Malware Analysis Report

2025-08-10 19:54

Sample ID 250703-gnekgsvnt2
Target 1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121
SHA256 1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121
Tags
discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121

Threat Level: Known bad

The file 1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121 was found to be: Known bad.

Malicious Activity Summary

discovery persistence

Modifies WinLogon for persistence

Executes dropped EXE

Drops startup file

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-03 05:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-03 05:56

Reported

2025-07-03 05:59

Platform

win10v2004-20250610-en

Max time kernel

145s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe

"C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

memory/2636-0-0x0000000002200000-0x0000000002201000-memory.dmp

memory/2636-1-0x0000000000460000-0x0000000000461000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 f00c97ff6b429e518b3b1eaa5c072d4c
SHA1 951dfbb4f8b4ce25ccef61bbabf450c4a11bdc36
SHA256 3bc026023f0d9b85e3f3c1c6304e24ab83076136d5ccdcdf857f3f7d901b60d8
SHA512 676b2b57d517f22f7f982696b8324f27583c8dc13a3028819c230827021b54f64e2cc7ac24793f12b78c1c0a8bc210bdb11a7c8b570844a1f70903e9a04c45ee

memory/3132-6-0x0000000000400000-0x000000000047C000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

F:\$RECYCLE.BIN\S-1-5-21-3001560346-2020497773-4190896137-1000\desktop.ini.exe

MD5 b11b458e9a9655ff0cd8435b6ac0fa8d
SHA1 6a7fc501f077753131cc0ebc02aabf0614296bcf
SHA256 c4f6dbe6d7c041de106fe7d0516ab691446252b1d78566dfb7f587aed8117871
SHA512 cbcb96eada1432e0884db65283258eb99b68a7a87e2c4bd21d00066630d4bd6831250ad48df06728d7df4412911b92240ab7d78f62686a03755152d3f4f1c7ea

C:\$Recycle.Bin\S-1-5-21-3001560346-2020497773-4190896137-1000\desktop.ini.exe

MD5 0425c89be72661ac4fec218da2744e7f
SHA1 34d3941d7563c4dc6f8883e18bb6cc9b4a2eb6ce
SHA256 e1249ef47412f799cba91e05bc1273ee37b0a136cbef279ea88f534f0de9030b
SHA512 820b83cf2df49a580d1ee09c1f909252a1b0eea9e0cda2d82a31b51463d56a1cacfaf12fba11e606aeef7eea426bbee90ad3b4ebd81d67773198cbb242abccc8

F:\AutoRun.exe

MD5 f52056a9c6848d2c7e3d5b6fd257de56
SHA1 19f30ea8bc3d5b2abb9663e80d60e767d3916bee
SHA256 1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121
SHA512 0c6741ce04df021c6708c8362ae98678ba9ebff099fc601a5f31a6b7d61ec40ff84b25673283ebeb6d85e4fe6be3afca91b63cef10f4b4382591b80816fb1101

memory/2636-47-0x0000000002200000-0x0000000002201000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7a93752ee523a53b2aaa7ceb20e1dd64
SHA1 93fb30b127058d277e96daae7fc6ee950ede0ac1
SHA256 74a08dad9ff88f55b273bba356662df4f797931d982e6d595800c3b5f86d8a7a
SHA512 f5a720e52e4931d12bbbba1e9b114cb62840588aa6d7dbdd715545c05d52c3a6eb661bd40aa9ced4f7b50ae77a9caa268511dfa1b0ced69fd88cee7d55d0fcd0

memory/3132-51-0x0000000000400000-0x000000000047C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 085823592d8257ebd06cda0028a89932
SHA1 b4c41ad5ab01cac0c3743c53cf0f3186b3429c89
SHA256 e01e4583fabfcd7f958d1a5bb4f66bbca850be086b2abe1a9ea1c05a05c1b5f0
SHA512 128bab57ce73e3928d3c71ad73de36e0a3bd4d3f050a056af47065119e9ed789b12a36d6d5e54644cb1a28ad82b0f48519abc98b64dacd766456c540d2017367

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 56c67c4aaaf9964166b2018771f3d2fa
SHA1 32201b52b428a252f4d638e7f8f6287ac8f2856b
SHA256 0344e106783f2a362d82e282c8d4972f2b5ac1077d040b56b78635a809803672
SHA512 82fa6e686a8a665d22e341e4c7e667ca8c1aa63a32a5e9ab77ffc173cd87e306222809dde9825c226e6803b832461795428c160f8bb3f12a2425642edee31786

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 40cd1e0eb4a381f8594d0fc8d253cda7
SHA1 35038eb8453bc540506737ce5a9b9b75a409331c
SHA256 e7bd0752c474a270d7abbf6a78ae44b658ddf0ea2839a478221a35da90282299
SHA512 b748dde43cd2a7121573bc898ef4de33d2abce5b24e507e2faa5a7d4f6dbd616b3f9a42ec0cca2660c585da98e69f56fe9b0f0358f94ba086ceb1534f25d9dcd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 85deee4a4cdeffaa602be9f09f036bb7
SHA1 971680b913eb43e1d43a325098a0ce7b7951f9a1
SHA256 c06d3ae9b3b7001d639dfa07914c13b9da095b5050ab378e929dacb5dfe87ed9
SHA512 664ae8b74ece0f151ce6735e9f4ad80f1cae5b7822dda72e9b510f0b48ef72e318129889df7f1a7137a8aef1fb4f350b26d708091c29bdab6c8848274baaab9c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 93de22720330a9281342dd32775a3492
SHA1 3023c23f4bca718e78b65d2519c27a7067f3a402
SHA256 460f25f6533d8d3657f777eb7afa7058d8efa02a0bb5ce1163f82abd62552ef1
SHA512 e7e86f3b0cefe430466264f7798163003f6e85bbbdfca39454e86296d3e2a05f86e8ce67314be9d8398a4d5b757b40fb35cb57b70e859877f384dcee55a46fa2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e8e7440c3cb929cfacc3025ccc3fe4b8
SHA1 b8ec9ae8ee1e43abaf86e5e0bb1cd921a277d44f
SHA256 8e1d25395cbd83a3373191f1983b6e06d9effc95ae037455017fcc16e216082f
SHA512 73882e42418f6d8e76a4e62cd62af2aee79d6756ec1fecdafd762d95ee3754c5351e28523dcfe01e298b847f89e346fd128c31410cb83a05457b059bd3a460e2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f02c90b8b478a7187a26fa0cd2e24970
SHA1 586ff03147140a069ef040c76d482a8e7eefb6cf
SHA256 7c1d91ea96abbdbd139a1406eec87e267489148c1f0899461397a12f6f62f5cd
SHA512 a965b1bf5134e9ca94435ea1581f808d1ed4a1855ee3658fa5ece90a8b31205e268f4fb925dcd3a38278912c9ca7eb5803d9ca15455d63c2f1ebd6baa9977e78

