14356a2680d913a3e37991e9d7755d86a7c0c6203917c34b0ea422491f3b28ed

Analysis

max time kernel
150s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
21/03/2025, 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
Size

30.6MB
MD5

6cc3475b50469100df7c24810d48b89f
SHA1

968829575a378d4d91af615db5e0f7e1db692694
SHA256

14356a2680d913a3e37991e9d7755d86a7c0c6203917c34b0ea422491f3b28ed
SHA512

54352b933f2c8b9fa44fb395c37ac72a54298068e55c9828f03172117bb9bb084e43e01522270876ed39f5d7b166641a74e3ce3035ef4ccda8e77ead8143db98
SSDEEP

98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMf:9nwngnwnBRRRVRO

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe

Executes dropped EXE 1 IoCs

pid	Process
5752	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\N:	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\A:	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\J:	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\T:	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\W:	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Z:	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\R:	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\V:	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\B:	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\H:	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\O:	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\Y:	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\I:	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\K:	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\L:	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\S:	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\X:	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\P:	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\U:	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\G:	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\M:	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\Q:	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File opened (read-only)	\??\J:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File opened for modification	C:\AUTORUN.INF	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	HelpMe.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HelpMe.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5752	HelpMe.exe
5752	HelpMe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5792 wrote to memory of 5752	5792	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe	89
PID 5792 wrote to memory of 5752	5792	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe	89
PID 5792 wrote to memory of 5752	5792	2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe	89

C:\Users\Admin\AppData\Local\Temp\2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-21_6cc3475b50469100df7c24810d48b89f_darkgate_luca-stealer_ryuk.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5792
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-308834014-1004923324-1191300197-1000\desktop.ini.exe

Filesize
30.6MB

MD5
ac73a9c65e8752d501cfc9f31bc96fba

SHA1
060c7fb127389e8e6db9438ad250314b8ea54679

SHA256
14b919c881a55122a8e4ec931a05aa7fccd2b32884be80f09d8162120f0d5435

SHA512
c44cb36a67b0a3635f50a842234ffee233668f15547522bf598a5fa6da5aa4c36e8ba935b6eac3abc1edd09eedd6c4cdea862c0c7113b5d5de00747187191352

Download Submit
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

Filesize
30.6MB

MD5
47c32aa5f34db8a33945d7e7b85f226b

SHA1
cf7c36dd095a244ce52bbeb990024b920122b31f

SHA256
f69227d3f479120c27f4cc6c682506feecced748ec88b320502737b56b5d8295

SHA512
ead8d44c16d6973f903fc57d9fd5768829bfae2590ebb89320337f09533be7279c76a8f6950ee4bf3705399f9cce08628e07cdaa9b97eb4f17d850e9548dc6a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
cf5b0e7f07e8e0410120436b3773731d

SHA1
8b3d4ed8a54a022ff02f23bbc0787e72e6693f0d

SHA256
c73fd8e8845a94dc53776271ea55ca55f3f917876fd61f9a7842d242aefcc86f

SHA512
be0a6dc7e37cf419db00e83da8738f43d019901a6df9037516b772ae5cda8231dc7751b85c948a513be16d7c91bb5b542ef29ac7113792b386fc058038a8252a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c535858aa33cc3e211601f595bf6ce0f

SHA1
7efc1969d8f3d94b7b4106631ed0f8fb100d1793

SHA256
2b6d7296487caa873986c8e087c0a21ce9bf3923825989492a5397e5ea0cb916

SHA512
635ff244ed567f437f42fc7aeea496777798c79c298bc36c7472ad964b9336a66adf9d2f0209dff7b00b1281065f29fa86077214f875bffa1805e0854f8628e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
399c793a731c4739ff09b293c1c85313

SHA1
6ab663a960f2ffc11ad03084aa21b918aaf58c4d

SHA256
378aa4de5e5fd474a35e46cff4e137216679c85d5cee24b367882e75b0afa975

SHA512
2197abd0f1323d66f20b9f15605f8b8aa7412e87c16705decbcab1b7dc806150bc546491d0ef485517b1728c78bdabf88ba7a7e2854956c2d0acb4f8cb9e06d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7c4558c7932eefefea0d4d2c7494237c

