Malware Analysis Report

2025-08-11 01:27

Sample ID 240229-cxkqmsbc6w
Target ad742104f5da2b146e926f1eab741103
SHA256 7de456532b87725cb5be6a3b13d4859c1b3d0fcd220b1935741373b567c8803d
Tags
aspackv2 persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

7de456532b87725cb5be6a3b13d4859c1b3d0fcd220b1935741373b567c8803d

Threat Level: Known bad

The file ad742104f5da2b146e926f1eab741103 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence ransomware

Modifies WinLogon for persistence

Renames multiple (5576) files with added filename extension

Renames multiple (91) files with added filename extension

Executes dropped EXE

Loads dropped DLL

ASPack v2.12-2.42

Drops startup file

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-29 02:27

Signatures

ASPack v2.12-2.42

aspackv2

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-29 02:27

Reported

2024-02-29 02:29

Platform

win7-20240221-en

Max time kernel

146s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad742104f5da2b146e926f1eab741103.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\ad742104f5da2b146e926f1eab741103.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\ad742104f5da2b146e926f1eab741103.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\ad742104f5da2b146e926f1eab741103.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\ad742104f5da2b146e926f1eab741103.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\ad742104f5da2b146e926f1eab741103.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\ad742104f5da2b146e926f1eab741103.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\ad742104f5da2b146e926f1eab741103.exe

"C:\Users\Admin\AppData\Local\Temp\ad742104f5da2b146e926f1eab741103.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-29 02:27

Reported

2024-02-29 02:29

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad742104f5da2b146e926f1eab741103.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\ad742104f5da2b146e926f1eab741103.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

Renames multiple (5576) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\ad742104f5da2b146e926f1eab741103.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\ad742104f5da2b146e926f1eab741103.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\ad742104f5da2b146e926f1eab741103.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\ad742104f5da2b146e926f1eab741103.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\ad742104f5da2b146e926f1eab741103.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in Program Files directory

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\ad742104f5da2b146e926f1eab741103.exe

"C:\Users\Admin\AppData\Local\Temp\ad742104f5da2b146e926f1eab741103.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Files

C:\Windows\SysWOW64\HelpMe.exe

F:\AUTORUN.INF

F:\$RECYCLE.BIN\S-1-5-21-566096764-1992588923-1249862864-1000\desktop.ini.exe

C:\$Recycle.Bin\S-1-5-21-566096764-1992588923-1249862864-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
