Analysis Overview
SHA256
225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94
Threat Level: Known bad
The file 225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Drops startup file
Executes dropped EXE
Enumerates connected drives
Drops file in System32 directory
Drops autorun.inf file
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-03 05:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-03 05:26
Reported
2025-07-03 05:29
Platform
win10v2004-20250610-en
Max time kernel
145s
Max time network
135s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Enumerates connected drives
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4052 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe | C:\Windows\SysWOW64\HelpMe.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe
"C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe"
C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-03 05:26
Reported
2025-07-03 05:29
Platform
win11-20250619-en
Max time kernel
145s
Max time network
103s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Enumerates connected drives
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4704 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe | C:\Windows\SysWOW64\HelpMe.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe
"C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe"
C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
Network
Files
| MD5 | acb7c103322096521684fe4ffb5203ed |
| SHA1 | 1f5d7cee8560c489a580d60dc1e2768579c5c217 |
| SHA256 | bdda059fa913ac9cda04b893cd21a7dc58febb96e60981dadd427f260476185a |
| SHA512 | c082f4c3cb709deb31a5aaa8cf376a828b8c398a4f22972f79b1ffde63e50247a82eebb7333635f387d1481bebb5d0412030c5d15456a2e63de447c3e3826140 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | fc53f897ce3aecdec49637a05d8e57a1 |
| SHA1 | e99a7ee126c27748c14fbb0175135511e535b4fd |
| SHA256 | 1dc5a96ef4fa496b134dfb377df8ab2a7d1ca3df32a8eeb65ef756e9dbf3bf34 |
| SHA512 | 753fee4fdf3afd64475153d7e2de954c9ce3c528add3fdbfd162c5e519e8e5bdfdd710025641e152a824e7a30efc7ad25259f6d936f0d50fc26793db2c65a433 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 6342aaa466c755b4aad9fec6c0825d1a |
| SHA1 | 72126c9056fa70b8eb87ebb636a1007c561a699d |
| SHA256 | 3d8fe758d252a26dced3bdf9dd77039fcf9e440eb90848a11913529b587515ca |
| SHA512 | 5044d17e0f42f026c9bed65449225c07a06cc2cd0c6d66b2f4e7fe3c661f14c76723b1cf83c856a4753a462613338155af8467510ea99dde3fd333ac411077be |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 3621e04e5f9ca6d6b486c83d2f11a6d6 |
| SHA1 | 5fa1c05b6e9944d752bf5e72eb35698a5a90ddbd |
| SHA256 | 0ef892264c7b2c113135866a35e90fef6ee7932546789d0ddf3a0a6cd258c2b3 |
| SHA512 | 280b91749f54925103a9bc4a2ec619af1e6fc4e5302039eb6c48331eb689a74588439041f09891e194de27442951530db5074b2f93110ee79a95c5b25be18580 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 2a78f469076827e1650fa9834eea65c5 |
| SHA1 | bb99eb9e37a180bf95afb34128a9efe03fb6d59c |
| SHA256 | 20bb26ba558488162c03b610ca443b04d138f2e35640e529a8c0f6ef83f57c0d |
| SHA512 | 2111a94b37943192433ed54c74be89a28c3ffe8dd397679691d673692a117dca240bbbcb46ffa1aafef92da6867ed1c2db0a8e443f8b564366c4b752685856f7 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 0c437b6049867b618bda6dfb62ba3044 |
| SHA1 | 2dc7d38a39e181793794f465a652d2a57d248eed |
| SHA256 | d0f504a92039c70cc1638701f6e6a48aedb5409df96317d77f3cc7a55b94df2e |
