Malware Analysis Report

2025-08-11 01:26

Sample ID 240229-dpbnfacb28
Target ad8a053573f17bcef0da88f613a5aa87
SHA256 a33402764a864c799f950d109bc8b176c56216d4fdb0cf09bcc281e02724f005
Tags
aspackv2 persistence ransomware
score
10/10

Analysis Overview

Threat Level: Known bad

The file ad8a053573f17bcef0da88f613a5aa87 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence ransomware

Modifies WinLogon for persistence

Renames multiple (5573) files with added filename extension

Renames multiple (91) files with added filename extension

Drops startup file

ASPack v2.12-2.42

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-29 03:10

Signatures

ASPack v2.12-2.42

aspackv2

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-02-29 03:10

Reported

2024-02-29 03:13

Platform

win7-20240221-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad8a053573f17bcef0da88f613a5aa87.exe"

Signatures

Modifies WinLogon for persistence

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\ad8a053573f17bcef0da88f613a5aa87.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Drops startup file

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\ad8a053573f17bcef0da88f613a5aa87.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\ad8a053573f17bcef0da88f613a5aa87.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Enumerates connected drives


Drops autorun.inf file

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\ad8a053573f17bcef0da88f613a5aa87.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\ad8a053573f17bcef0da88f613a5aa87.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\ad8a053573f17bcef0da88f613a5aa87.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\ad8a053573f17bcef0da88f613a5aa87.exe

"C:\Users\Admin\AppData\Local\Temp\ad8a053573f17bcef0da88f613a5aa87.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-02-29 03:10

Reported

2024-02-29 03:13

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad8a053573f17bcef0da88f613a5aa87.exe"

Signatures

Modifies WinLogon for persistence

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\ad8a053573f17bcef0da88f613a5aa87.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Renames multiple (5573) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Drops startup file

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\ad8a053573f17bcef0da88f613a5aa87.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Enumerates connected drives


Drops autorun.inf file

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\ad8a053573f17bcef0da88f613a5aa87.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\ad8a053573f17bcef0da88f613a5aa87.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\ad8a053573f17bcef0da88f613a5aa87.exe | N/A |

Drops file in Program Files directory


Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\ad8a053573f17bcef0da88f613a5aa87.exe

"C:\Users\Admin\AppData\Local\Temp\ad8a053573f17bcef0da88f613a5aa87.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network


