Malware Analysis Report

2025-08-05 21:21

Sample ID 240304-11n48sfg58
Target b337b7825c832c6a31a5207d22d5f987
SHA256 5827dc336f6100d98832279ffa07c57f93ed8f233644977f519b2ac2d687936e
Tags
aspackv2 persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5827dc336f6100d98832279ffa07c57f93ed8f233644977f519b2ac2d687936e

Threat Level: Known bad

The file b337b7825c832c6a31a5207d22d5f987 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence ransomware

Modifies WinLogon for persistence

Renames multiple (5573) files with added filename extension

Renames multiple (91) files with added filename extension

Executes dropped EXE

Loads dropped DLL

ASPack v2.12-2.42

Drops startup file

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-04 22:07

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-04 22:07

Reported

2024-03-04 22:09

Platform

win7-20240221-en

Max time kernel

145s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe

"C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

memory/2164-0-0x0000000000300000-0x0000000000301000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

MD5 06a18d8092bd6c922d07922d3292f2e2
SHA1 76689f623991f89f5be7df73cd7058994c773a20
SHA256 a6d1e72ed010811b4694ab1f262d4ed4eb16f710eb9d14ac4d05f4796da90133
SHA512 5605c3e3a7ccad8c893bb39e1f34887b814011abe48681a1c3a32b3b31fc39137818ed83a950f535d80be16df59aff28f58f9a7f5477f776146f6949d96623f5

memory/1240-10-0x0000000000320000-0x0000000000321000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini.exe

MD5 ad08ce27e5e85d84dda0d508031ca060
SHA1 5b561353d8365e404ca068a284f46be9442955e3
SHA256 63e87d4a0b445cf2e407290a31ecf5d226bb1a45e6880bafaf4fc68d1cfa7e96
SHA512 bc6ecc5d0eccb31a2ae088323a5ebfbf5509d0b313626f70a48436ada15265827f96b13dd87d94676d8a85c9dac5fff5d42b9a7dee57e57c8c22267fb6a49116

F:\AutoRun.exe

MD5 1f5e185c57a7268df04cb6b2b76a92d1
SHA1 d5eaf064d4877eeea3a52b4c0d693ed6b7883024
SHA256 11d1774e282834a8028bb9b99ac77e6a8b11e8d4be9c170f4748817c603435ac
SHA512 021716ba8d6804b6fb8c6c967abbf27d713dc0d264c0bd51b509b0b69fb74aecd252d5056da10b9241530a758a147a9dabf972c42f90b5a6e45bf1b58d6fdda3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ddadcf81a9fc83b0b626c30e78880a9e
SHA1 9224fa092550dc910891b20b6c5b15bdbd2c65bb
SHA256 2c91d8d0758afff7b10a226b3ea0bcc60af1b11b2b349e03cf97708bed038ac5
SHA512 d1ecc410067ddf6a7f34de0d321ca05d77bc632e64bfc2309bc1c3bfdd9d0b8efdd04329a16fc902f03473c78bf828cd04fdc96ae0884fee44ed804373d28559

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6e1b55823cd42884621c5032600b2bd0
SHA1 ead036d292af110d57e996403a2719e388290f95
SHA256 a00e3208e4dba6080062f4953fc109ce17104c9208eec904efc692424aaabb3a
SHA512 a45887dd6d102d098f46fe19618da388da20ce04df8bfee0895bb09958de9084d608ae5a9bffc9e04752f9188cbf0814b8e9755ede6a220bca7e2adb5c8a422e

memory/2164-240-0x0000000000300000-0x0000000000301000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-04 22:07

Reported

2024-03-04 22:09

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (5573) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\Lang\ug.txt.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\System.Xaml.resources.dll.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ppd.xrm-ms.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\THMBNAIL.PNG.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-pl.xrm-ms.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE.POTX.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Library\SOLVER\SOLVER.XLAM.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Common Files\System\ado\msadrh15.dll.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\System.Windows.Input.Manipulations.resources.dll.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrome.7z.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\jfxrt.jar.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PPSLAX.DLL.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\DATES.XML.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.DLL.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOSB.DLL.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\jfxmedia.dll.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\jce.jar.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\WT61FR.LEX.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\7-Zip\Lang\ja.txt.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\WindowsFormsIntegration.resources.dll.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\j2pkcs11.dll.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\w2k_lsa_auth.dll.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-runtime-l1-1-0.dll.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\7-Zip\Lang\vi.txt.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-string-l1-1-0.dll.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\FOLDER.ICO.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\rsod\officemui.msi.16.en-us.tree.dat.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\PREVIEW.GIF.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-fibers-l1-1-0.dll.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\management\snmp.acl.template.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Java\jdk-1.8\lib\deployment.config.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ppd.xrm-ms.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Drawing.dll.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Xaml.dll.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\mashupcompression.dll.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\orcl7.xsl.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ppd.xrm-ms.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-oob.xrm-ms.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OUTLFLTR.DLL.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\oregres.dll.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jcup.md.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected] C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-console-l1-1-0.dll.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ppd.xrm-ms.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\PresentationFramework.Royale.dll.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\dtplugin\deployJava1.dll.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Microsoft.Office.PolicyTips.dll.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN058.XML.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sqlpdw.xsl.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Diagnostics.StackTrace.dll.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.ServicePoint.dll.exe C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe

