Malware Analysis Report

2025-08-10 19:52

Sample ID 250703-gl6wysfl8v
Target e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da
SHA256 e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da
Tags
discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da

Threat Level: Known bad

The file e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da was found to be: Known bad.

Malicious Activity Summary

discovery persistence

Modifies WinLogon for persistence

Drops startup file

Executes dropped EXE

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-03 05:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-03 05:54

Reported

2025-07-03 05:57

Platform

win10v2004-20250502-en

Max time kernel

145s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe

"C:\Users\Admin\AppData\Local\Temp\e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

memory/4208-0-0x0000000000590000-0x0000000000591000-memory.dmp

memory/4208-1-0x0000000000460000-0x0000000000461000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 d2a480c6b868400f6820f95246df35d3
SHA1 fe4df3542d779584c17e5ab5cc74e239059a6976
SHA256 ef22c37beaa9aedda067bcdc4ea2f9cd8c772736645b6393319ce5036565ff03
SHA512 c025c2784d7e7f41ece0a2296407e964cda65b2c3a7d595cc48d4098846002d66f7373c8d4d955f0c3d88a3fb5837c1079d3ee034550658f0e50c82899f67faf

memory/5616-6-0x0000000000400000-0x000000000047C000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

F:\$RECYCLE.BIN\S-1-5-21-1153236273-2212388449-1493869963-1000\desktop.ini.exe

MD5 db90fb5ae3d56777806ddb2735e169ae
SHA1 ba66077d95840ab03f25ceb1f85f315daacff373
SHA256 5c881c890f7b7a095b22d0f4f2a721e4c72572e7477962fd360a0544e09b0064
SHA512 54b0ac6c4b226b70016e43b173928f7282e9004fa49457e0a195d95eb864c2f77b95d2d28e99f788ef18a33763dfd4ddb4bcc0f2073ec6cbabceb59f2035be76

C:\$Recycle.Bin\S-1-5-21-1153236273-2212388449-1493869963-1000\desktop.ini.exe

MD5 3f12fafd46ef929e255bbe4c53a39afd
SHA1 856d804dbcdcd5965a7147335a6b03564684495d
SHA256 1fb34daf65424a736622f49f0b659657477bc9a7ab4b4cecf6f87ddd554d9867
SHA512 822cbe777f6bf0ab40c7627ed5454037400ad7f9875b1eb6c183d80d65c011b51ec4af3f02f726f1aaea4070c644d92357f0b09dac63a4a4b97381b48e834750

F:\AutoRun.exe

MD5 8bb0690b730511d5dcd2c33d18755f13
SHA1 2be945fd527e31b6bc6dd5f06f94ab4d68185c94
SHA256 e55c6262e8f49181bf533fc914a5b24f5beaf93815f619fd063bab57a3af02da
SHA512 06e0c2d744004da0124ad275ed5c47a52edbea4ddcecb2e58af55e9532193a5c3c5bd785adf126b0d530b283ab5dd7caafca92023685bfa354551cb08d1f9916

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 638ad1b8db37dacd47b326fdbb41debe
SHA1 c89d35b61a44f9be01422b8be43f0330ad043c28
SHA256 70be6126273d1e14c2778d5f86c777830d5be0f1bce11f9ba63bf937dce2d443
SHA512 0fca33acd9a2c6cc8942109712ed8c242248f3e2efa43ae14731448eab0beb984e80ea57ed6ce23ea7aec7a6fedd44738c4900e32a2c6c91dfd59f35959b5cd6

memory/4208-48-0x0000000000590000-0x0000000000591000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f7e098312b5c787cc34a1428b81e385b
SHA1 639baf51d8d60bd2b7a74fd2024faf6fd7bfc9e0
SHA256 ce97b29067e1b0f5affdf1f85238d0bc43f6509838afd63a39aca47dc8fbb3a6
SHA512 21b3bdf1f1857760cdbf2f3faf18da5530976966239e849db5440d30170be9148b5df2ce1dfccbc2f70f2318661823dbb5e0eb9f81ee275c4ebd61979f707f8e