Files


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5f20727f2ab54a091eab8ac33e6a71e2
SHA1 433a540985be07695383f8925037c8522b91fec7
SHA256 587649098d664509f0bb3c5171f040c5f767002553d61bcd01c6d9dd9f03d9a4
SHA512 d764e43e8e26b5f3f910978b2f5267e18bef82b0e13ac669834207255c022d6e030de1875b028c8d77906c5aad9d26643867464e163c40a1a72192bbd18ae25f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4b4d50b792f8f66410b1f175d4967eb9
SHA1 9ed90c1762d7ef689f922e2fe4299acd19e5432f
SHA256 c065188ecf20be37b23f163987123fc7eeeaee37505a78ca7aaa82fe864bcce7
SHA512 0dfaa1a028c55837fcb0545fb28e9b1ac98c38a5dcd76e9fa272597c3569af60e27d7c06bce03000952ce2feb428e9f67019981c6d5b90144509c82395fac4fc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4d2103b35234095710263b439a8a516e
SHA1 b2dc6e82475832aefacfe790aaa8d5c9af3aa068
SHA256 5cf373d48eea2db369f1f065b6f26147a6d73b26ce37c00b5e59467e00802cba
SHA512 2d0325ea299bd492981492ff1d05a12bad2894c64d7429350b5dec5c596e1a5480de057177f135e142a0bd250e9a40f75571d6010e5dbc84c4113361e44223cc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 22fc9f1e744ddf1d89ab8c5ac65f8f5a
SHA1 c4fef4164c84114844eead9ecc3c33279d6c6b8c
SHA256 00d1e4dc8a97ffc21bef4c70573de72d608351e3b58462cf53215b0be20e2e71
SHA512 83eb2e9b7395eddbfe0edde43f7f77cc3f4afae8ba6b5025c29642f2ffd9e0a96792ba2b7f099b00bdd197a4f74ae720c9be5a31fd3d6a09dbe5a168118ad9f6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 14e514875cc8bbac3f5c715a7ecb3077
SHA1 97844e0ac28e3223b3c0bcb1642e727eb43a0ee5
SHA256 81e0099d7046195100fa4e0bcf981d6b87c63d90d066dc252cc799c8e9ba7fea
SHA512 8afed7d0aa0d25d122a60dbe1636805e2fd9d92a0d93d1e86577bc54aa4b802e718f7f8d17c5edd9f88aecb8941d660054def27ef141606ee2416b25c1d1338c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b9023baee4b87e31c6f88a5034150141
SHA1 53efa3702e92de01197d989c93f659c822f87bc8
SHA256 80536e89c7cd4ee9ee40281e3a7e3b325d62cad5090384fb4677564b18e30bb2
SHA512 f60d8dcd006237da06b0b45b9fe8265ff81f268ed19df3ff94342db83fc99e3b335158093d70dbd7702d2e58f05802c0c913725bfcd82e93b7943c124a03bc8c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 51740a50516267db49a092cf3565e162
SHA1 d23e1427def46dc49ebcd406290c282873b53f1c
SHA256 554ed0cc5813d25e2f5069c42283e3bf2292bc2a300b0c9848120a5e10109217
SHA512 4f0e31e5c75215e11d3592d11672489c67ee49eef1338dfcac4519959d69847af47bfcba57026a6ee5723759ffb4d3117d89f9dcf8ddf58cace661cfb8895d7c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 05d157cdaf624e0fca509e80c139cef3
SHA1 f568caa9f15da27fb54bb823e966a2c9ef201a57
SHA256 f0f856d78e9ab157f9c2a55ecccf01405241796cb6421b372edc8062347677eb
SHA512 7fbc9ca5c906130070d2d7da0fa6a20fe1345c3f6aeace0a8813dfe4676b09162c49182879cdd690b0f2fcbeadb1d140386ee7e98f810dc0605cecc5b1ab8dc8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7d1108f17c0d6a4c62c94513f92f95dc
SHA1 0ed15792b0297dba272c66b7cc0cc19b0ad10697
SHA256 fe8e02333b48b875407510041f6cb96f2b7cb87cbedb2ee579d2e31a665075cc
SHA512 759f8c93c703bd5b63bfea8e9e584c62466d16ed94a3753f31ad50a2c865fabab39d19c88d6090450d4891c09b3a2bc2c65804694f1ace006a5549bc1d5a30f0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7dc8433407143efb314b2f0b9f9fabcd
SHA1 2ba78d55884d2e9f5d28c9590b59ee81ce4cb82d
SHA256 dff1cf5cf9a2905a6245f3f7fc2e53037d50ffe134a85b050976d6fe3ce5d90e
SHA512 9c060365c25528e41c439a53453a0d900ce024deaf2086d17c8b191b772144760ae5a1666db38d6f550c22517a41419472367c5cbbd435b54f46e40d591373b9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 dd39657596e4740f2b16bf2a62f7ffc5
SHA1 ba5a0f4f96213d70ea352d19a0dacec65dff9e2e
SHA256 04c04907482b209f1f5b56d9d34f8758fdaad59cad87e4fd30d38484988d03fd
SHA512 e5c2b9319cd24302fa064a46c5864d5dcfd48b201d97d35a23b792c098ef42144607fc226276d6b66b703322e1f808e12ca61d1ef4ab773cd3b148e91d9c76d3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f0bac4cc32c71df3ca9fb9b33ce970de
SHA1 334f82b6c0dcf76f8a2b15f3ea99563264b9ac4b
SHA256 eefbac98c082019a02060d4ce7bf2222558670dee4454c8edad79cb367fa8687
SHA512 f132506a775500c0a6b5b948092fd5bd745e658d830250206bbb05f7bf8495f620980024208c115b5b56a1c735f61cb3da5ae7b38bad095f61408ae15748b82d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b36968998a3fa0ed8e3a101bbf684865
SHA1 54e043ff8296d0aa9139e9b0c119b8a2df9ed247
SHA256 1e73ad5dd06d49e1474a08dcdda01e947a81dfefe62b17f05fb43f78f6a19e19
SHA512 99631bc076952fdfbd7d8fa1c99a178521f12f2473e310879929ed9990bf48874002b01d8601b3b6608ce8567d6f97289f333d38932f99197429d7e342e33963

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9e3353e76c38f74857b7d9005846c08e
SHA1 8fe0e419f0a804647a177a64099973ce50f6cca9
SHA256 92f7ebba55060086774dffc399e51c9227c9253a8b6a4f21783dfde2f100302d
SHA512 1d0e5545f6bfd89ee695498f8ca442c308ce17457538f3391c47ca95c3c1358cbdd014ac4d71f1702acbe272252c02ab26b03bd96e943e84dfb466519c536308