SHA1
a316c40b7b1e3d9b76598ae95178626b9109d55b

SHA256
198c18d0f89a32137ff529b69be0d39c28cd404fa26b150a31fee3356c52296a

SHA512
fe53a83fb87b52871e622c87f6889242d2c78e321b4e60c2543d00855624269a39321d72f3bf9a431da64ee90073aba133773448328523cfe9b69ef12018ce66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
29ec6f69a78f1c39113f4c130d21431f

SHA1
5c310592e885bce914242baffb801dafab579391

SHA256
c075ffea9579e398565d972d5d118708560a2220fa19b7913670afa9f6a14a9e

SHA512
b5c5b746e64765a35a5126f67ba71c803eb2ecf56d28597d6930e41aa42aebe19366e780e8e77730aa8f971726dd48cded1813858077d2aafb835d3c3096c597

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
ff29373ac731971b93c5e59377b2f85f

SHA1
3131522de6ec82ddc586e39763a025b03628d4c9

SHA256
5ae7ba0bd098584e264fd4e35e2aa2a2f8d49309665c320c4b1ab5038592d291

SHA512
96a665ebfe9761f7839a3944b85edbd6ac008d23ccfd70ac2d44114e12cd81727e224210393df35baf72c40ae004668f1ee0541ae9b0a6b892dbb4ea22b0a1f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
bfeedb8b48ec781bd2bf0a444ba0edf4

SHA1
89d3dcb6df86af576d144004d940a8d9b35243e2

SHA256
060525352baca9f2cc24b97f67ed29e20706cbb85f88dd1ecb14c32497b26fac

SHA512
bef50ccd27618d56240a0d62a50ebb516cb45e09f8e6d300641175089ae93b8f22319a527efdcf0eedd4a6f7fc07236e6b5870bf3ece87dd839c0a6d16b47849

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0c848bae57fcbcc1798f2128bea1f4ae

SHA1
321d2a051ca8cf1af3103e691dc4fca748734770

SHA256
beebf470fe6a070f16e6d7db91c4356091719643a4545b4159c53bcd1542d5e4

SHA512
ab5fd6ec5c96e1b46160c23e303735c879e15ebfe8ab827fb9e984c1ad9fd9eacdb6ac99b42b7457e9697adc15f87b985330bad6d1a88fecaeb1ee11825c3280

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
2fd60646250d351ba84ffce4afbdb8c7

SHA1
0dfec5dc9ac78b5379ed972cc0cd766ba2d34abf

SHA256
7514eca6f7f9c9ffe2b92b2a8042be1dace40440c897cf9a252a456067691ff2

SHA512
10174a179cca0f3d3242bb8f6eaacdaea4789ff29666f7659cea66e9e1dc53853dfa477fed233c6ec26bab69621a97c68fd7f536db73dd69d7a9ee6c7a547111

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
769437ccea8499f713b91fe70a905045

SHA1
1e186fe43dbf8570cda989c9e078dd7da05bd132

SHA256
fb8eea6230e93d3112142c18b5b82ab992c45ab8dcd894365f0b978ec9f3851a

SHA512
597d8a93bdf4b33caf90a7a8514655ada3cecb10d85c80567c1c0096e8f41b471f51fa3ceabe48f45f17ec786803fd9f5e5eb56cd3a40a6f684b84e4c8f05b26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
536589f449eb1ce30b652439028b320a

SHA1
a613b4ca82cf915b8840460adc8d4d5ead0dd2a8

SHA256
3f99e5c2352be4bbb62446f0ddaf48686585bd24fc9e533369ba1067057f8a68

SHA512
b020beccd53b6abd043bf9869a54e0560ec9bcc50ed2c0fea8a7c1f3c05d4d2661868535f77c2da503d46e2f60d7be9d07ad8c1bcb352440d0de7b0a7cfc2359

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
b6af210808b0212f918cb6abc0cc22be