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a462a4c9095a0736d81afa9b829035f9
SHA1 8da80c1ae611d26d27698fc8fc9e0660482e09af
SHA256 a7066e9fe80d930650e20bf142340482cc0b046f3440885ab208bc9adc843116
SHA512 e4c23f6763fee7eb0dc26dfb3b8f342f8d8fcad483ea8d700fce86ac60acc98ce30158a24eb7c73470cff667a1a4368ac9ef434805da7743c234b17ae6b3aa29

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7695b2b5fbe3be2802190e0aa9bd3264
SHA1 541b97eead6855fc790805b7948d331e6b45d2b6
SHA256 62d6abfa4283eb1adbc3fcea8a4da7afe8577cbc771bed04a8701132bf7f7993
SHA512 495801fda5e33b1c975e60de898fad64f636fc01204bdafde9fd2fc6c55d2de776410ea145559c454a254bec7ea1490de3c39f4b413c45f207056e2b16042b46

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2c293a62711fdc9c8700fdb324cdcdf6
SHA1 4f7d3b7d981335cc49390a31f61b3b671f256fc3
SHA256 e22cd3ce8be0e3f7b34a6cff57209f5f48d2ef7aaec3acf5ac20d303fb271d67
SHA512 1c5831d3c5a9c97be5da97bb8f649d92c16258f1ba1508d251373f34b9f38b02aa7d727fdf3502ee448a84c49208bce3fcd21ccf843c67aff2c7513d5600a9a8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 31a411df7669fce1370c2868582b7539
SHA1 eebef489d3a575e4ffd85a0190c3d4babbc9c37f
SHA256 d3708f751d18891b03866b5030eb478c80ca9f4c48bd5350843f60af1e0cc29c
SHA512 c7d71ba69897dfddcc664e21c1cb5a2e4d16265442914c1b36ae04adb87abe0e3784cec6b8793ce34ad9be51c06d9e05f2c44c5934c79d4e82761a6a747937ff

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2e630d87bcfb2561772346593d56b7b4
SHA1 06d2b59f073193dae3769b6a1304628dc0c156d4
SHA256 5c99a55d52c88e5c7f1129f3ca9624ff208d486fc95d3d857205cabe95d4ee8a
SHA512 af300c24148e8cfeabb3ea8df6918394b12a2e05603ec2e4abf318210a9ea119f6e3bbed989f596acbf04acd6a7b585e7012f3cee7bc6e4d82b5ab2cf430851b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c7840f4f5b7b182d69f2b20548564558
SHA1 5530f4182bbedf265ff37867a8d29ad0e3c6afec
SHA256 345c5ec392d2e2347a43ee426e1bb52982c565372f881e2917d86c1bf80f467d
SHA512 9234249651b8c472a0a4da510e5e4b6728762bc91ac1d0e618659c45dab80af50866d6c0f2d1d382df6c52d242feed067584157093cb76147a3497f684c3bc6d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c56ebb549fd9dbaaf88c401cbf21d351
SHA1 f8c6e1703e8668eb0583d34f700c32a8e705ba4c
SHA256 5cdedfa8840be3103b898d50843c7e6a716c9b50821142bc4d4a4a1943655453
SHA512 7e73f4f1d90bb4545737d16a0ed24e200dbf3febc1db91f8b3e98a0bc2acfa259eae8b50d72efbf40fcafc1bbb915a9860411e7e8cd261ec3eb0b4db7dd7f670

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 edb11ffa01caef559cd0e602773aa9dc
SHA1 05c34679e21d988822b008f724f3189fd051e200
SHA256 7212b5be2bebe7def0830b030ade37281fd94cde18ad082bee4fb4e1ab74b0d0
SHA512 5c6aa369a6569de7fa98a8d6f6b0d4698260889e80408acd6f8cc19a3441e1bacc2b4ea7eadd4b1610484f66822cd57ff63de3e95e68ce7ab16a1fdd9da8b49f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4ab4ff5f6ade504ed265ce231f46ccfc
SHA1 23bcebdf374ac61ed9e6ef92fbdab865dad38b6d
SHA256 7701c421ca6a2521ea24b997a31fc9445d8dec00d109dfd8c27bc706bc8fae30
SHA512 c8cf880744246f76f85fb6733b9689b9583cb0695219ac455ebb2f35cac6b6d539f4d7bb7db1ac9bb0ecb77715975a1f059e2e7aa5050f6c78862a85ebdd234b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9cc3235f8b57c9163f50c0811e200001
SHA1 77612cc940db295cf3e5f829562a34003b4bcba2
SHA256 bcabbdbddf7b85e5f1a6c0e38d20ccfef5acd384e91382ed3d6c74dcd618e875
SHA512 b68119ae0cd7f83f53cb5c59c972d7eec5fc7b3f9981f0f3b9413e8e6caf5ec30bdebeca8d662a12604fae7c9c46324d27cabdc37f5fa0a777e98374573db5ae