| SHA512 | 4757103e4b5d83240b09c5fb6b4bd282d771edcde7437cdfb74c26b444af128163ca6e0e0be63f870d37775353d874499fac8953e33cc8c8d094e5ec748cf55d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 01f4b6dcf84def84205751d24adb2c2b |
| SHA1 | e952a6e6fec577223d59178b42da4c39ad759a20 |
| SHA256 | bb6951ff124bf6e312f2f150f3b6716d9d9d63a34bc689f17c91139153e0a155 |
| SHA512 | 1f7dfe5424a63862c8e1a4d493f19d0f88a9e73adf22f698dba0beb625dd4a85c95385ee2cfba7b908f76e7a6f9f59f4c50740d533c17e4ceb53bd913a3613ec |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 43aa36c6676d4d104ebc57c9ee5cccbe |
| SHA1 | d2fc04dfa009a0c2c4fcce1fd8a4f561bb2f78d2 |
| SHA256 | a764ab043484c7d7bda91438776ecb833c517aead24431c1de2516f8f1845595 |
| SHA512 | 3c670d51b1a5d316637ad772eba2111cd831007127378fbb1010a1c303cc95ea257371251c08435e4f1a917ee4e84e25813b83b888addde282490ec7d43e8446 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | a33993291139bd9745458d36da4b15be |
| SHA1 | e52180f8a29662cbbeb5dda0609403c4b73ab00a |
| SHA256 | 341716fb29588165c7b2bbb9ea3ff52b9f0db4a90c5dc8a3a752717a4bb19804 |
| SHA512 | efe9fb405f32f09d5f9205075ffc12dba43c3e920ec4e018332db66f3ac5cb05370adcdf76266b5c0885d6e7775b3a27383b920d77256e5e9dfcd141a5305ee9 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 74c0c29a9f062ce76eb5f5c8e36383be |
| SHA1 | 9374948e40b2eb5d7f15017daab045db56230ced |
| SHA256 | 0128d6478b2b8ef189cba35100ce7906b3d4eccdcda4f90af04c1dd0a598315b |
| SHA512 | 02e957a2e8ecff1bc958cdbe04c66d074ebdf3af654bbdd9e6bb0961be44043011af90ccde16799868ec2be338176410625756b6b2d4a6727a172001bab2741b |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 152e0676f7feacbc346e3763f12273fa |
| SHA1 | fb98672162b4ebcd19605e75afe9c78201454a9d |
| SHA256 | 516374fa52908f251de8ae8398b27ae6e16aea3f1123bce765500d29f3690114 |
| SHA512 | 17c0590d8abbf755a2cb979e555ce26a1dac37bf2ec9027944b3383a39afe0bc9a32d5da9d0ddd228efbcd021a41f8b22af8d88c06437e9141a403a4fe3f6e9c |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 1246a3f9fd4fe675e82450d001ce71c0 |
| SHA1 | 0d8897a581cec647c46d34fc518e1f77e5385270 |
| SHA256 | 39a511f36b7382deac2ef9d7c1acbfb1d1c6cfbb340cadaac4243ae0253eb187 |
| SHA512 | a52097d04b0bbc229bdbc1eb2f6bee04fdcf12f02c600b9912448db52b74843e198a6fff25ddd52bad0e7239ae6413a8c8857dd6da690dc77414299e9b34862d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | b904592b162a6d6aae7cb4747ba8bd75 |
| SHA1 | d662d43d3df38c364d51ad9606503c310ad561f4 |
| SHA256 | 6fb1c0a786f41be04cca7ec16b02ba7c97fa55c0ed4fdd4a7e5b9b7daccbe505 |
| SHA512 | a74d960b8733726ee305c8516bd4d2310a933aba81dabe73fa077fb9228dbf98d8bc5cbdcec2f1835969513e37307e13e6bb2309fae1dc13fa72cf987e43a631 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | fb82af5da1cd3a1b82ce33ac76e7e5ea |
| SHA1 | 02bdc17f5f37c5ad59cbd514ca3ff576f205993a |
| SHA256 | 665fd78f38e39313d87bc33d1720d777b02d03b6459cc725c70671f44cd0d23f |
| SHA512 | c95b09850bc412babf1c3a7956568422146a117ddf0a8f41699edd0391e45f1c933e6968865cbdd5772b8aadfe761e9278bb0bdce5658a3fdca0f750848cd5d7 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | bb90aed9c0a36d678b9a8186dc2d44fa |
| SHA1 | 3478544cc56c30390c20c6e980feede6e24f3ab5 |
| SHA256 | cab7412d0f0f214d87a80731dccfc0a23791556a01a0ce0fd096cf0de7dd5c25 |
| SHA512 | 30830fc51d99cd863b427b725f0394f070fd36ad9000990c864975f7fea8314cc1542298b2db4a3559ffb69ef74dad6f2a0e55d544f2861564925d360276e52d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | af9cc98ba3b8b94c16e0d2b7ff79df04 |
| SHA1 | e466e26250e672d3d6a990c18a8a1a7129817818 |