SHA1
c907a0c1ce524adbd026f61ae90b7b1170e3c91e

SHA256
3f97d4fd441865845a44a19bb6adaaab3aa35f50f55a5508b397b1be7476e7bd

SHA512
31127b3b86069b076d38e509a50eddd16b644dbaedeb7a184b439a35e9287a0891e687a92d964ffd77d2bab6d2ee243e28a065a92be0e6469168af17e6291820

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
cc7d041987f3c8da05dcb309b6d4e1a0

SHA1
8252c2a5cbf74a8110a4e10e377f7d08dcbeae5f

SHA256
a34e880449d67ec2f0a1eb4839a8efe775f58506c529c23b67bd322de8944454

SHA512
c13fbcb00beba498642d2979dc41cde48e0aa0ea7857a790323760e82071f7bc76201a40e87e14d76ef7a364fecbdbb50f192de07afe290820e4722859eb421e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
bb722206a8d9dfb67281242d11c9fe6f

SHA1
6f9b876bb8e5bd8cb1d3f933b6cb5431efa9beef

SHA256
42e3ffc97c9a7ad0e93b3bf69b482140bbed05258a9e945554c208530edab0d9

SHA512
8ca02cd0568d0d6780de2d03223f22103cf698c4746dc8531e903125c06dc46d3711252d2e08905e8c176bece2c355b1551a7c2c85c250237733b0eea7c501b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
70864c800704abdf7334608192c46478

SHA1
cb2e0467f89ba4d30e3671190e027cbde0ec18c1

SHA256
792f379f54462a87ac8e44e291d3d2d8aabbeb1a435115d7606d1100e35d99f7

SHA512
98a559047102c1577152438fc1369210ed8f2cf91b7503ca6718d2ab6211aeb1d9dfe899f615ce796ea60237f2687a96c1e93451ae14c86ea3ba8b30c43204a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9533f5371854aa0460c7b1caeaac0557

SHA1
0fa70284db314c7ed25256a166c4b982ed9184be

SHA256
5d41d8d5d328fd5fb195461e0d7c0b351dbe432e24780f03ba587ed3a4fb6338

SHA512
9044c87df0652d823f116a539db45eee069c11787399aeae33a8d31716d9ecd0bcbd2122876258de17f79726e0f622178d2971294c98729240679763e570ebed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
cc08e09727aac8082799e30cbd8b95b6

SHA1
3f964660c2419685a04bece7ff935123df207371

SHA256
bb6f1bc71faea47f566691a30c98fa5780e2be198557862792cb944672795da8

SHA512
935c2cf49d6a0fa6d6bf9fb141c32d172b6ac443434954250dac0ade14909d0d20b658a94173087ce1bc0c5c8be64d00cdc31f28a81a67d3b2e08215e05bed29

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e9bfabef01c903ec0726e01ee05a91de

SHA1
00aff02de33868507aeabe27683a0d8f2543c2c4

SHA256
7c0fc7044e76d5cb410e5b0b4f9bbeb5f0a7be4357ae6f5ab9f4605485d4f66a

SHA512
3c006b289f7c0e21af8a1c9b8b80341e4ff6b3a87cb194c04257093bbfcf7a705aa6c42accb1c1fd1e01194805a95c97b8a10a57e8c972682879d0327262aec4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
efc943d4c1f4f36e0a0655c423713065

SHA1
5f0900b63b9e71c40eb8fbe857441fb623edc2b3

SHA256
45d238f08d96b939176da0dec72dbef2069b8b1904904c2f1254d7b8f99ed01c

SHA512
5c17c1d9dcbeb75911838189eb417325a9af4378d25c627462edf1bc3ada0045a4a954045fdf99488db0544165ad1949514c183d794c703f17884ad257b264d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d8d299afc553bfcbb96ae6bd65ccd2a0

SHA1
b338d931d951e670b342df3c17b957f4253f11cf

SHA256
18239263171b907e7eb86192c2bd5332438948a0ec95e7ba88464113ad6f2b62

SHA512
53925b5797c833df797c48ab176ab6c0dd646746e91f70350300b89c101093ff1d6938508a13164e3f888ae4677e0e1e974f021f00a2d7222db0c9c6aac9b1ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
5112418accf4e4579ea98641788577bd

