Malware Analysis Report

2025-08-05 14:40

Sample ID 250703-f44c4svlt5
Target 52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1
SHA256 52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1
Tags
discovery persistence
score
10/10

Analysis Overview

Threat Level: Known bad

The file 52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1 was found to be: Known bad.

Malicious Activity Summary

discovery persistence

Modifies WinLogon for persistence

Drops startup file

Executes dropped EXE

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-03 05:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-03 05:26

Reported

2025-07-03 05:29

Platform

win11-20250619-en

Max time kernel

145s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe

"C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Files

C:\Windows\SysWOW64\HelpMe.exe

F:\$RECYCLE.BIN\S-1-5-21-4024151881-1944119507-1574723210-1000\desktop.ini.exe

F:\AUTORUN.INF

C:\$Recycle.Bin\S-1-5-21-4024151881-1944119507-1574723210-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-03 05:26

Reported

2025-07-03 05:29

Platform

win10v2004-20250610-en

Max time kernel

145s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe

"C:\Users\Admin\AppData\Local\Temp\52ae383de8f9e34cc65d5bfd7a1a3635362f8316e277201a692035095fc629b1.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

memory/5196-0-0x00000000021E0000-0x00000000021E1000-memory.dmp

memory/5196-1-0x0000000000460000-0x0000000000461000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe


memory/1104-6-0x0000000000400000-0x000000000047C000-memory.dmp

F:\AUTORUN.INF


F:\$RECYCLE.BIN\S-1-5-21-2012121138-1878458325-808874697-1000\desktop.ini.exe


C:\$Recycle.Bin\S-1-5-21-2012121138-1878458325-808874697-1000\desktop.ini.exe


F:\AutoRun.exe


memory/5196-47-0x00000000021E0000-0x00000000021E1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
