Malware Analysis Report

2025-08-05 14:40

Sample ID 250703-f5ar7atycw
Target a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943
SHA256 a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943
Tags
discovery persistence
score
10/10

Analysis Overview

score
10/10

SHA256

a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943

Threat Level: Known bad

The file a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943 was found to be: Known bad.

Malicious Activity Summary

discovery persistence

Modifies WinLogon for persistence

Executes dropped EXE

Drops startup file

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-03 05:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-03 05:26

Reported

2025-07-03 05:29

Platform

win10v2004-20250502-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe

"C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

memory/2436-1-0x0000000000460000-0x0000000000461000-memory.dmp

memory/2436-0-0x0000000002310000-0x0000000002311000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

memory/764-6-0x0000000000400000-0x000000000047C000-memory.dmp

F:\AUTORUN.INF

F:\$RECYCLE.BIN\S-1-5-21-1153236273-2212388449-1493869963-1000\desktop.ini.exe

C:\$Recycle.Bin\S-1-5-21-1153236273-2212388449-1493869963-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-03 05:26

Reported

2025-07-03 05:29

Platform

win11-20250610-en

Max time kernel

145s

Max time network

42s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe

"C:\Users\Admin\AppData\Local\Temp\a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Files

memory/2000-0-0x00000000007D0000-0x00000000007D1000-memory.dmp

memory/2000-1-0x0000000000460000-0x0000000000461000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 3c7cf9f3bb85ac4eb465e276fc11fbf4
SHA1 71d759688a7548b12ee2c59288394e2986192f97
SHA256 1752d6f61c1f3d4ee64fd934a2601140b7124c1f1f916b0c5e3a21524c98f24c
SHA512 37e84d30fb671ef96a5c29dd00ead410eaaca93f961891d10cfb91d2041c06407da286822cabb4dbab86d8a561050c33a4fa2e79f8deb04dbb95fe3ddc277369

memory/5808-6-0x0000000000400000-0x000000000047C000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-903960561-1545645218-4290906778-1000\desktop.ini.exe

MD5 1c4a01b5bfe3ce236ac4616820d734f7
SHA1 288a0e21fd15d63aae83c6a98979653f287388e9
SHA256 8e3bd7240b1e22599e3d19754c7cde6a130eca16bca42f520b9e19da6c99bea9
SHA512 f78fc678344b3da7e3e4a25f44d34cc185632c686b536b41751c15c607092af0b011d3d0c3cc845e3e795a3d5cb700f97dcfdaebf0bf5c6b96437da64f126482

F:\$RECYCLE.BIN\S-1-5-21-903960561-1545645218-4290906778-1000\desktop.ini.exe

MD5 1c01889b2e55b0b4a615f8c9f9c245e4
SHA1 07e77cbf5a7c3a81724ab6d7fc443112b8b2f2a7
SHA256 531cb689572780747e411f61bf1b8f2a26e814cabce51f43c3cc77646d253fb4
SHA512 854c5f17ef59575999f377be96358cecaa953d5f72d4e97dec0fd5bf4d7935aff1ce279b4ed3d17b2453d4c229925f110a92a6547e03ff2555dd2548898edfb8

F:\AutoRun.exe

MD5 eafbe162e08d83059547aca5b50c3143
SHA1 502409915c2d68f34a66d7d10388e69ce10ecfcf
SHA256 a73f476e62636c6202edb3629fe884ddffbd48b693df906115a61bcc27756943
SHA512 1b5351450276dcc863049a7439ab1602a3de35ae57eaf41d1d9567294f90bb25595124633a109243f2859b966fd1b23e45c485a08108055dc02e9a23ac490b76

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6c94142c9b5efe1344a649aeec916114
SHA1 ebf39ab605d1f8a1d1ed79457967d60cc4b15f8c
SHA256 9b9214a6aff13a9abdcb13cc908f4b1d6d832f4b0b238763cdcf9b3bd8656e93
SHA512 6a0fd189173dde707faa9808817a84be5a9308323cba5fb1e88a6931c7167f7cf227b0ce1e917d24784b6fb39fc091a952a7c0cf97f8a79f721e4be6d3acda63

memory/2000-50-0x00000000007D0000-0x00000000007D1000-memory.dmp

memory/5808-55-0x0000000000400000-0x000000000047C000-memory.dmp