| SHA256 | 747b69ef53236cf46bb9110838b8bdaa7e55a88e45538c7424ca374cc2f3151b |
| SHA512 | 0e7527f319c0027c9bc3d2b1db78448bee093e3c53af0b1586835282980d4285ea0c8dd9ac1a14c8b90bb81c14dcf747193a93e3df5a711f1712f7c4b67393b3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | b45351a238765132ce29b9f5952a1300 |
| SHA1 | 64e370c0b947c74b7b1dba0a3481d78d3f74fa12 |
| SHA256 | 94295abc943850cd98d5f565b48da1fc2b1a2c89564952c907d352b38d7ecdb3 |
| SHA512 | c452965f9a0245cc3743d320494bb879c22a3890751f9aac4e6f0353a0783f638d43ed21eab3cca53bff67cbcb950ae123ffdcc99285c1da8b2bb7ce938d8cfd |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | cacab250575e200cb3214222e0175ae9 |
| SHA1 | 2ca6630644eeececb045c20199fe099dd312335f |
| SHA256 | d2d52e31393d5cfa2f346c97e6164ffc65ceb6dbaa0231dbc947c9f3c0fd9b72 |
| SHA512 | a0497af4ef806516f587bfe5ff1176bf27e84021a06746ad2a424f0548e5f3e2b1a7e024f05448519223ec1c6be419ab73b9412caa52aca120fbcc670c450393 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 58344128a9347927d0e3e67156592175 |
| SHA1 | 8e5646037b82d839250635275100e0f3fc8295bf |
| SHA256 | e49f6992aaca1dfa668614792917217fb2f1fd9c8e85ab176f64ce895926db99 |
| SHA512 | ef6a40d5f5e2a49b71d33f0c0b293d45c2dd00508f2ff06af810cd5e4a08a35836c434f6f6c5893912b619cdce749d47b9bec53a69cb17b2f072ef21c56e3cc6 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | e9ab5ad218c19c1f012e257bca5d7580 |
| SHA1 | ef714ccb4ee511440c81be670c7de70b051f1494 |
| SHA256 | bad26f113e5c0d135498c40c0b041e9e7bfdea7436add52d955ecde479d799f3 |
| SHA512 | b6a3f72d527c71601024e46a6dcd949479b5dcca0e3d5761dcfe7b7ca7ef2cf55d848916350b1c444a0f8aca2badd4d4a17a2e92bf1bc53c9fe7a6972900ea89 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | e651897660d8ab3024ec0e4d2ab878d1 |
| SHA1 | 73aeb9cf1a0adfa30313339c8cec14df1631e0a0 |
| SHA256 | eb3df3b54698eed905119e73c65cea6a4bd0f9a68e944a2fd134d7425a77359e |
| SHA512 | 21c2b8f6738e77f536129db92328b447210762b20f99f67b6d2531915815dbb375e0e5035515c589f610ffbf877132e97ace47840c8b2e526af27e7c8b74621c |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 844ce3006350a9cf8c068d675f655457 |
| SHA1 | 6870de46969104ae7d36b23a79134e9fbd264d6d |
| SHA256 | 3d5ddb4e259055fb2bada8613a18613c9a78715147cec83505bb714f5c6d8386 |
| SHA512 | 49f80c222310f1d1ad4006dbd9118551f9ed158fa127b41a5cd9f100e9732217b445a397642d6b2e1034461290bd90c28d8df0b775d9cd8824069ab24928ff81 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | 0c78f9987325f4a8c4892de63da0c597 |
| SHA1 | a89105b3198443200f1f846d7d2b2cdca61abbb6 |
| SHA256 | 52c67f5e35345277fc4aef00b6571fcbdc7ae5be2c3ae64ceee573db98926d0c |
| SHA512 | 2ff54821f794058ef885329e0c0d215e9f816b50ee9b2ac2c76c67ee9935e7f4975eb908bd35d9b540d2c93ef4e73c870e5ff7c32b3e9358eab97d12bb7dac31 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | f8bafb643a033c7f7c1f7809dfe1a91f |
| SHA1 | d920972d3560823f63aea09cc4fcf974cd8aa639 |
| SHA256 | e0ad03cba952d89b79c44de732fbe6a03923815a12d3141ab8086b8d91abf7c6 |
| SHA512 | 4ecd8e1f7387e88ead2ab1deb3b3f221654242a391f4c2050fcccb3773caf554f67c45543375c2bee433e3092ac0f72c69f9c204314528710804d6c988166384 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
| MD5 | c3832f61f1b63ae89732a8249a6f09b4 |
| SHA1 | 998599dc35f91d537ab17a216f411c8030fac4a5 |
| SHA256 | 89200d34a491db33b4e11590341caa39556f9756f33bc2bd09946d70ea024d0d |
| SHA512 | 089e4d32f8aeb4586f46505ba74cbfda281fdb3575fd6b5600b5c6dc01d67c87775b17726d2cb9a7cf35fd23c45196da229461215fff08c2d14bf06d99f995c2 |