Malware Analysis Report

2025-08-05 14:40

Sample ID 250703-f45aeavlt7
Target 225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94
SHA256 225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94
Tags discovery persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94

Threat Level: Known bad

The file 225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94 was found to be: Known bad.

Malicious Activity Summary

discovery persistence

Modifies WinLogon for persistence

Drops startup file

Executes dropped EXE

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-03 05:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-03 05:26

Reported

2025-07-03 05:29

Platform

win10v2004-20250610-en

Max time kernel

145s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe

"C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2025-07-03 05:26

Reported

2025-07-03 05:29

Platform

win11-20250619-en

Max time kernel

145s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe

"C:\Users\Admin\AppData\Local\Temp\225626c1840c1d19132dd5631bff1580d16ffeca6a0e5b7d4ef85cd712282a94.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Files

memory/4704-0-0x0000000002420000-0x0000000002421000-memory.dmp

memory/4704-1-0x0000000000460000-0x0000000000461000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

memory/2704-6-0x0000000000400000-0x000000000047C000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3625340254-1625357543-1797847221-1000\desktop.ini.exe

F:\AUTORUN.INF

C:\$Recycle.Bin\S-1-5-21-3625340254-1625357543-1797847221-1000\desktop.ini.exe

F:\AutoRun.exe

memory/4704-47-0x0000000002420000-0x0000000002421000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

memory/2704-51-0x0000000000400000-0x000000000047C000-memory.dmp