memory/5616-52-0x0000000000400000-0x000000000047C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7f9804303e4db42b06bd48748d0e55ed
SHA1 b0a853125b89b6cf8d213616ae13ca280cc7c9db
SHA256 16fd5c9679a3b9074867013c2490a6b9e24680ba6e0ccdf1aae251d2045f7d76
SHA512 d63837224be3b94429bbbb378af063f601cde1a8ae8ce82f2e2c8f77bff74685b894cd276f24d86f8a966208d8dd85c247247e81fe627585ba0e2f70ebeb408f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c0dfecc2487585f33b784e37bb5c92c7
SHA1 d4643b4555e633420220f6e8f66b8e05c69032ef
SHA256 fe0b912b0706313f554f88607696793f1de5dcbe0ffaab71e88c5d79c817b269
SHA512 1cfc22be729a2591315d8ef36a4413dc8c0f452d51cbf5525a4ca894ae46af930d3f61c201b22d68b157cb1da15dbf68b35794d97e48dcbe2016573c26c0ef7d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 16cdfed4d8814d50e17248b91c1df734
SHA1 05dc0415c123a9d52f0cac4279fe55ec7dce2ec9
SHA256 3c80e54da47be455f22fb0acdeed8e19c77af701305b846a0ca2a49133a4fd84
SHA512 4d3bd06e68f45176830590775c17702792e4422035e9fe817ea6a70a88e5f9acb000312c8e1155a03f34546d8ef37ea4c9bbfb90f7a3c7f8287fb59826c1929f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9a6197ebc531081b624db73be8c196dd
SHA1 283771e636818cf00c90780d9c19db8a8acd76c3
SHA256 5d68015b61e0fe0b360e9cf5255468af7e012d1d96020910f123d2f2b22f797c
SHA512 9b4cbefda38c2eecc7e8efbb9f8c67ed51d09615d307554b3d73bc3141aea788638648f61c28b0579202b8c8a907323fce0dcdbce5587ac84ddee6833e6a5b47

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b22225de8f3b22d4b9c19b061ffafada
SHA1 6eb684503292de4c1c87ae338e9003bc2f4a77a6
SHA256 3b7155c7837632709af0ddf32529db82c195814bac0b2ef5e916bf3b25e1b9de
SHA512 5a3d6f69814eff54e2b5e5f5387c5b9553636eac827df0f38862ce5c8ff389599f583f5b0e510c45cc308a4ef66345f47a4ef07c52be9946a4a3fe5ceadcbf59

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d2e2c70407b6e2f57ca66e77d5109e95
SHA1 9bef8393c35b329044ed117819cd6c1f42081985
SHA256 41302f3517508e1ef7e8322f54b6c5dddc635e5bb17efef1cdf5f5339c2ae161
SHA512 999e5cc1a5675cd472465676ab157e8cb58735fb455a2fbbd649216a3202483eccd287f4aaf8823e45766b47f8d2656442d91249a283dc50ae8246e4678c1094

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1c37023ce41b20bc61f77174f0d9fe7c
SHA1 75cd7e2244f02cf8997328795d48e03c2a72b27d
SHA256 cba53a84c56b6202bee50420e16f970507aa96e645a28f2b8213f3c5ba8cc7e2
SHA512 d30ef49913a1841058662acacac19b26118a379ebd67ddae398a87e3b73efccf26d8564e80bcfbb8f88d07bb35347a37b60cf628bd3412c9b12b834b7a7886ca

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ee31d17acb2f4867fd6133a06db42f6b
SHA1 96fbd41e0af43310408f7b82da5280de82b5f0e3
SHA256 1eef1f77e253a2c4c185b3d9c229d560f83d6bee96f3149783b61528a3d353f2
SHA512 9707c8f19125763fdaa148b5d7497643076c1ae25a94e1cfafd8062a49c9db37b032c8f11eff247587238571c29bce4bd0f74d4667321042b5fdfec039b03d0d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 bee54f5ea9fc43b9648b20c618cd33ad
SHA1 fa6c4f239403046406d7d9fc1a99a7bc258fadd3
SHA256 9ddcd9c08de490aacbb1a569acdb5f012cb315a85c43b8414eb10834cc53a9a0
SHA512 0f5228fedbd70228f2c2f94c72e5400ebea67440e8bb59d1e8f3465653ccfc9e11846efb419e47180542160cea6c0dd5fed46d1d8bcf573ef282992a36408484