SHA1
896d1b8226fea9cd81d46bf4fa48c0238f7cb001

SHA256
6d3efc014e7e381c9fe52f66e3fb6d99b47aac9f097e885369ebbd469c3c85e7

SHA512
42453c30bda60bf9293c75aad0b36155804684e59eb390650c5ddb3d6a80c682101d95e6a7b5d9215cf716c92d086f650169dda49200b13a47beff4b7cd31332

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
0bc76f0e3cec605a736107a9d260c203

SHA1
e5d66435ffe70aa425e1bc8e79cda8176e3c57d8

SHA256
2f7ced82b96387f8bc75d0326ddc17230ffa45496b6e4658bb66769cad356a88

SHA512
0a6a6dd512c875becf9404112c369f8f6b391eebfb7350a2abe66e750393c6e5b40e7f1fc61fbb808f2e38a1fa918e481d2ea7473294ccb2cbabaa7f8d4ebc50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
3ae5be8c574b937bfde8bba9aff4b150

SHA1
d8956c3719799d4cbc1b624c8d17a96696284ebd

SHA256
52dc845cf7edacd222b25f897aa6cac7b320c24352d47e423d077861bda5c570

SHA512
8a3014f967de6c8dcb6875a77cc54cefb1a8a4f4d3b573de3bcd6db5dd657ee7c1cfa2dcd0fbc739b57ed4e68926cb2e2c1aa4f0261cab14ab152644b9e40ad3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
2ecf299669da679930dbc05a45ec40a2

SHA1
5b5632ee0d3dbda192113c060f839c1b9ec76fa2

SHA256
5feec257ee9a9a62becdeeddcac87c836529de222fa12abb3eba26906ceef617

SHA512
389395a339972006f69431d88859efd36a8910e91f83654f9e5e0987d8bbd679a883b205fda344ca20f1b34fefc6d19e4d23d2a26786e9e53919bed3d9a08092

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e40fd840de940c07f9f86ba745517c52

SHA1
418a764d85bedcf7ad89a29550f52eb618b68c80

SHA256
a156924e325c8e84c76adb9bc02469404698b0dc878ee84d5c9473fae6457b1d

SHA512
27bc2252788c6fd815a4c0a936c361b612fd096e9783dc76d176ce4cafc5ed056fb85687a0ddb4e01241966e8d5854bdabf41a2dcafb7518fcff8ae060b98aa2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d7bd42d2c7949b0fdd7b51a0c15d90e2

SHA1
d5258b499c1ad4ce99f663d5a966341f81a456a1

SHA256
c1a9842472bc2864ffa4a0a7e8d31c6675aad357a682d609ba9d73a827bb123a

SHA512
ae47e5161ba46412025d7b0b292fa357d48048c3cc39963f4d8cd685b99081c7117a9f6bdbf86181faa3b7aa03eb3b1c5cad95864f9acf75cc5f53c494c7fdd8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
99ffb1ca724b27516e8a20217794c752

SHA1
c8eb1cb86a0c4e3bc35a534e723142cec7700c56

SHA256
44ef894ee6fb0cb2328017475be1b1fb100092b28f64afa6b7a1c7d5716fc924

SHA512
9f9e76ecd63c10fa872c5ff10bafeebbe77c20101ad2e7e9a3ba480ac668838941870cde4e1f3d975aaf49026427540ceca276dd4092f7a30f95b253dec4c862

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
2127cc4340b626775222ed3c3bb4fb29

SHA1
bd7b67f7a44ca2f12307d6461ab450ea2f2c7613

SHA256
600dce80063e71efc7e517472c0089483e1802e5c30d83ec99c9e07c4da531d4

SHA512
1b179400374fe308f3f8da26e88a32d9538e87fe2446cd9cb8725602b36ebe83c724610fa7112eb15dd6c5e2b4b1eeab6a4867799a96cdd4f7826f4f71c79e7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
6ab0bedd966c84bee4463356cc0294e3

SHA1
f3967f0eec79bda6b7c54e8299365ef60e7ca24a

SHA256
b599954225058ad1baea2d415483e91d9ea1e1d31c3bc6c38cfb12d8b9eb1a8f

SHA512
a887722ade7729fa486821ba2ad5f8fd161e8759fb559ac8676e1b1411db65caa29d44a1bd6f19ea51995b10450586e77bae7f257e6fc562ca2b18c59ddb15f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
ae2b4cd66f80ffe43c416cbc2924e48e