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ef92c4bf144b5842aed735381a0c2acd
SHA1 e3b14f34925484e4367f15ad9546dac750216b90
SHA256 092334a990d2c1ababc0eba74b41d28fe0a161c87a2539a590b386b8c0c07572
SHA512 1657b1c3d018de6ee1a25f4a7f677fe66b94392fd050f47846ac851a6e42b13ff0c9fbc8fe3c349a3c9ce4f3b688d706b6d975a772ac9cfb9b46fc2e107b1394

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 83b9fae508e97f9acce76f37b276afab
SHA1 6c5d4484d492b01ac283d1c24cfde4193a8df76d
SHA256 42cdaf84b02e600fdf40719b6e32085d1197ab53bb7199daebd407ecab5fd4f2
SHA512 ac4699f4a35647407b35331c69ce65d227e80e51b739fc3664441e644d82a962e5bbb202a452f9f7ad0f2871cbb5d86b8081558a411044770234dcdf73f15828

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 473bceccb516827f4a39aa483a4598a0
SHA1 91848128cfa986987328568c624ea13ef3d01898
SHA256 5eae1170731300ff09cc0e3091c719459f72fac3e812a97a1421b6c2227eb1a7
SHA512 79de3922b71e5fa9d13668777ae5cf279113e5727819cbc870354a73d05fdc3de23043420bae334aebeb74685846d34656980dae42bdbdaacc60f3f4d9b289ea

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e05838948e5bdd8f32dec0b8952ff3bd
SHA1 12484d9b2b00e337f98a31c273bbb632f910117e
SHA256 1d7fc69547547b19d9bd0aa87967b0b21e7033681cf93ec272573eec6016bd64
SHA512 c170c33518fde4310c92a80aa0aee8b2de4549cf20e4283732ad4ac161b3536e4237aa2ee768a4204694eeeb79fb2bf2788fb4ee0f81dd5e0ad89ee965373207

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 aebb3169a1bb851c6dc2bc25e8498897
SHA1 015a7d37b8acba79526db175920eebba32badd70
SHA256 b8dd7687a5dfe9cece4df09096148e28a9a8c9008be05cd3dc4b8ef9fed55226
SHA512 377232a7afb250231b4f15dfd777e57e773c913feafe17f9d7062fa25cbbf72564e16e67a7887bae258a65d9b43bd02676c5bc0754474fb2a3477643debe05bd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f73148a1b55ab53844cabd1c68d5a4f1
SHA1 89d6ef02bf82c6faff9d51140c2296c54a0b175e
SHA256 fc721d58185fb27ca922d31251f6f25eb16e668a9b2e0401d5bbaec544cf1389
SHA512 62daed53afc6ff5e90c02e1849acee82c8b5dc26e082441bd36688130b403431b1f386ce55872f8d4ffa0dd4d1d6021af9061c2f7d6f457d2a74c71d33972d35

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5f9ac7dce8c3077f0dfc5ddb52ba1a61
SHA1 51e35f5e592eeb22c9a59997329d19281623e403
SHA256 e8626676e27797184cd305c330b3e470d93f5db85a130ee686478e736e2f8710
SHA512 d0a6080f4abd2c11bda1407ff3a02cb12f326290eba660119ebabcd71cd6b05a375abe36907d69e6aab7fe5010b5e7b17d90759b63b4120f3dca1ff7390926bd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0d0ad65795211e1492a79443fa59326d
SHA1 b189973fbbe24cb0939542fdfcfe6a72c840f27c
SHA256 0ac55e5630560183c477f88aaf9dbe073c436f8de5cf7479dc5276a10d23e680
SHA512 7c287482256bdb055eecbe22f2bacb7c5acbbdd96d1c0ca96d714a027cf5d0e42a4ccdf556c344e6dec1684ecd74da8d42566bf4905356e6b3a25e7710d12d99

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4c7c5b278be096471f504f58d8613f77
SHA1 d4342588a87d9a1834fae29922c82539db0a8201
SHA256 29cd4232ffbb78bfdd43677cdcc98324ac7bb363cc3dea77c806136b5de24444
SHA512 a8b6a5e280d21a9a1f98f938fdc327fb04855ba798448f94242571915b0f6347e98a6e4e7a84d29b586a7a1518f9ca802433670fcdc714282db3339b2aae050a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c022586947a8a9fe161720e5458e23d5
SHA1 48a1a5f4116a9a9f681dfeefa4075058511579a7
SHA256 ae73431b8e28de97c647ab9017d23ca7781b794606770a37e8a4787ab7288973
SHA512 2cda977f7b549b2d02e603a14d8808afd1acbd1de8267e137f408a3e91176c20c81b9c693b6d133206c47ad984f68fcbc12a983ec5bd7fafc5f74250b2d80782

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5d530b7071bb062d4942613e7b67c120
SHA1 626c5f58903ecf6fbf4680fcf591225706f3673c
SHA256 2a7e60e6c4abf3587d40dcff3f0e2b529727fec20ed2275e874b4c3cb29ce47d
SHA512 c321830cd8127947e10d597f2011921aefcfe812145936617fa090a077d0227aca457ee3b5fe867ff115fcb8e02829a3054078d4acd09889e051ef738d6e6905

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5ff36f57a7d8d6a308f1dbb74a248427
SHA1 96cb57576bf94d5fedbc923ad1c2a93fb7a3b078
SHA256 f221f71381dac8fd5b5ce9ef7adc058127cfc7aca3a9155ec8baa72bd3d15d38
SHA512 e4959faddb7e9256721a5f6ced95db0951d5f36525c2ee13789abba18656cefca8e6c081b7a9b9bfc65bf48b033df71ed48a6644e83bb7fe95c37d4cc46e9170