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c0f98a0dfaec3170b64339d4afd76ea1
SHA1 38eebe5eadba7b33a39ef3339035310d97515a4f
SHA256 287b2ccefcb20a592a8183965959984300e80eea3e824709c379b9e6647adddf
SHA512 d9711499bb038ad63b0fb62ec12f0f5823ad6afeffca5cffe5ab57321dfe6991bba7534e3b69ee2a90d1cf707cc50550bf0fa30463e0c6e072406d9ea6fbdb67

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 330b6ab5fe2c2eac69343b88f570996b
SHA1 3cdb20a94b355d124533e77654494f6bdebb4aed
SHA256 86fc9c7638d34874d08662748fe5419e0141a57c6a23d66ac8eb7f11d510ccf2
SHA512 eb9a3f3639faf13d1a2bf2f6f56e65986253b210fe51d31f49d20c53eeb3be77b94fc480215ddf436be0cdfbad2e9a4c06bdfd62382812e9bc2c03cf0b570b5c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 200950cb98c4a58dffda12824b09d13b
SHA1 5d3be96d3fca31e27d8afc1a2260f5c1cc19c062
SHA256 74e62a3d2214cc255c8e033069cb4437201bdb6adc1fbcedfb3fd5411686a17c
SHA512 47f5c57f102c67ef8d64378629f73f93dc63a0e6589b9fb6f6421a3682bed842c24997ab9890e564926868856c4a0596db662dba99b883737c471b2260508b43

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1ce9c64b4099dce0b8e5c095eccb525d
SHA1 9037259542676721192fa00bcd29c8792ec1647f
SHA256 d788e185490cfef3e5acf1ba0aa7376735ee6106637e59ce2c29d34a6b846333
SHA512 3c50b6a9b345814c48222766d37ae778171d68482c1072b735749104b137ae8fbb65109efdc8d9f9e1cbb8142d922bee75d24547cd57e981b248e1fdc7e45a1f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 629bc5eea2dc6f58e5a12c3dd7330da8
SHA1 efaa0c804c00850aec08b0942db57ad18c7e473c
SHA256 ea8df57d4ae1cac796d0f33b07ce22e20c3a40cdc353f738033bf31359174b16
SHA512 649f6d80f06e31734ba8890c9a417adcc4d6c25fe1a303d5d49806a2e4ad0953b85bfef69cf9a52c2e2c233f38468c9ba3f503ac5f4ac8dc2c1194d5306295ae

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1062b44a26473ccbba35b321ab284c34
SHA1 d264370e91db804531523c07a5bb35222483346d
SHA256 522c89af40c7fcb26e802fc5c866e48895817e2c2350a38c20ef864d36ce9fb6
SHA512 edaf374c15459937d5e5333c2e824c07476d04a813a3e99afb2da4de5733dac2573800a7f325ffc2b1faa4e0bc1dbde4007147ebe12081560e0af42e52f35230

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 94b1c8f48c2a095a17956938d47a3427
SHA1 94dd571a8120eb1188f6fce36b79f1e06b688beb
SHA256 803def76f814a417dcb7dee726b80c1fd211ad9da974e5b1664e04de895e9bab
SHA512 2762face67a5d599fa878565f1494cfd7a4ee662e48dcd6f704cd71890d4dd1e25e09cfa0127e1ac03c09642234ac4eb6ebb9cfe96bc791e8cf3c06b8711764a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 78e0af0de8e093b34a680730495ad2b9
SHA1 4005c47cf6483bd768dd228b51c1576e98957855
SHA256 ec1ecad548dd7769f32f1e62bafa22ca5ff95d8dadf6ab1541ddcd36bd8d4ef6
SHA512 9362a7afe8f271c8c16b770df666ef02ccfb308a4b9fe35e7b4ff54432ad4e6545fee4858b94104b34578a8cb00505261f5b2b5d8b4295dfa173efc8c722e2dc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8a0c34a8c95408cdeb56e64742cfe58a
SHA1 6f352759d866a9a5121d119df2fbb9db129ea002
SHA256 ec0eb1c6d4779b25a482dc8d48257b7535e69b73d9ec038521c5ab9f216d9083
SHA512 2fa04c0f77f433c9768eb79266d6473a1db977f71e8b37ddf620e19b2effd4f69c440553e2a703a598ee157234cf59d63c664801177a7d5765ce44c3e972f5be

