Malware Analysis Report

2025-08-05 14:41

Sample ID 250703-f52kxatyc1
Target 0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545
SHA256 0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545
Tags discovery, persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545

Threat Level: Known bad

The file 0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545 was found to be: Known bad.

Malicious Activity Summary

discovery persistence

Modifies WinLogon for persistence

Executes dropped EXE

Drops startup file

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-03 05:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-03 05:28

Reported

2025-07-03 05:30

Platform

win10v2004-20250502-en

Max time kernel

145s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe

"C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

memory/1496-0-0x0000000000740000-0x0000000000741000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

memory/3916-5-0x0000000000620000-0x0000000000621000-memory.dmp

F:\AUTORUN.INF

F:\$RECYCLE.BIN\S-1-5-21-3951986358-4006919840-1009690842-1000\desktop.ini.exe

F:\AutoRun.exe

memory/1496-46-0x0000000000740000-0x0000000000741000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-03 05:28

Reported

2025-07-03 05:30

Platform

win11-20250619-en

Max time kernel

145s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe

"C:\Users\Admin\AppData\Local\Temp\0b8125c18b46f26661993d615034623e812ad27bee784e2db06630021a798545.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Files