SHA1
6c5df5355c2d1a0252ba52fbd06836249c06c12a

SHA256
9c5c1540f114cf51532f7fd2edbdc5118e2e39cd84f6ac26b3b73ad7be5a172b

SHA512
84989dd39fcbabd990d33af28c4bf07658baa04f6c8f056e132cd136e732840bb24f9d4972bd4ed73c89f55a420f1c1d7dde012c8eeb56865599a95ee74e59d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
b4c63e43072122bd8850f96f1c4055f4

SHA1
3be39945b280094c73947b8d01a4418b25bf20c6

SHA256
545928c5089e2ca9c31e6811a1b9cee0e908c07a4a5cf373de135208bd611342

SHA512
25e90e18bcd675f65c70cc8d9b34b3db6adac1637c5712c20b7beb5041d11681bbd85aa43cbb14b9c6741909c9db1c3d4df8018745ea17853cd7acc4732cce52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
63b90828acd0b737ee8cdc5f91c96344

SHA1
749a91c1551d34b31ee27f90f25fc1c332aab4d1

SHA256
eddccaca04d210c840fe57f56ae2ac9439893a4bb768f66d57eec624738a6b11

SHA512
205ecb2ecd4dafcc6f738a09bbca9cd4f99fdbcd4a2e65b652c21e56446332e74e2607a032ff1032d2b13730f31469d305fa46686c6ba7cde0fc55bab1a15425

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
63a283bbe5c98844746222d09cc6d00b

SHA1
d8020c276fe113079d31752807652a0d26326991

SHA256
189116c54a6795e6fd6844dcf504feffb43b4faa527f484162d245e274e721c3

SHA512
b8303c4f27f7ab465c2f1c6fbcbd1922bca597df119bd0c17f72b0a5223f5e8b3980f30c538ffc35b50791e015c7fc2043662a7104469960995a8bdca5c655a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
6b11d797768d201882f376049438e9c5

SHA1
3cd566a616e77eac06d66cfed1aa7bb9ecda1da6

SHA256
87b0d9eca777f668cdeef1aa7697b99286432a547888b5a4fd88033506ccb321

SHA512
5b9c7a9eed9d65c8e32cfff746c1c6389931efd83122bf6cca1b5c26fda07d86c1dbcdf4b2c4468f616fdcb4e0cbe95acf2b3a2a656cac3e0d05c71d9a6e590e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8dc44b77d43265b396a3e6b93f8eb9b7

SHA1
d8eb6ee5ab3440f7abe6815728b9cedbf6cf54ab

SHA256
353407edf4d54aefaf5f279bcbcb88d5981c82b84d0db14ed3d351e91f1deef7

SHA512
536931b6b303aa09592aafb792684228936733819c6cfdcbce42f591afdd644522dd57204705ae32c04aa92308366e2bdb07d332932224cbd80c5ebc4d031c6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
297bab27a7c55f266cc9e7754075f5ea

SHA1
d570f6d2980f66b1dbf26da17653713dc9cd7edd

SHA256
93a2706396ddeee0ae5375aae443415f78b329d952b418b75353c2e70e1f82e7

SHA512
186bade27c4ac669517767a9cff5af4e9c49706651d6ad5dbe3ccbebbef06686a17773276762bcc78373ef3ba01e19ffa390509792005d85b9ea6940959ccc24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d36b76f57d8d481038516943324e4660

SHA1
535aa7dca71701e2a974cf6bd5e4caa47a133026

SHA256
3a3a3d9ae892e8afed112054785cd4685c09956fd6318570883f2f6fdeee98a8

SHA512
490179913c00b68681af61d025d4cddf17778d57d2d64468daf37fac01b643969d969c34c478e1ed5fba6ae22f1354ba74a3688ee23d7d7683e145a41fcab909

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
b09d77218a2b19e9756d6c6126ba0ae4