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 816f0502104be96fd792fda7f3981f82
SHA1 2d8eef9dd220ccd7e3b46cc83222d1c8c7e75a02
SHA256 8474a302f1f4839ebdc6425fd735709811a344cc2b7b2ff83b07fa7da2c561a0
SHA512 661ecb95ea18f7d5098c33f209abca95a9203f04892fe34a9430bf6f8abd5a1c8283ba27646d723e4270128223fcd2830e611e7146525cb29cfbbd93ee08c434

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 cd0882c2f7884606b017515ccf8905df
SHA1 eede19183dd6ea8f85d974b8a65aa3a233d3ff82
SHA256 d024b490c6d4af7428321ca02c4b642881212a33afb4667e0ce89a82b58cd79e
SHA512 e0fd7d905d667b72c31594fd2c82a8badab8018c0308471ea2a8a00bdc4d3a14daee45c431a6bebab4d27afc44d172654695f2c3fbf86b4057bebbb07dfbc6b1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 79d0237a658c3e471275b42501918a8d
SHA1 2837858d47002c1dc12a7dfb9da5eb9f23a5b413
SHA256 b9996ddaa9fd050814e51d1be5fb760ed188328e2614b977ad751a65c7b21098
SHA512 8a82368adf6a85bc2de5d989ef67a14c249c2f765cd80397a9e7938e20aa8f77c6d327baea93dfffe6ad5cfe7786eef76c6decc996ee5e6e6874d237dda534f1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 106e6803e43d07f332c5437b99f8204d
SHA1 3b6f9241c57b59d2b3133dd14be09952ae55b63b
SHA256 5c41b29feaf6e11ab5ae65e3902a96c0f2bd6df5cdba034cb0144c809d6c2dc5
SHA512 824c852c657d2fb0649ba8b7ceca2ab5a79ff18cfbf02ef39a20dd3600f3bcc1085c1d0824f2f45527c4f367bd8346a9f9699db84c39377f1dfd06500e299922

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1105929ab64ff8305f908e5020960522
SHA1 e4d9b762130dce6b46e5b2290342dac2519c6951
SHA256 07ba9e4170f3765c4e990373d3eb0762d5e133f334adf415a8b82b29d3d5d3bb
SHA512 07c8de34e4979e14a975b6e63e356684a84142e74967e295a36c0e6d1e45d0949b99efdc6eaaab953863e29735830e91e4fb8aa282a3518d883e4d11b45b25f6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8143b95a084e36fbd64138ce050d6d13
SHA1 6e04603fac427d0fa43e2eee48202ce5b6f24ea7
SHA256 27c379316ef9e9f2daf021dc6aea0ded209bc97520faf49bb4732f30fb4b0ed8
SHA512 94f363a940fb1e67cd5cfb6938c581a1d3835711ef01a023a8b1d47512c9b38d9942bf489c8ae395b41a1b5d1fd9011b056f294653ce5e0d787bbb3a4c96f096

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3d15ac75256559aa60b1dae77aaf618f
SHA1 9d00391ae7db8fcd7db98a116a61a36f3e97e30c
SHA256 ce8e29ab83c5b2de85619ed3db5d980b5059b8eb915a1139dd93bad293eeda76
SHA512 552736f59680b8e13939810ec73df6801d8c53aab57e8ec3e76e753d5fa1dfbc1a32a0e90913a93da4c4f3a5f33f35fd7628894381619bcdf5707b1ca9f69ddb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c5adb42074d8abaf424af8191656892b
SHA1 c633cc302f1f4de9ca6d6df107db3b686007656d
SHA256 abbcb856f93494dc962ad4231ff367c8c7e9ee8feb65265c2726c3133d9ba725
SHA512 55cac13f191122a7478efabb5c1ddd5c911ef9cdad1681ad37aaeb2ec7bf22273c55a992357b0ae9b15742f1e820dda4ef30efa534acc85c25d221ffb24e9dbf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 59b61c59341bdb572e79e2f3d0248aa4
SHA1 0116bacc0a67df3639254f205f409b341abd9c8e
SHA256 9e406c183b3ef70dc0f63ee5ebd2c7c100482455d8e04202429567d763d7fc51
SHA512 5a1ea22a2c1dd5720846550b1177eb0600f238891c58789137e6f52bdc78bc09d8bae35f8faeb7bb13b6ecbfd4967924e39029d867ad665acefe29c0544d8616