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 30b695d3675262dfbb694ee4814b3dc0
SHA1 26105d9717db1ae425fd1d1b49b5404ecdd2a5a5
SHA256 dc607769da98e15b461dd465cbf0961500be7215022a3a2ef73bd97737e708dc
SHA512 cc56f4096438bdc45eefeb9c3c020ab307236f17b12151b11a1608fc43c8d4cb0f41b53bbe3a6206785f5bfa423a43aaa6f7b33e41d047c6f4288b491cfe69c7

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-03 05:56

Reported

2025-07-03 05:59

Platform

win11-20250619-en

Max time kernel

145s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe

"C:\Users\Admin\AppData\Local\Temp\1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Files

memory/2320-0-0x0000000002510000-0x0000000002511000-memory.dmp

memory/2320-1-0x0000000000460000-0x0000000000461000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 f00c97ff6b429e518b3b1eaa5c072d4c
SHA1 951dfbb4f8b4ce25ccef61bbabf450c4a11bdc36
SHA256 3bc026023f0d9b85e3f3c1c6304e24ab83076136d5ccdcdf857f3f7d901b60d8
SHA512 676b2b57d517f22f7f982696b8324f27583c8dc13a3028819c230827021b54f64e2cc7ac24793f12b78c1c0a8bc210bdb11a7c8b570844a1f70903e9a04c45ee

memory/4716-6-0x0000000000400000-0x000000000047C000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-1418876453-2228697459-2788511057-1000\desktop.ini.exe

MD5 fae220733086f4eefd4b993c9ed9059e
SHA1 ebf4b2ba05c675df36d6e95d06c8ce3335d32573
SHA256 636f7735d33c6d7b57711e47cdd49def83fd7374abbaa7f332c4fdd458572fb4
SHA512 a4e62aa3ef29565b031be90a201814a37562eddfb4245d8a5ddb55b14d6545f3cce84437907e3cf844fe0a95fc484d829fbc67ac47fe751394711c43a6b0e744

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-1418876453-2228697459-2788511057-1000\desktop.ini.exe

MD5 d4e9a2c63a2559f7aec7d73aed9e4947
SHA1 de71c7e6fdf8f193ed9b176848d8c60efc84054f
SHA256 7659188e84dc79e930e04076ec9454b21dfe8a6b7d04bea2e06290116c4d6deb
SHA512 b7c566292415e4d2eea6d450dd1fc9e62df3dc6d83d109f27bbb28a71d3eb0cd20d81b58146a5696bdb1a3d922524a553d98d2f59dc025397a8f157974977710

F:\AutoRun.exe

MD5 f52056a9c6848d2c7e3d5b6fd257de56
SHA1 19f30ea8bc3d5b2abb9663e80d60e767d3916bee
SHA256 1be562090a847bca5064f982c79452122adb6ee8014ac1012eea45fa0dcad121
SHA512 0c6741ce04df021c6708c8362ae98678ba9ebff099fc601a5f31a6b7d61ec40ff84b25673283ebeb6d85e4fe6be3afca91b63cef10f4b4382591b80816fb1101

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2320-50-0x0000000002510000-0x0000000002511000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9a72b1073a26b6d284a3e0fc9e9da61c
SHA1 b0df4996659bfe161a9143ebb9998e60ad4b4bcc
SHA256 c133ccaa0b85eb8fde89baef058ff9c8342c9f62b1ef70dc4d353fb71f8d895c
SHA512 a65c65f4d36307a9dd32ea6b36e391101a7ff837f8818788c53766520c42207d69a820250964d0f4a8656b103223a071eecaac31c2ae839aa71acd595435cbeb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f1be8bca92e7d25a4d3a42363d47a342
SHA1 ec2a3e7c77f45c8ea6c0d8164f7c32758b322d12
SHA256 c30baa0727aa3075a03ac44231e240adf2b9a6defde170bc96c52f15846feec5
SHA512 a0cb029234adb2286577d3aaa1c238164de927f6322d2327d8c15bd23338d57ebc589791636539ba39089076865c70294f9b8f3746f89a118984dc3cc226c3a8

memory/4716-55-0x0000000000400000-0x000000000047C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8f7d7912d33e9a84cc725ea2bc4271fe
SHA1 19d058bc9722cd2b3c16b13f76cde49620dca851
SHA256 50e3a361e4603af1121f9bf4bd0507d3363cd6ec9b36e9c67f9e0f68f94e02ff
SHA512 985aff32f878b28636d06a5547a7a2d2e94cbd02f48b852f92de2d9227c8b6a22397931522ebcae5bc7dc3bb98d2416851c2c7c2c2c6019ab6b7412fca462a42

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b40441bb7559733b4719ee16a1722866
SHA1 fd39c0380c7a53fe80c7d1f89e1624a7826d325e
SHA256 d4292dc3246e48c7224f6e1e73b5230e5f4a29199b254f70f1f1aee9b38405ee
SHA512 fca9151ffc6b183b59acd77827fa5d5786da103eaad105fb1b723d7419433ebf9ddec2ba18f7b611cbd4841a3152e972a4f722e44b62c451d68528aa6b7ca90f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9554b68d651479ed6116285af989752f
SHA1 866418c6c72f9533e9299de2e4fa392fb0428eeb
SHA256 6e78419a77ff2ded126eebdced6e49b3c391c6d3f769041c018a0faf141f17ff
SHA512 1a91393ac1b3f6fbcff13fcc2451462ee467d7c0f6d3e4377655761e704b7903430cefd163180f46aa18c78932491695bf072942d877e606ca80bea493c4baec

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 64b73d19001b5874286796b0792217e3
SHA1 1292e3bbce8d364b8285de644d66a94cf8423791
SHA256 180c61d4701c95d6ed3bce35042d987144ae8b8c11a5a5131d4cb254231b48a0
SHA512 4615ef7e3b062c6de220fdb61c77c724ef49b57cfb005d4dcaf9777e71b95d93df8041742aaf2a37f2428f21db70fc8eceb9b791dc5690ae6c3f039c1e27fe78