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5ab5c096ae6a5a6018a29c51d479823d
SHA1 bf83018d01a45d4730dfa15b7fc336270cb50aee
SHA256 ee7a7aac332c89d7804053d2aec4872b7a9bc9b262f3a88fe6e488ebe939dfd1
SHA512 76000601e8bbf750ae0c454bf88a19f6bc00153f805ac5706c30eb264d5fb3dbb30a1785704b773f5b7a4c55638f6e1e990f2d8cbe2889764bdd22ca490d3933

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6cb1769c2bb45f0580b8ef6f4acf6efe
SHA1 d878a644e8dfaee1d9abdc8b23ff48bc9dbe4df2
SHA256 0d473dd0139de4873c6959b305badcd6c6cd2a326a352ba7a096ef184816b92c
SHA512 ad02614c36e4394de9580769b5e9910e38eb5f0efbeab2c2a58454def0914f1456aa3d7ebc6e3afd57ff23024741c2f4cb85d451a0c0e6c68601b570b092dae2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c5754c3f6d24855a58a9dc3ea0cb57d5
SHA1 e50e5c8ad52738ccf4d123e833906195eda546a4
SHA256 f07eaea9bdfc93889ca12d9cb143a3215d310fd48848600324aa6787605feb03
SHA512 6d20ea186d858bfebe376c73b1a1c14f0c285ecab7f01b49af57f0e35d466aa796775629ab3eef171eb56a3ae1efc486a0f028aee82bf3b38ca009630c584ba1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3b8408715012718e0417925bea1942b1
SHA1 e3d9461aa4bd5a11243a2c574efc62afec5322f6
SHA256 838ed1010e6b4ed15392e168cabca1ef62ad3353346d9ee4ba9a7bcd72aa3472
SHA512 f0a61f394016a394b009f6256943b97ca78442b370db361dbe29d5b610dc4507dc0938f0ba53afabd189c55c6ef006fcc7a74c3a41f2f4aabbc09a487d78886e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3a8ceed2a694e8be65a9e073bb0b66d5
SHA1 f0516d30c6229a9e7eab917811d2b25e4f6732ea
SHA256 cb235dcd7dc4e1b590c5849259a49d5e61ef51fe779a6cd8db2ea6e7a5264146
SHA512 01b616f818174bc9ca0458a31bd4c473934635f1aa73cc3e36fde7a8ebc0d3f799a8a830957b11049b4fb109e89c120ef8eb854391e669af83ae66f9f1a6a5b0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1f0d35e27ff2087bf7c15b1506188b59
SHA1 71cdb29cbf3d9e603cd31bf1abadc6fe7c1b9ef5
SHA256 933c6ae6a0eecb93724f74db148e985ce707f364ac82ffb46c696df8f1928849
SHA512 2c84eea014d9ff62b755111f714f5a3113046fc50615f13effa329d9d8aa8c989cfec236a85336f74c01417bb4324b41dc0af008783f3e676d3f713ec184dd80

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 53c4dd8f2e645b1bf5f3a9a07f76f9dc
SHA1 ef67a20196d358607943c600fe67214f9de3aedb
SHA256 999905d0add0e2805f05b0ad35317bab3bf09a3948349b78c04e185a0d991776
SHA512 c2748f8ee35c853122dea7d95a185e001a3f5b0cc53f4027bd34d0e8c4e78098a29a66ed53387b5004dd1cfc79199491a3cb2cb5f22347707d297afbd6e0a576

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 26453d50f8a71791c5bef713ac31cd3e
SHA1 f4f5f22b79f2db0d832284321166debca2bd2ee9
SHA256 dd5549088c311935b0be8abdb7676a53827867746e77590cf56de9e578158059
SHA512 2a291544ced4294b51b65bd6e46531b92ac2567c611bcf0ef845ec8a4d7c3e3e3bda807bdf21e0fa818e8047497d45584ec94d613a0fc6ac95a7c9e960300a41

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0f548bb23a482f65a5f9225a1c364062
SHA1 cc1d747d7c2c6594c7fd2fb737aebc02f2bb368a
SHA256 cc3c61d0899abc82d2ae31780b184ceb27caaf8ee5612ef7c20a393133750036
SHA512 ff325edc88b1be264b3e0303f9cbd06d91bb8c863a5c30ab950132057fd53b09addb2d644a2dec717849e7ac990539bf9c22ee0290e68d4053fb713b0b86ec32