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f35bfe56960771a535bda508807b8b4e
SHA1 ce17c4bbade11c1647e89058df40d07748d9d75d
SHA256 f0c2e226b1ab79f629ba203a44eb1f2bc00663c27d8ed0d8ff78f8bee8ea9ce3
SHA512 6995c5ac4c221a8f71a73ff900f5c56b9b6cfa127be28138d092d5a767c03c9a59f9e1e2eab7444170bc02402c584a9620b8a9a6cc250c7cd1546342f98d09e1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ab042815c2616791a2d31f221a75acd3
SHA1 9259b9f1591bea6f2909f9cc3faed7cecf5a4725
SHA256 57dce1b55f86ee87a88835ca21c8d915ef0a94ea5738711f84fafb2568e5f731
SHA512 1cabfe1d3eaa0375fd5ccc4277282423ca6503e21435a74850d8cc4fa5c57928540867a43cca0c9bea715b21a43faf4c00cac89d3c324c100616f4e3d6efa600

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4ca49c9681e13156eea8eb9bc5c4fb18
SHA1 cf87ce12c20abec8e87e909e025ac500f51b51d3
SHA256 803226dd7deb25c420d44a9fe7beb3ca423a0a704610bc6fbd3d31fc9279fda4
SHA512 8e075776a5abdc95b6c09864a7ce72f4d0699d16a963f60430395751b336e5a2929bf85381c5a360a8b688b54b6f64fa627f9c65489a27a49d9a2457d92a9a32

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a30d9ae2fce38a44762ef3bd37febc72
SHA1 20a7911ac84af14d6e3e6eefb906016a2dadcfff
SHA256 e6b66dd441a4679b7348276d74748ec7f9d2ebdbe10a774acb580cd390e67b65
SHA512 1d3d78bf81cb8765e89552a6bcaedfe6807e8cda1f7f443ca026c5c719312d69478773b6038f0b292ee18563e28bb24fd929e4f7ae57743f230af03e2413e6da

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4a0f6d7cf174213492e25fc18570b3f3
SHA1 b81d7d86efdfd38b0beba8423896fee6aa087db7
SHA256 4e20a9d5e8d62bec99d638d25312625a487fc9e9d39d76d75cc53fb2419f4f23
SHA512 649a06f919ec2d6928dac96e7872a76630e836c2378a5d8b340f5ffc45788f3eecb7680bed81710c9f81bc199fa7ab4c611b5cb63d75abed4dc5e7a3decffc57

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 874e0740b579d692ce3a1fb28e0e3311
SHA1 5bd8e7729ce173fc2d9f2cd3725d618858d81762
SHA256 b2dea2241dc64315fbe8c7e84db9632da5d2664bd55f8f6c103cf5efc00d488a
SHA512 c02fa04760c883311c44f78e209d7c571ae0d1281623102d4d88bc74aef03284873236d0e1fb4b86f1e78922a5cb3aec013fbc65715d5936d0d82bdc576f53c9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 27f3866119d71ea347ac8d77b70aa4c9
SHA1 486aefe3d79fbc28101be2ff98f813a5b6a692ec
SHA256 bf225a4cb8be7e9c4a23d54705258e36ce502e763bc59a1a6a28f9558d911d0a
SHA512 ae60fb5f1b123b2c12e2cf25a9baf14075b734be2c0612ba87859a54b1cf081782f7aef38cc1d9c12e8b47422852a3e6b3cd4a219687f1aedf2e0e94fd276cbd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5785940df1edc388332131c9901f537b
SHA1 5c6eae24a4fe1b9f5314965950d543b442548abf
SHA256 b6716f00da5367246c176b740a7b3dd5419234393d54480f3597bb5735a52ba8
SHA512 d65386c80e9e3254b2e0e6ec36fe94d2a6a38e0b203cabca47b81622bf4c1cc13c97f1c01bb22156e45fb04234227ce46c418cd089be3afe7f54e8362344942f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3b11d52a485a9ab6a1c4a777e6875a50
SHA1 55a564142f745005571801da9b76021a8914a387
SHA256 1ccecd8c0af473d069501380b315e0ede61ef9b633ddb56fc4de550f8c8c532a
SHA512 f0f4c1240c7ad332ff19cf58ce993a2a0522faf898dc6ee940ffceba28d8acd2977ae86df6fc88dd5ac8c471d2d5cb83f8141678aedb8ae0bb19f0162b02296c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0b7fcea7904af00719c527824b33382f
SHA1 4b968fa0af1cfc493c4eba20943cd5a70e0d90f5
SHA256 ff930d9ded20f000c3de2e0aa6d07130b0a3357da4f49175c443cb6d66e0c098
SHA512 636046a7ace6614d565044784c7a5aa3c34509d3e7b625f00d56273a85b3770c22c9d7ae3637771e4c0ec35a7c9fa116c8c4eb2be8ebcef4e04440c1ede9a4b0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 43c4d93371099cd8b6f1544ea3aeeae8
SHA1 7655c422ff53a06d569c4c2987109f6777607404
SHA256 9d3cd553b3213de8b3e9b43d5a92fafcb7a6266fbcf19371c7196d4c828ba301
SHA512 76cd88ef700c88495fe6f1e7a7cf8b8e316e5b0179416424a448b8cd44720e1c3e828a6c01a299703da43e1736135abee0e81e13212b703a9b72ed2559beb420