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0af27dc6f9e48d576179e47c5ec42b1b
SHA1 1790cd80af1dfe962e3ed6c0ac1028d890893efd
SHA256 34c7ff2607cbebe254335310442b32d3de2bccc72bb094a02c8da97767e048f6
SHA512 6ca3faca1d148fd6ad35f8c354bd99b98e28bd45a59ac00b4442afbeba602402601dd32bc8f9a6aa1dcac1d28fe9612d350d5fc148af6861f21caf070c1281bb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9f54f9585dfd5ded389aac2039543f9d
SHA1 8b9fdb9e577dea4e38ef1901dd4195a3c062e082
SHA256 ade0920337194ce15467fcd95af0ff4c6e922c50810a6adfa0e91ef185075e81
SHA512 73c5cd97eb2c31524d6204ffe0baa9b749bf89b90e84ac91eb639620d33394de982001f2a643750cc1ea2a65348cfd609a3c70fe89b6d7972415f29974d76768

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 86533455f98f2a8a3d4367dbee68f8d6
SHA1 fcd007b9f7822ad7bea22eaef76207e3a049504e
SHA256 1a226c2283d79abba322f792d3142f872bc02a360fbc92c0fc143621127d9f8c
SHA512 a0370cc4291b60431b79fcd1876af814ea5a7d355b62b8792ab5e053b2f4f5cda3d43eec1e4b58f19d89d5b10436e4d81e8e78f3fc5b9974953457afa420003f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5f1e550968817c9be91eeabc391f1ef7
SHA1 fb5189d56add43dcaae5bd0485f04a65dca9c526
SHA256 84f1a5758a19c50fee331d52c55e3cda18dfa3fc24139c0562c2596ec072b2e9
SHA512 ab237ffd50284c1091f1af0107d1b2b91848ed1f041e880a2381f67847a7df8ff06b630fabe8a34d1a938f6bb4fe77308db2bd8b667ffd00f4720c89ce01e2df

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 89f40388e62e88afb471825a4200fa11
SHA1 97531363caa2650429712b75e26387395098d33f
SHA256 dff068fd886ae83cd1587a71ba6d50669d5e0dd9477588a45ddee1a6753cca9f
SHA512 1aabd7e915fcf0cdea4589a7ca426d559ccdee5128acf2ac691d541e197f70ac486fee7149050faa60a448fe88b57a36ae1062d52592967ba94ac01ed6dc9d96

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ff29d6720d9f08a38636563ee3830597
SHA1 ca9660b614947a202a4ff45ebbc5067e06fb6308
SHA256 fa35527662cf1fbd0cd24ec441b56ccb8f08763bccbfc7563d7e169f04ce7494
SHA512 5df7ad04c4cf5e65cdfc00a96912b9e60be58b5551fd980179244d45e7c0f7cffd1acf8a825ae37f3cea191523b1cd1704b007a1d8a1c6a9b8465834f2ed7d89

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ec46c4952ca37270af8e51ce909e459d
SHA1 a8e9cef4a36ef1a67aee29729bf51d5c92e6a83b
SHA256 992311b76327e8b5b6f91beae1590dc3a92dbd4052539cb1544bb8a831a4a272
SHA512 24517cae15d326c412ff3d92be842c480f8caa3fc7accedf2e4b5a8e24d15dfff928d3f18d07dabef74e057d0b734f5cbcd1b956013e48762d5ee00e32188d15

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 69bede6d81887024411c0d848ae82aa6
SHA1 33cf0ee34c86a26ada33dc52330550d8208e2945
SHA256 f344a6c3edba55332b9c64ca753cd7fe0f6057d8eb1d0d93f7c1a391cd7012c9
SHA512 480f3a4f362892e6cb63e47639b5ad76de0071cb4a620b5debdf1f41bdf07f1164cb4b145c9bf1d47806a7131e3315c3835b9d8aeb9f775f64ac8d6801864a69

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1deba71f191f442f36dc5efde78a8d34
SHA1 7efaa6e577a7e0a4272b5217181ffd6630439255
SHA256 fe817cf019ccdd402e48c841ec22bf3c7f10e8e9314a180a20214228e3cbcaf8
SHA512 f3080f77ef8d5dffe1c80993bd66166dce2c6c48b21c85f49a02879e357b0e011a592ba710ca07866a159ebef8fef1f0cfafce45f45e58007319d8e07af9adae

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c8489012c7bb23562447a33965ec9d85
SHA1 3fb03ca6e948d30c1ba67fd016aaf436b6805558
SHA256 4642c3e74c06a5842e7940c104d6e924a2e3ea736a039d15c25a2672a5ff3e01
SHA512 2cc7b6097da4b09c8e0b84e81640ab9654018c6d5c5f6ab677b72d3d804cf45c4ab63752e1acae27a2f9431abc7ef8472dd70893957e417909fa16580f2bd28d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5df80595190c9ca45b0b14a38c48d1fd
SHA1 3caf5843aa3681f1ebb9dcafefb05b0ebfae0084
SHA256 37138a79a0fb56e8f5a14d4bf161aa6184dc1030ddab0dc8fa64cb462d9318ec
SHA512 7447a7f867d59d03a639cac1fc0cd5a01451ca9f0156cc6ae8e870ab0135c450a6dd6a18eec25efd773885431b5177b18c710f9d9e20ba87dbe61622cd787cee

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9d6b6d65d091a2aaab66ddc8296beede
SHA1 e36413aa702b0baa749f816a5699ad1c09164395
SHA256 1de2925d2bf36f1f33349bcff03d6be775c5cd9007fd6741e3d45c4a26bbc4f6
SHA512 2c45fc6b1b8505063b19fbc34bf53f830d14b1106da17f897b3bfdca5be2b60585a01355d7a3f583401f45833a5fe44dd8777bf896119cd2c7ee093ab3e97715