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 654758714674616653e14062cde5348f
SHA1 7faf5cfedd4ce6770504d5ae47ecaf47abcfd085
SHA256 25cedfc8bb86852cec8d71021e857426669494d0cec900587c59cf20c8e47dfc
SHA512 0bffb304db041bc29cc9d5e9b5c3b6d28adcce98c673913672a93c3ddb95ffb0c65817d9290689544fe19470e13aa87b1cbf1ff7c4326ace75f4a8b0473bfbb2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 929ff59d370d221c916616241d895590
SHA1 2c5a40d552f2d0e352b6a76e3162fded5dfbd407
SHA256 5a18a602400f454a066e7645d70954a54a18a313bf103174c710392941bb9b0d
SHA512 66af4c9996d9992dc1e43da50e10f1a9e7a98ec6d39f4e466c7ecd27fc7681fbe2832e611c3f91938095926d9441bad26ccf76fe6667ec04e9faa97086118cec

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3739df35b070a8d49b8cf4a1e41e5225
SHA1 2d27749ac5b4e8ef188781141e9476efe448f137
SHA256 7ed8c2be6c6fc3fa68a4e17ea4686d3682ff945edc4b59eb704cd361bc7acf8b
SHA512 4b23cabf6d53894328809d401ca5c9fe495c6129614a29a4f0e66ed645dd3632309971cc8d53b5d335829b7090c7d02baf566a447b81ceadb8880ffed1f6129d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 decc79e6e0cf296f104d2838e34946dd
SHA1 f97e725ce9ee1dfccc9b9547f210374eb0cec285
SHA256 b95ec69c25e25c1a48f21a8584a23bdf8294cf50149da2417af6639717d011f4
SHA512 63c952399f00f1aa6b835796feae40bf2f32d5dcbd12a8da67b1c25aa472378e29d7d16dbf2b941c790afc9fcf990043aaa14ef36b305fe1f6d2818f1cb77695

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 56b817e2c2cdd1a1a047f6abfd22652d
SHA1 7600932872002693df09032bb7e7985711f683ef
SHA256 0abcda5e3ca93398fe0bdaf867579e598362f6251252413692aceb80a764d9af
SHA512 3c13821b5f8c240b7fe64a1b1526fbf018a5a363f37310bca3c67aa404d5a84cc4a023f178413c59bea5fd0502b3ee01ba283ccf08576e544bc0e8c52d21e0cb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0036abfd2336856a4d4496357a776da9
SHA1 a139700bc6e19671ce3b485b25781c8decdc8252
SHA256 071ced2029c4ca10bfabe1e28233335599c36ee0caffc412b043a3fcba2a2a11
SHA512 344aa958edc8e9882ab29c9f1fa9a1673efabd8317fcd602498b087c39ae45102889026e0658ff5ff9daf4879648ad5cf0fc1272c8a1e19a132e261b3178e161

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 88b90d8dc94547d1b4e0239aef28114f
SHA1 8451117af015560ff2c75cd792f1a54969f43547
SHA256 ed6f5dc3a83f16b477813a0fb9539a164dba2f615621733cb0b33c092b031390
SHA512 b79a92cecd400ae0cc9c1a70334601f39cdcb59feacb6dfab26dee3052d664bae270106a56c2901aaf9f521633c3875bb2cf53e4db95ff4e35ea6e7cd23b75a5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 030de0779935cd45518794fd1e8fbc19
SHA1 91d5d56bc8f30c7464cec35aca3ed5d92b3e147f
SHA256 a4e9d2cbdec7879c0f1eae9d8f060ecfd3ade636fd591ae54cdc038cfc548e81
SHA512 170d9b0f00dcd05e19be12319605398550c080834b0d863e62526bf025cdcd1ea52c416369ffa74e14884fbbed029ac8cbe6fcce6fd3b98f3257988e1975d27c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 be34e0dceb0fda9ca784f31dfa76450c
SHA1 581134a5a5dc04ad151cb4aee3cadfaaae91e914
SHA256 bd50a163a6d0b9c8e44a9cc3a592b731fe28007d478efe191342e80419e1e456
SHA512 04f76c938b1c2704874c0e1c80cff4adf2b015490043b1698f3ae8973ee420635d640a8d8404c67c0cba51c317db4ac45f75cc99e9d470eaf6560d063480f8c2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a1e9a4ea18ac2cf455d39b4bb47f5490
SHA1 de541a6a8ba4fb2c434eddec21d68698ab36df4b
SHA256 6d02dc0bdcb6ecce78bd9f44c02fe219ab11e798daeb9f12964ff41e09ab6dc5
SHA512 d23f3d1bd10e0b481722722e46307535f3b81f3bf4d4cb0f7379285eba159d5e7c6ae375d968b8403fa556e0177b71c5dee2ad7da25fe75338118aee49403e55

