Malware Analysis Report

2025-08-10 19:52

Sample ID: 250703-gmdlsstzhy
Target: 0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc
SHA256: 0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc
Tags: discovery, persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc

Threat Level: Known bad

The file 0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc was found to be: Known bad.

Malicious Activity Summary

discovery persistence

Modifies WinLogon for persistence

Drops startup file

Executes dropped EXE

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-07-03 05:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-07-03 05:54
Reported: 2025-07-03 05:57
Platform: win10v2004-20250610-en
Max time kernel: 145s
Max time network: 135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives


Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe

"C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

C:\Windows\SysWOW64\HelpMe.exe

F:\AUTORUN.INF

F:\$RECYCLE.BIN\S-1-5-21-155457276-1657131288-1088518942-1000\desktop.ini.exe

C:\$Recycle.Bin\S-1-5-21-155457276-1657131288-1088518942-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Analysis: behavioral2

Detonation Overview

Submitted: 2025-07-03 05:54
Reported: 2025-07-03 05:57
Platform: win11-20250619-en
Max time kernel: 145s
Max time network: 103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe

"C:\Users\Admin\AppData\Local\Temp\0ec3ad121fa08f7fe4d62a8044956ebadc0f677347e2042ba0877082d4893ccc.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Files

memory/3432-0-0x0000000002430000-0x0000000002431000-memory.dmp

memory/3432-1-0x0000000000460000-0x0000000000461000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

memory/5888-6-0x0000000000400000-0x000000000047C000-memory.dmp

F:\AUTORUN.INF

F:\$RECYCLE.BIN\S-1-5-21-3972667009-3658015838-2693993929-1000\desktop.ini.exe

C:\$Recycle.Bin\S-1-5-21-3972667009-3658015838-2693993929-1000\desktop.ini.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

F:\AutoRun.exe

memory/3432-48-0x0000000002430000-0x0000000002431000-memory.dmp

memory/5888-53-0x0000000000400000-0x000000000047C000-memory.dmp