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c4e9e2ae11e94dae6d44349bf800d7a0
SHA1 b7e471871844637f0be8aac67eb2011427810b0d
SHA256 889e22a74cecfa41683dc2782c7c056aa8c74e7777902b484fd06fac4f32fea8
SHA512 a5d0dc47324c43a584721d93912cdbb5aea74e6e318f845aaf24d480c88f149b4ea578f88f749acd55e3431396cbd7f66367a8535b4f36e1ffc0562964eead5c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0cef44a439bdcc1705ec9b4de14f7694
SHA1 321df079454c527854d41d1e0f82bcca0e5958fa
SHA256 55461485caacd7a718a74b74313dc9c8309c0ca18137b54ca02c8f47b35e2b3a
SHA512 a15923e2f4427a13455b0a39898f3605f34c13607ea5a6c0afe0d42c34c9483e4ac6817812d4da4c171f3068bc3b12f48d8d3ebd5e57bb2e898964bde241592c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 dd9dce9539533ab307717e396793eceb
SHA1 f995307eadd0f65c20fd0a8bc266bb00d67a2f69
SHA256 05f0f36e6a51633b9f98b24677ab0000aa21f00412b73002963bd2590f3a6d61
SHA512 4684ae064de8cefa17295f1338bd70b3cb97bf61d5b3cc7007571d646fd7cf8696d9db1fc1934d630d69dbe8730e886307d89bf4629c889ac55b31430cc6fdca

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d998a89a1ad8952200685473a1acccf0
SHA1 45eae9a622fcf9b8363bafb4aa6612a4ea40c7af
SHA256 7b2af4c070f52b40086f24f227edf0d59e8d4989deaf8c67032e089870724555
SHA512 9b3e3dd9ad2e3f7869b49510598d9cafd8881ad3c2ade60991f7e0d9e37320bed36dc10a0eb45c8b8cace82d01211f083487e2d2ff28bef8d393273ab662339f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 408d8fff725f03180d717425eb12a32f
SHA1 ce2729fe884a0992719737c175003a9ca67bc678
SHA256 0a14e655f3295f6a8168681042a1405a9917f4dd1e986f6d16a334c9129f8f4f
SHA512 9f27849356d9c7d1907a0e63fbe7306f6f43fe93632483f5490bca44ffde4a43565f7f08c2e391df523badabe1d9ab077327dbbb7a581727883084b351827554

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3b6780bc207be600a00cf655a0a22642
SHA1 3f82df29782fcbc231bc02ab12c95f5565546529
SHA256 0399e6f16e0a074592271a34f1b12e65234ebaf9874c7add99e924a61bacd3c5
SHA512 d92631b09d02200aa365be6ff58b110839977289eec10d69f23aa673bb50bc8ef58a0d23594b455c361fb3305e1f285cfe5ac3578a3b8c6404f9addea2fdd9e5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 bce0093ab5520d5f873c2aba85f92413
SHA1 e41fbac21e9101adae0051e3cc88a6dab7938f6f
SHA256 b9caa5622c4f3cd4788a9acacd9c190107bd37c8e1bc7be4feeb0d4ee8cb718a
SHA512 0a60413018b3d0499fe6e5f9de62b63999a334e5a53330e029819076e1f20bda98fbcbe17f0b8e3be23ce097aca48d0b124a2216fa6cd0be55cba164141b3333

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a60b27c51263b3adc3fc8c2c0058211b
SHA1 5a99e48b401873231311bbd54e1159630d14fd71
SHA256 05314b3e8de80125a6d17c50669cf5481273ba5eb94c78bdf0ae919a180aaa1f
SHA512 9ac1f9c5fccdf04d8be1a52761a0069efc8c23979652c684c69cb074452d63673c3cac96cd468cc0a8431e1124d0c7b1aa88532caefd4bfb4edff9ad61a4e862

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9f1104f47c07d755fe7e88393509aedf
SHA1 12434a09cb2de8ea909e50c7db28d042768ad4af
SHA256 531c1b61f94c445d5f7cbc5943bf1da3eac1ccbe4ac13776baa916952bece127
SHA512 048ee99239c99033151b4a53dec8d9ff70c86f52182ebc8f5a10a265529502e2d38511b28ee697dd21267183ccabcc343712d9b435e80027833c38ca59648aa6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 394598204dc1853610a197ef91eb0288
SHA1 35042bc28d65f9b17c582301903531f08ab7525d
SHA256 03292771a86a9de5b99641f29d27219e724963f322be3f08bb73381c243820b9
SHA512 53ff1870cd0c6a30d4e028b7761c0afcb356172fb92f33b2340b31f76462fff16049d6376f7d8873c433591232000fe56e7166c8f3f5fd71ed4b3859fb079289

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 381ce0caaee85288bd2b271929f20cbc
SHA1 c62ab32fe27277502556b74eb7c3b0a2ece2cc6e
SHA256 e8f6e5da165cdc88f2270e5601c7f87cbd057a83075325d990ddbb1cd03fb929
SHA512 a3508d645658f916364c530aa97b5f11aa36e265c9a736ee80dafdd01197e9c09ef000aa0398dd7ee8ac8a17b5b2115a9179df66d061f7ba559d88b08d6351d3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e074c1e4c6afd65dd37e99a4e8d938c5
SHA1 09f0249eee27ac264bb7be411e18a31eec8478cb
SHA256 36c43a0c6fb21e2baa7dfed2ec8839fd14662d16ee8a62346cdf821999777087
SHA512 46a65b078c2fcd6a4ce5b9d78f58e27f9a5f3432371e14f39c5d83207af90570f4855f02e78c1bf3d323a2b7ec175a1996209d8ea905b73c8c32540a9d8c319f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 76a2d0a0083129b1c2dbfae33ca68a49
SHA1 2f78b8b091b83c071d6cb9bfc754c5682f6260c0
SHA256 8ef678a9a76d2d2a7b13bcc4ab7e807a7e46579aa06b369d2edf2ce75aac8b0d
SHA512 560bd4ac8da07173fdbb3939b58278bdf41b2103b7a4a5a45c13032affd25bd67d93b86443b4f3f2e5b0a965f8e7950478b930708bb0484462a77ff60fbab455