"C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 23.178.78.104.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/3404-0-0x00000000020D0000-0x00000000020D1000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 06a18d8092bd6c922d07922d3292f2e2
SHA1 76689f623991f89f5be7df73cd7058994c773a20
SHA256 a6d1e72ed010811b4694ab1f262d4ed4eb16f710eb9d14ac4d05f4796da90133
SHA512 5605c3e3a7ccad8c893bb39e1f34887b814011abe48681a1c3a32b3b31fc39137818ed83a950f535d80be16df59aff28f58f9a7f5477f776146f6949d96623f5

memory/4656-5-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

F:\$RECYCLE.BIN\S-1-5-21-3270530367-132075249-2153716227-1000\desktop.ini.exe

MD5 5408c43fd561c4d49e6d516656dc568f
SHA1 414ffdc2cb035e243593bba3d3963969a7829909
SHA256 e38f2aa2211404360f58cf695079e1d58a57fd6daac2f8a05ee756e42695f840
SHA512 bd512a6c07edf3535102b21601863c90bcfb9943817590718032fce462e7484c9d8c748c0670a4d20e6acc1ec9e6fa36c2c9dacdb81053df8636258093354cd9

C:\$Recycle.Bin\S-1-5-21-3270530367-132075249-2153716227-1000\desktop.ini.exe

MD5 aafaadbf9caf4cab1b4edeee61508fa3
SHA1 4ea21907f4238c3c14d1172f15965a6507b08e13
SHA256 ac221a367432729552877bef896c7a1ff17c8883f5feec8f8e0666d34cb32224
SHA512 d14edc1f400349a5ab18efa35a636e86519f356e362796cb933b75e8f45a950a85b12a24fcf4e696a2222c1b9b3eaaf45aefdc17f6573aba3bc0b7aa8d925ae4

F:\AutoRun.exe

MD5 b337b7825c832c6a31a5207d22d5f987
SHA1 a73f1613c58aeb342afa205a0a7c3fe6dc93de62
SHA256 5827dc336f6100d98832279ffa07c57f93ed8f233644977f519b2ac2d687936e
SHA512 98002aee61204d22bb526d3e34b11c7852f163e0671a40dda28706196296432741867a9e743e1cea45a8e6d43d597dee2e3259d16d394a89d60114b808a4deaf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 fb658faa566ed9e33dcb8b0ae5eff83e
SHA1 4b4aedccebe35659ef1d44775f05b25d7c23f100
SHA256 1b650fc36388255b6e23e2baa58e37936de9d1a940e8c60576e03664c58e38cf
SHA512 42c0c12bc9484b8f00767231091b4e5938bd456647a218631beb37e93ab8171e4eaf9baf7049f18946c0db0287c4ff17f88d8974add58e799bbab092d73d3146

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 61278af18f7ab24cdfbf2a7e02fa4ba0
SHA1 0397d025572051788c11b6c17150e47a7fbf6f84
SHA256 e6be627ea6095c64de946ceff6422ffa45d585f32cbefbd85ce38b15ba88bdef
SHA512 3a675c6aba014f16f145d2e4838b84514e11629b990d92f744c6a7a8dce33f0068306de6f7330932e2585ac33ea5590e17255a0da9a1c3bff4f22ec27daf55d7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 8eae84b758084c922722f94bf8d3f298
SHA1 a7ba1ddde6e3800f2cd8ee49936ef5636fc23107
SHA256 73dd21851ca262038c4b0d461002f669e99c9b91ff68ff00505816c6bbe40b12
SHA512 c1fc82277c321e788f121af93f408b79705280eca9c3552ca1f9c94a8e4567929a68e907986d24177aa899937ec7e11867ae0f6dbb5ad5a510935933f24d1e23

memory/3404-7846-0x00000000020D0000-0x00000000020D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c48a89d67a717b35d2ba0235f78a5346
SHA1 e95ecccb869036a1595b16066986c22027253cea
SHA256 73c11dfd481589b553104596a438883c302ce8de797e18fa0c87534c1d3d0170
SHA512 14e5faf13254176bb55e306d48616e055a16fec29d79b860e1bb65d6338a204caa425edd7427195fd42757fb3b91bb36b68eba4646f3af7d5afd24d03976e092