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 84ea6ef75694d0ae08fb0b1fec9ce181
SHA1 7ec116928af268f48f19722c4cd69cabaad4b9d4
SHA256 a1e8ad251ae39f072df2c347dd18e8552e8a9e8255cf5751864bf5171db73879
SHA512 25f78496a1fd7b7e668088dc065f4fd029eec1e0e1c1f1f3b20a4baae15d21f5f7ff868790b55be64968838651d159aad4b7a4e95264f7041082c1b25ef94b92

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 bf2d2be8c1abdd3ed61f5644a6dbd8ea
SHA1 3ececf39e8bf04273659f595e85c0023d83728b3
SHA256 c35f85efc84f1d3e2ac728ecf885739a0e6278448c6f59c8c71e739926795dd6
SHA512 607be1a86aaf1cb3f860664525299cd7f8d994c562be904fae88e8ba6612e2a63d617f68d864198c7a31c35913684bf347906c26b4ae54a06d51ee5e73067b3c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6ab5239d2e8dfa73f258292065982cc5
SHA1 bb1a98a6df84ee3dc2ddc2ad5578e688be5eccdb
SHA256 257a68bb326e47a160667e8d17827f8b42bd654a68abcd73f34a0cf420a903ca
SHA512 347763f72bf173f60f1586e9234d59ed00528c1d52560deb178f93b5b24be9ed42c64b226bda5025df0b7bd9d73d9d25264a68c6920ee2bd623a7bae5e7d3237

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 258ea9ecee8fac2f3fcf9e20bb0bb696
SHA1 881cbce7279cb4fae6ac5ad02c7caa73a35095ab
SHA256 cc9933fa2916600e5e6f55e73fbd980f7bf7928ce866a497658d7ccfcbf11ae1
SHA512 5bab4aed6a4bb76f76c7e0f855b05831e4f1d79cba6dd2eeae7920148ce8230e644ba7c4f6bc78ff10ef332847ce9716dd0fb32d74faa93df6f97b3fdb563c30

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2761fca6ccb07a898ac2f11f54320571
SHA1 04766450b8a3bf836cd9ad75746c21cbc3f5f59b
SHA256 10f229057b2c0cdf4e33f9090e939b5aa4278aa7974c6bacdc7705aeafc26b93
SHA512 efa529c65204818ba4a361c62da5f8769302bfc3f3e36ad1fa4960e4c5c84c233b783bfc0d418ccfb3a187b473c673a76bcd16f85912de2ae6661d6033091ea1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7c19b06e25da618ce97011877ece7b54
SHA1 163aa50115da28ec2d888dbeb36d511bac703321
SHA256 e936a61a11bc95d8b13e3b4be618613a1b84e47815178f602a567ecd57aabc7f
SHA512 0c2f4a8d7c23e580af6e65852e79fa11b9628c895e07ac9a3e3014091fe4d789db598f63f8ee75985bd3743ca9edb8f49c47b98c599a912459a3e80ca188c975

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 db22996293f6e4d99601b654e8ca39e7
SHA1 604253c09135828c0c84709969f559167266a9cf
SHA256 3641a0325f3b85a7612f5050e119b6739f754a0cbdf434721597af63024d63c1
SHA512 58a39725f14d77570274e4f7c781ddca22a77d1e9e6c1dc66261bec45cfbff09d8dc113e0ec35671f77e5882c02b164700d4600159568f101e334a3c1b80470b