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 dbf4cf796181cec1c6dd4f6c09624e56
SHA1 9acbac1f5a77e6b83f488d8e037a5ef42016d6eb
SHA256 c7aad6eeecdbc34a7af9f57d56c8f9b537f469665cdff3dd1e3e8ca4f8ffd97f
SHA512 61144d32897987f7fb4a809455c408cd5738b785f4dec2288c4d72fe5f3870d46bb2348fc1a6a32c20105a06a94e62835cd015b695d357c80d76dfd1c8a487af

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 88a6305b586714f00d95925210610eaa
SHA1 6f3d6cf1c028a1b9f4247b5fa58f107e1186869e
SHA256 9824854e1e61f5a0250b7c6700c783e7581adcbd6d937c76dbcd8f88c4cd721a
SHA512 accc89087c1d7ebd3a92dcd3d54e4c5b4ca797640980221c2d8835e7d14c9b7284e8ed2a34e0d28662802b8c2ad5e98734fd467cab247529c2315a325468b8e0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9fadb227ef1eadc11f28fe0acd1bc4a7
SHA1 30b3f81eb2697f7cb04361fb92a2d4a8fe9e47f9
SHA256 eed601788d0254bfb4dd4cb04d6e0901e5d9e32bfe5fa935a5b9b3ace88babe2
SHA512 8a5a1c7d769f8ec82d69dacbd48048e46cc870039babf231a7a54da713d0a73f8b129d6c17879998ca5470749d3e50a6b12158039ffbc3d94f38f423be2635bc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3dc551318204c4fd76f9dc6eedfcfc67
SHA1 68e22ad3d95a9a69292af5ca71b4a88615fd23d6
SHA256 5b662dcc35e7d83fda66a36a0a532431cbbe8c6220dd87dd003036f7f6bed317
SHA512 d217bf6ee3d03535256da8eaeb6c938d025bebca9ee575f3a872b2613e55c0ab21e1c976537c81523a6b494156a533d41df6e970458964cc8d4813bb2d7f6482

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e95ced12eff44999b98f22bc69053630
SHA1 4cde6a9bd724b8a7e6651817e51d212216f7d8e0
SHA256 45dc2aa4b5374a60d604c5dd4d1eb1ae78954eabdbdfb6b6322cfeb8c23398e2
SHA512 c06ba1b7b514db91788fc3ff408a43a90b1e5c175e47efa803dde3019341cd54fe3ae64b3a342a06b4c8adcbdd5b10d5d08b7972b4169a4ac54bec5a1a5925c5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f4851511ff4ffddc693d9e6dffc94398
SHA1 430848a163abec6fbdc39eb25c2309f41d54febc
SHA256 11469c2e25100cd4b418a203ef5484b286480c323887bda935fe690cb055ebbd
SHA512 284915ab31973098c93282a0192fc816912d11348e7830612ff445a6bb33e9b2b6bdff9d6d5749496c4510c64da5e2ea04cd585dfce6f08dd1a613e868a915c9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8ab0fdfaf2203209fa63a52903bb7db0
SHA1 f5b8b47c448cb6a6d39e7614054015360a18ad36
SHA256 fd1accd6593cef3165f18858eaf586dc2c597d21c6f893ec2c8005a181d509a0
SHA512 517dd103660e2851cfac9d329124269b841faee71e7460f520cbeea0a9851116d40984151df296301f170060329fdb043f3669fc53460c65560bdb1f6c4886b0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 71c1c64d613acfd9860d7715c82ec376
SHA1 185d41ad84f296b472c9232a76a3aa6366b14b72
SHA256 24942df5fa14bf0b15437701a6e596366b95620d2994b68c782f9c45cfc1c441
SHA512 5cc21076ac4749ce22cd9b81a62d69a5d76e0c09beadc3856f26ded39822926bfb97d87f5004c822aedcab029514b1a66c591c8f6b715a832d3060701495482e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e76904287632b851f715705b0bd71c82
SHA1 5416ccde1a0e9f6d525e0d0cab1673b2157f90e8
SHA256 822d302d614643f382100bd3398661ee559712e3e81c61021be6b61c590e63a3
SHA512 0ee3008e4af5ecf4643dfedf70c79e729c2b0f4f3a88524b81e8cd957097dc71cfaf3ce65d0d2045c8cde11fe5dc4d4879c70d842d9bfc59ad8100f01eacb459

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d8270d5c2546121417ff76b3d62dc75a
SHA1 37ebf677c1668669cc1a75609568c3d9e60cb2f9
SHA256 f1d657ab13aeb3ff76e401ba4e743bb54f6ed3f6646dfee3309da891d3f044a7
SHA512 83a00d379bc57da86bc56b7b1fd8f99e1813176f084677ce59e7b0d63d19f9cd7838987d7f10aed9774a43b3dbafa69cb6d3517f97b91ce1dcab782870c2328b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 61a301f0777bc248367e171aaded6dc8
SHA1 6bdc8bc7600802a14118ac536e69d36be3a2ddb5
SHA256 99844d3983a7b0cede3f0698a8c335544b3f4776e6a12e8cb16b8fa5d29abcc9
SHA512 c338b788fb357903485b6412f92ea80e5570d4e7762957af7e76e458eb879c6a09e226af058db77e246bafc6f1b907d439b71a0b8292d18529bb1c46a99372b7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ad829274cf204dd2f3e17a508c30d0fe
SHA1 ea2a51339bfc05d5050c008039c5058aa90bd76f
SHA256 d718a2dd72514d8c8ace86dbadee27f92af7f408e230505ed971672648f8ac5c
SHA512 4786f0156eb5dcedbb2dab9e4cc841ba38c7e56d4ac051ce4110a948cc97a297d491bc6c7c8c244949aaebf31e4acc935a7c186885828c0c7020d149f83f446a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 10edc3d2afcf27b1ec7cbe7c4b7d6af0
SHA1 366d75c178b205befb25fbf8ac91188564866d49
SHA256 44da54263a501b6318411cc55bb6df76c69c1b0cfecc8cceaabb49dcea8e779a
SHA512 d282ed0c31938b863c88335df069079cd63d7197c100aa3832b79fd3c108a629a536d2dd1eb131a0d7ba3b040e2aff88427d1be48dcc483e154a78502c720111

