfbb09c96

SHA512
fc4072a2dbf8ed298435f0f762ef9be718e89670538993c1aad489b27a654bc697427d8e1b28ccc1292de3b54efa301d8fbeeac3f8d7419c2ea510c5f52f9358

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
785937cfb5efa425c7ed95974bbe9428

SHA1
04cc2d62915a7d6cd4aa7f23d526260237e471b2

SHA256
4e50f2e17a298a67ff6d745de1e57263da40af9557900bde08c95da73cf65b0a

SHA512
92369b03738c20215a3468a2a5d1d61b3a14d5476afae9b8bac29655c00f228783e716d627f815d99fd16b199dca0c8ee1be236a9ac8b2d222632f0f0f772adb

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
29.1MB

MD5
9b03721e6e174af6833eac71e587e97f

SHA1
13ef639527cf979371ccaa47d39ef3bbcf1d8bb7

SHA256
ec0ceb2e039f68a43d808efcbe0d9105f6b2a9f703df9f4e3178695e043abf6d

SHA512
d9154495936b0b09905036855b8469d7e7b32f9daa2167508d181361dd67696e4e446a4dde7a16ebd22cd3e56128e83e3dcac218919008f2735f10767c301619

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
29.8MB

MD5
3baa33b585db6fa01362e10102ff6e80

SHA1
8a10705e0ffe8080b8f34bd13b133ecec2a0fd59

SHA256
e78b79db5da6e943f667fc6fb01b917676d1688f4084feb2880b9331ae9a6d35

SHA512
9b3df0489a7317c8d225dc2ef949dc62aaae0ba6b251f4df8719a174cd4ab92b561c63a169efc260a080c81764cbdb090df01aff83d621e52f802d88e719a71f

Download Submit
memory/1748-54-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/1748-53-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1748-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1748-1-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/3048-55-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3048-7-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/3048-5-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download