SHA1
6694532cc1a9507a2f8c2eba96b653cf6c6fd950

SHA256
f6d50362c5fb63bf27e8d48d8fd2ca9b80ff612d60b484d277931efe9531eb81

SHA512
7f027241539c7b10ec4937484aa73f82969bf6324b52619a8697ea1f1cdaf74e2fe216e47f0853ed869b1d2fe62beba767e6f547fc3484e7be9ba984ed133ef7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1d272b499d4b3e951da1ca41e9ca9c3e

SHA1
bcf48fe0d6aa2b8f43d28e556b4c78cd3f6e43c8

SHA256
48f117e597fb1d16ec1d18544c22a6216fce13b0370739ad4890997b3ddc1148

SHA512
5acb0038152234bd42f28192438dc8942752da45c5b81cfad6ab0ffaf43be5bbf61baeb6b7cb3c1c2c850da45934a7d60d1f4ccff5e1ee9b5da4ca39176cd964

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d1e4c34494ff7c2f0089dac62121da31

SHA1
ba830c8ac6125b873460698abe07e54d5cfafacb

SHA256
8108defad1e685074ebe435794280621be33fbf2d63356a332b4b45a6ea642bb

SHA512
aadda865699368f15154a88f9354b7f1829db9a0b7ae620e59ed65a1bd91c01a299671b32a8e7abaf3b645d1c1a047ad05cba6a7af884c71dde2f17c9868ddd0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
74fd6c111ad73184f3e5fe702c3cfffd

SHA1
52bd8e88bbdec037a31a5ec79243b0f2f8e2d81e

SHA256
df1fc4eed7b451060f11113d41ebbc0b4321ad51e00f70323f48985182f81f97

SHA512
f799a764f8ce3ce447dd7bb18678917309a9c251cf08c37157cfc97b9da19d39490e0fd7b9991713058ff63d8cbe7caef86cdf20a4b47115d152b431f565c5cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
dfa11f8a03f1240c0d0c98cc52d09d8a

SHA1
09e967b50ff172b0f7946cb9027564aa83d75b64

SHA256
cac41ae5c569786f2ac17d133a674383de700bf190e7479e5841e4f646eb4d5d

SHA512
eaccc8f2929758deb18ed84c4239432236647f2f2464cb6d1ab731777e7912f191e83cb143ec76caecb7afc324bf47afc312e68e5180cd111a5ac7e6f09d53c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e0f973c087ff809e9c08caaa7b6558e3

SHA1
3ca1ca1ba90f8fe7b0779da7abe0d28af346b283

SHA256
07fe5ec186405617922cecd5f710d0d1654553df78b03239e214968f627cf488

SHA512
00598de66c5117d5e4aae397c6d0eb4f1ff9faba0d7c1ae4b279c9e34e4a6576f14aa7c2edbe68958a88b999225dc270bce970505b7e530eaf16e61230fdf4a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
48666b37bcdb1f29af8d2fbe860ce442

SHA1
6da99677616e4c4105546b4bd5e8b50ce98aadbf

SHA256
1d39855d5662731b2fab7536e1b79c06d3441df136347a4e7e43c1fd088f3edf

SHA512
67626384a1d410085d96e86c31da77556b5e85fb2031407e22693e9f7f8a9d5861684cbbc1bb19bf94c019dc8ee7bf4d855b61ca8222bde21c0ca4d21161a412

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
5e636aa7bb0fbbcf052006afee9497a1

SHA1
956f76d14ce631721a447c48eb9fcfbfb27a58ce

SHA256
dada526a2b8f30a7cd569e0fb28ddf982216e012ae3041552cd608721800b2a8

SHA512
6dbdc829ef29be043acb95fc22db4b6b5c7d31dabfe06e790a8a1f24b2134bc88a5dea54352b383693875d969281a93779b233a9ffe5953508fa3a4f15b41332

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d45654ad722d67222ee0321e14fa8cb3

SHA1
b3776d1526f3d21eb83f900e4c756a51520423c1

SHA256
c443cecbceebe2136350b0ecebbd23d93c8ca32110e54cc3ffb25cb8bcf6cd3e

SHA512
0fdb93601ed4653ab7c93b4e37e82a0c1c2814e0b79f640b48cb9590deac6a9524ebec7b54d59e66ab2ad08775c3a3dc1b603ce771e8d2edefbd010f3a289d57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
6a5dc5a258e3d811eed153bece1676a5