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8eb65b7f5b75c7bdf5c989da96e8c075
SHA1 30076572e692c445250062f6e190c68419bc0b61
SHA256 ba7a3adf165d2cb82f1528527920e19e27f30e406dbbeefd498b9c7dd538b4a0
SHA512 7fd649f0deb3243edba6c39b18eaaffd480250c81e61cbd8476839cef8457c37563157a70fb246cfe6babf321fb4d9889b4a153aed86fac890a1a444847193c2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 83c2a7abe0de4a6a1d60a76972699acb
SHA1 05302bec302c67392520ee272833bd76abce9111
SHA256 58b44c9c4d643fcd5d343c9ab4b0df09ac8f3c02a06ac1ccb9b98e970762581e
SHA512 37b68a9821e0243c9094ce081ef561f06170451e1603a0d7c7d2aa94443f58b8a8a7a8a5145aa5eccc104b9547a7051e0c277bae1f338c0d2a77fa07e502c1ca

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 52cc22bd10a652762316e4fe91d513de
SHA1 d522c4eb7fb53c05f315e4d4a2ebe36b6c17e684
SHA256 cb8ef96d25b911fc912bd6afb4df40920f5ae1bb5c79668493f73397801e32ac
SHA512 6a4658185394b64012589767a001e8de003de230d0337e65e110f200e4688899f40f05bc5f966f65c32ed57418c8bff7419a0a36cc190d9d2b8105707436ef5b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b565c03de75c2a5870d4ca7cf87439c7
SHA1 ba41ef65ad30bb46e32861106a68e0d568a45532
SHA256 5bd39c8f37870da4574c44d16f26b502b987bb2409414d765b836581132b7922
SHA512 a07b63a56388cb1dafe69f09ed8b94624e439902a4fdbf7a9bd6c56ac6d11ca4ac47d24f2c2c3681d5892f02b4f1c44a489b048a873397ca64ce836fcfad20c4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a0b94dbd700f54e1dabdf3ef69b8ee75
SHA1 42b553c3a63f629e6d2ff3946d2434f9a3a90a1a
SHA256 c5ea1e70372a377e21f5ee314aa8d0be6f9a133ba6c1b15797e8ceebdd0e38df
SHA512 e4311b6e9c3464f3badd2c65247686c827d793de6d53131e3c0f694fb8b406a6a2febddd411eb78cbe6ef0f87bc01242fb87f0bdbf195977628ab0430c409122

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c94ed7e289bb2a2c8ce30ef9c1c2473c
SHA1 3df4dcfb67310aa462cb635acf9d937d3384fbe9
SHA256 0f0514bc2bf5126faee3a9dc79b9b2dff7f7f518bf11c4c2b5ff99c2eb3c566c
SHA512 0e09018092da84ae6e0266840f62ef1be2ba06ba85879579854ddc9cd820064a9e3dcd3e0e443fd7a218c50a81be3ee56940ad3d1dabb00cab83cd1a1b4ec033

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4b84f87d24f2e76a64af38c552629ce1
SHA1 26cf992fedc5273fc8aa60afaf5d0dead5094e6a
SHA256 f5670513f7ca3b300ed72f7f274eb8dc518a8d2537d3102a85715fd3711c76a9
SHA512 5b87c8cb0f237eabf133b73e4fe666e9856b84ffdd5ebeae08a2c53a047ca4c868b88a52a7258d2dc89fc0e029ee0941f1f9d4f6a4cf73a4ce5ea718fc0e9c7c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 10879272aa08518171bfe05464b0dae1
SHA1 3783504352b588a150135a6c7082e62fab5cfbb6
SHA256 13b946acdd75a9fcf205285d1a38990f31d9bcc5340aeb1ac70360431e203c27
SHA512 1ccefd457b449dfcded2591b76cdc460b64cb02d4ca6017a8c972f64690cd494e8955a1b07a23dd0f4faa7720dba0e8faf845249cbbaffd018aaac415d4cd467

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2eb5084a443c5c91fcf23614f5883768
SHA1 179378b0a285c0d82548c67df3511f609e92ee8c
SHA256 39cb25d611928a0751589d5135444c7c1fedacebc5f5614ee844e0365c66293a
SHA512 d0a8d65f506a188f596b915c556772bdafec1d24b07fe1be727303fc45b06dba3cabfc0f7dd97057c4eeafe0a8d5cfe8f2556c751e49be29c2575cfe1ebda75a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c8e49b9cddce0951cf2b1659921d022f
SHA1 3701812fbc6b5717dd5a00d29fed0057c225a571
SHA256 3d1e57fb1f8745f7c65d201c4032c7832b0ce100eb4fa2d724b1f9b04a236ffe
SHA512 68f039f1c39119922c3ccd725a297cb8423dff65d5f41f2db2c9e9271cff9d78dec15d773f74bf770955bd8c6c6d5c03d8dc5d37986d0fa42e680bad28232a79

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d6bf3e08b0de92a8b4cf68505086a9e0
SHA1 b41f62f64fdf1dc12ae3dc24e4846534d3b50509
SHA256 fc461ac5b01ed677c20275b7775591e847588b7cfcb99feeca9e9310a843d276
SHA512 a4a6624cd4d78a3e9144595f6ef064a14cefe3b56065817f18b8c54f663a08be5b7ba469f75b31650fbfcb3622fc8a2bc4ad79d19826cb65c29fb559f0cc80cf