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c9e88f6822f0525382c17c2ac3d43608
SHA1 4c6ae6c8bdbd06dbbe5610aee62958c23c49ef57
SHA256 f28ef3afbb0732f7b59c06a65ddddd1a75b34b6afbf7bd5ece33f8388e274c57
SHA512 ac4fea95c638b7b44c0c7dafaf0a87482ef15af977032c49404329ebd6522a97c71426ecb85535741899afd0898553cab32893f7f9d9855abcb61a7d98173507

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 899bda02d7a44eb05845b3249f33827b
SHA1 1c24ae30ae7b208c85cc216f0b3dd4e7fad0b18d
SHA256 9b017615384eaf54987dae6e48d4041e04464cb89705a2c03878a5a081e6f886
SHA512 1a05d411e959fb475fcce1314f786809e21630e8ec9dcba28b97300e46e81423c4e71ddd977c2da35cb53b81de393135280cbaa5013f62c2d0b65590f24eac5a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ecb831d333732f5cc745f3d218b6bf7f
SHA1 de0ad3e05cba353a83516407d9bb8dd6e85bb71d
SHA256 20bb0c92a2a9ad8818bdcdd73d47201a92b82530d393fd346b2aaf772628b792
SHA512 ab0a5dc61f0311f54ce1e9d87fa5dfef5823c984b2a8ba6804887bf0df83973d121f00bf3ac406ea0a3181126f64270f3f7a2f1b629631c8d05593ec643a6ec0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 74ddcde966455fd7bb0de05b76afb70e
SHA1 d2e5ba986692c79f3c61ec7bce09284cf8d72687
SHA256 034ec78022419ac156fd6659ba56eb1225a9bbb03f207fbb51baf947dfae5828
SHA512 358c3e23c4807c77f91ff9320d6a6522a94e81bf75d546e1bca22317d57f1eab43ebca22df5c893977ff9dcdb92599f9e3f0d9e7fb2f7e5f2bf32a166caecc26

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0dbd78c1494d3a960cd60e1676039871
SHA1 12d64b00a223de66c8d1da924d69af42b5a9cbac
SHA256 796dbb25114dc61ec19843e59f3ff1edacbbadd0e24f7a7241811bf41ab0669c
SHA512 196dec8ef3c481628cf2001d73bb2fd19ba77b248d324e79f89cc06392b5ddf4063308d989d09c13b58a1e89641be33203004b157838f39b0cda636d72ce3e4e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 3e701a9b24ad51adf284890c9f74cfbe
SHA1 88d6c07c07f011ca2e85ea108eaeb22cd7d158fa
SHA256 01134fc6616fba8fe15cafb0ce969839a162725e5cc395fdb458ef0eafa1cd45
SHA512 71d615a674915bfd3f98b32f27b8c24ce7797cf89742eff8b5f2f4c83293a27db6b7e31c48d6af7b9ce2cbb275635a05e903f91ca3d60b33b837f2783b5b8968

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7e6d0d69718269826fd6db2a25da500a
SHA1 8ee532b72635c591e847a7ac3d2f633af3e6ee90
SHA256 48fdb89f1dae5e5eba0d10bf5e6fcc7167a2a6b56c27629b9ad2ebf7b7e8400e
SHA512 22c2994fb25dd129c091bc19e8c4f43b9cc20e08dbc0974e6cbb3aff309f39eab14332f76c3bc2cc1065a551579a565ce5b44dcd36620450a356fadd9b671f64

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9d6dea6ab90c4b9069d48b72de4926cc
SHA1 0218267777ffb139670dff8c665632bfabbd56ba
SHA256 21269df190a6cbe75758928ef58c8ab62493fed3eb61beefa79070fbbb14199e
SHA512 00f2287e042f3ec12a5f7145514a0a3b34383d2000753ec139be082fd14bd2ea605ac31bc9a2403e29840327d762e3df1b46a5adbf954f74b0ee71a7c516212a