SHA1
7fad9c050fae3c011afb13abe6865dd1225f9c42

SHA256
65b370281775bdc63986279418f4c521a70a872d16b2aab00d8dd6c4cb3beaef

SHA512
dcd94c83d5258fe48c355a9e4ea179624c44e637fcae28bb02efcec9a61acb447d32263e80e843e09e739914c0d37cc658a0d920ac138c82d27b08a47eca7f8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
12cea45caf0c08339064be48b962b2fb

SHA1
5db49c554147e8401ae9b0a8d5f9c25afadf5cd6

SHA256
b4c9c33cbbbaf8e51b62334581031e3f5bda284a242f6eaa4f14cb7aed5260a7

SHA512
237e47f69d208c3ab7e31b70f35513f0cccbbb740de357780b1d67193d2a838c9beab0ee88292e37b6d224952f5641155129bdf6f464d6fe5e40317c9fb7d5df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d023ea603680d0ce62ac07a97297b9aa

SHA1
0ffa163dada9c2435992301a4c4771453ae374b5

SHA256
39169f7ad2cb441ededb2f1e96b3acfdd820ba267fcb1d56e73759f57841cadb

SHA512
e5871ef0b5ed7589248a209416bf68038a74547a63c16f8b9fcd64d7b639dacf9c0217d475179c24902e4a76911f5a4ac2358d5fed4f4fd6361dd92011740cca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
62f1ffa34927ff849a70541ae3629bc1

SHA1
e2c67ad8660add0f7d223ff4cf1e2cd5f81cafac

SHA256
6320801402500097032616cd7774503025fb5546a26c764ac5029949bd49490a

SHA512
ee8678a3fb507848d8da0764ff66eaecf941f8cd484fb61822280e5065c929d1616f97998a3c60a64a80f859967fa4f04414f804320792a5516ae5e2e43ffcea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
256103a95848277a7e0a1424b82c0e0b

SHA1
6d1f7ed512b586e60b106c39a1f821e1b593a38e

SHA256
041604eda1e43374c808785783470925d8911c7364e17f0c7ecddb6a9edd7233

SHA512
a2e3be4f865bcb7bbd599e8e46463e54e5b48688a6a82bc41d1a099e2d8f5dcde7e83a01510368bafe083013ec02e8726781ec71a814bded2f8d2dc627aa5e96

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
194b61e884455d6e287fe7323b001f19

SHA1
cb593d31f2ea4a7e43c94a161492e9222130d04c

SHA256
4ce2fca05988a1e161e3c46076464837a57bca6256387fa328bc48e95c875661

SHA512
a9f3c142eb755deaa13cf18c8e7c822b493cfc332d61ba31068496abb8fea4eaee5137a14abf5498b2cc8e347a5e2ca28b962df2262d1a16cb8dc40939fc0c2b

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
29.8MB

MD5
f9972814ce7382c5e6a3ca7f291aae48

SHA1
50f0b705a72f56093d72687d922f61e831f79a77

SHA256
cfd5b179331e33274f8b901bf26eabe1c69666be589c8fa2268604dbe656792d

SHA512
24d5a8c59bbf7ae65ae04031866beaa894775afe32c6c22a385963846d57ddeef79a0c7969d7aa6cd4ddf5fbd4335a8cff59e3963a52f9d0fe67ac7f97f9efc7

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
30.6MB

MD5
6cc3475b50469100df7c24810d48b89f

SHA1
968829575a378d4d91af615db5e0f7e1db692694

SHA256
14356a2680d913a3e37991e9d7755d86a7c0c6203917c34b0ea422491f3b28ed

SHA512
54352b933f2c8b9fa44fb395c37ac72a54298068e55c9828f03172117bb9bb084e43e01522270876ed39f5d7b166641a74e3ce3035ef4ccda8e77ead8143db98

Download Submit
memory/5752-60-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5752-61-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/5752-6-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/5792-55-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/5792-54-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5792-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5792-1-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download