Malware Analysis Report

2025-08-10 19:52

Sample ID: 250703-gmtysatzhz
Target: 875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5
SHA256: 875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5
Tags: discovery, persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5

Threat Level: Known bad

The file 875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5 was found to be: Known bad.

Malicious Activity Summary

discovery persistence

Modifies WinLogon for persistence

Executes dropped EXE

Drops startup file

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2025-07-03 05:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-07-03 05:55
Reported: 2025-07-03 05:58
Platform: win10v2004-20250619-en
Max time kernel: 145s
Max time network: 129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe

"C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

memory/4588-0-0x0000000002320000-0x0000000002321000-memory.dmp

memory/4588-1-0x0000000000460000-0x0000000000461000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 3c7cf9f3bb85ac4eb465e276fc11fbf4
SHA1 71d759688a7548b12ee2c59288394e2986192f97
SHA256 1752d6f61c1f3d4ee64fd934a2601140b7124c1f1f916b0c5e3a21524c98f24c
SHA512 37e84d30fb671ef96a5c29dd00ead410eaaca93f961891d10cfb91d2041c06407da286822cabb4dbab86d8a561050c33a4fa2e79f8deb04dbb95fe3ddc277369

memory/2216-6-0x0000000000400000-0x000000000047C000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-4097847965-469305640-2969917343-1000\desktop.ini.exe

MD5 516a261eb7ce9801a124c03b4b9697d1
SHA1 3fb03efe41975c914d88ce88ccfc3ce8f35b101c
SHA256 b7175d561f9c731e2aec5d68e0fb8d5025887e996a5414393226d833c9bb5218
SHA512 6c9c1772286110be427eb83c9b8128600bb53ed7b6edc6512063e9dcdcb900d994266ef6db3780bac340ebaf139945806d3b6f102363e989ee75e43273b527fc

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-4097847965-469305640-2969917343-1000\desktop.ini.exe

MD5 5e2e6f6f3b5ea84e762221946aa7e532
SHA1 095475ab0a38ec53d42ecdd9589ed6671bcfafa7
SHA256 ae48bd1c0c8ed9507e103924dc9115291da02fec7eab71ee044b753001581ac2
SHA512 af0fd580a0a699b22ecb7a68cbb50c2fffb40bd06badfec1603196b0dd2e8a49ee50fde2d30520c2b229a96a707f7a9f26eec39de50a37bae04720342f9c09fc

F:\AutoRun.exe

MD5 bcc3bce0f2f2f108d913c7ebd542d4b2
SHA1 1e4f4e1cb4ae5538017734de6701aea66b54a4b1
SHA256 875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5
SHA512 25e2bf1dce1e78a8e2d5bfa90480c2bd287cd609f81d667243354ef4c0976183b4093bf69f350722b67f26c929e78101c297c617ae2b070d37d6874a38c30ec8

Analysis: behavioral2

Detonation Overview

Submitted: 2025-07-03 05:55
Reported: 2025-07-03 05:58
Platform: win11-20250502-en
Max time kernel: 145s
Max time network: 103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe

"C:\Users\Admin\AppData\Local\Temp\875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Files

memory/1608-0-0x0000000002400000-0x0000000002401000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 3c7cf9f3bb85ac4eb465e276fc11fbf4
SHA1 71d759688a7548b12ee2c59288394e2986192f97
SHA256 1752d6f61c1f3d4ee64fd934a2601140b7124c1f1f916b0c5e3a21524c98f24c
SHA512 37e84d30fb671ef96a5c29dd00ead410eaaca93f961891d10cfb91d2041c06407da286822cabb4dbab86d8a561050c33a4fa2e79f8deb04dbb95fe3ddc277369

memory/2876-5-0x00000000021E0000-0x00000000021E1000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

F:\$RECYCLE.BIN\S-1-5-21-3518521428-3897247806-4080064211-1000\desktop.ini.exe

MD5 c25c55a4c6aeeace3c552fd06f776900
SHA1 ffd6fbef881f1cf3f0df4e29168bf449a053ebc2
SHA256 c18a074e736385fa4c67684bf37f44d1ec3e11b66bee7731937d735b25c9d4e2
SHA512 f84d28b6c67df6d82e501ac049804b9cb51eacb3ba2e06da0e086ca6f0d423e6f1d5e0c2ec95e8218372cac81b62355b819429fb17a3fc8b31ff57a2067261f7

C:\$Recycle.Bin\S-1-5-21-3518521428-3897247806-4080064211-1000\desktop.ini.exe

MD5 5485c527f18e89a2f27e7e706b24f2c8
SHA1 0b1a30ec91f0341e04409362e773790920af0d8d
SHA256 b323a00a149d3dcb557fef29263fb38709c61ef89ca4e11477e3ebad00dfae71
SHA512 f3babffc2b6037f3b148d56b42c5fd6b75443906b9e248a6eec494734788a5db908de1bbfb40812faeac9daa61fdf0134d6c69cefed52281a915621e03015ea3

F:\AutoRun.exe

MD5 bcc3bce0f2f2f108d913c7ebd542d4b2
SHA1 1e4f4e1cb4ae5538017734de6701aea66b54a4b1
SHA256 875e744f0aec208add3cf41f52c4dfa27b720a514516ce15137cc67bb903a6e5
SHA512 25e2bf1dce1e78a8e2d5bfa90480c2bd287cd609f81d667243354ef4c0976183b4093bf69f350722b67f26c929e78101c297c617ae2b070d37d6874a38c30ec8