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a7f231105ad693ad37dc25ad0681553d
SHA1 3b72d3d4c9f8ac4454a21823ea363fc9e157f6fb
SHA256 14d9761503171174becf9250d463d7731931043f121139b334ba31f4473ef615
SHA512 577179e3c0bfe43399e035138723f0107a7f0b676e2295ac99e5ac2bffbe7aef9add6fe7a87796ba9749e161da07d43cf817fa8949eb84067c55d07511b5d59b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 4c1a488e1cefcb9270e31708930f70ea
SHA1 728feb62643b34f2c7cfba7823b4dc99bb70b084
SHA256 651cda403582112103441a423ce07693efd82cd96b67bb8277101f620910e3c1
SHA512 c45d80ad586db59418f6f095d98f055298a310cd3f73252c0f2e8f5cf7d72284d0fa032b82b51a7f171397c19a789097f6d1ac141c53804cbfe34451e0efd70c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d898fa42c01aa9259db5e470167896cc
SHA1 d46e92cfb73b516891c960f1f05cf123aeea2511
SHA256 2a87ee0757f2cf69019b7871a2505220f277ea14d0c190e1fdafdaf6fc231e54
SHA512 5acc867e716eb66524091dd97c0d3e76685a4284f2e631039573862bf97911ba80f65780db488b804c25f5bb15ffe0fa59ee6ff1299017387bdad3a8b1cd2e0b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c46870a5163f6d3439e89fe31dc583a3
SHA1 71750d3451e02c43b2d879de275a0375e60d200f
SHA256 e0c4bf89fe956f4e5d9fd582c3f1c7b652c500b6a4352bf684faca1837b2f986
SHA512 1dab4e142d283809ada0d05ac5cdfde4a6eba8d84cc4e8076a07032d7484da3199879cab198c61dd324bfce34d430a6e89b980a6378c9aa9db570e6439a5942f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 29686d7ac2b58be59c86dd60f4458510
SHA1 cdbc2f3429eb9912b6267a88664287f38d7cfbac
SHA256 05bf28314acea9e72efc2345ce5cbc2b75b35b439ed8a66793d741171ea6e4fa
SHA512 c71a8616344805c99d94de4053a2256c4f4e9f4ce18d58482ec7513722b49574b75c6fb2bd27ce3acadfe275b50a359566bb2fc216f6a2f994ae11136b102afb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 fb405c892b51af838d60f27fe838a6e2
SHA1 eaf1e93498bc98bd6b9442fb4408d1db91f4ce26
SHA256 02199ce7808f6a83278a8674e8dbc9e64074eb8ce72513e6093b53e0cf1d3f4f
SHA512 6e02e03532f78aadc647d0ca5912935d1dbdefa7a3aec82ccb407368b76490231b345aa76f8022aa590257b15224bd587d37a3a48ab69107e656e9013eddc99b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 07255bd2031a7cc31fedd30ba4c7ca23
SHA1 2b64def9e859e44467a30df04bf21cad38da5a86
SHA256 20c9e4e5a1351444823f0d0d6907f5291d2158806af8b607bffaf43ed447158c
SHA512 6a9855282cb66645994fe0af5be1d41011afe5ff95ee5dd7ea038e1b886b53eb97b121b445f71c18c493bf63ddbb2a264658dfad65e7f5f3ff9574bdce90348d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 42b9a2d936423504727b43c0aa8287bb
SHA1 368d881b10dfa02d8940cadc19a9bb9b13e885bd
SHA256 6b88082d0381e9ee62f4be252a39b80c50d660496960d6d587ff7630e6176057
SHA512 75537b6ddd90ffbde813e49aaa74302f6c389c3376ebd59ee9742ebe6307bd801364559efadd5a79d14581275430cf28a8e1bebacb420516dba2f50baa142a74

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 985f9ecfea352e29bf05a813b17c323b
SHA1 3256bb3011f3072caf09a981bb2725de8a3aba71
SHA256 c0d821dc931519cbf9676b9e2d799d12efdcbb98aa66900006e141e31b908b4c
SHA512 6031fe06a5d3005aa9583584fda7b0924bdd1cf182cee49cb2517140218fde96ac71953d25d6dc6231fbbc8d8aa10773c509ee5dcf23d9837a9ef7172fe2fb9c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e3b6a9ae1dfdd748585847355768dc4e
SHA1 ca852669f857f7e1d9d22d5f008dfea8196e0c7d
SHA256 a1d011bcdf53eb3d2d3430c6a448f41273353c1a51fed1c82e4ee08cc31af10d
SHA512 6bfa138a5ed146d733c692c11eaf11c15a2aadd0257837c886640749f0bbc209f2ea4044ece786d2353e04a7673e8bdb53cf5602eebbfb0d978b4db54b57625c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 008b0ba0ab7de825a5ee87d5b0a984ec
SHA1 94a3d25158cd98fb0e85ce1100a625587994c483
SHA256 36433197dbf8acd51c947b0839736a36074bd0784f960a5708ae67750ca33dbb
SHA512 a97fd3180095a50b6c9d85ba5f1ea4aceece02be5dd595e8e627f2306d02f4790f024209c85505f21179de25a73e55b94857f057cd0d90a652a05d2cda5ee085

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 41f7665bb3615f396078d6dab37e5843
SHA1 243a8b88cc0098ffbec4f53453baee72fc207672
SHA256 f546a9117e2c1e82eacd4be83a4fbe0ab009d2b65d6f7c54f9d114134aa56e65
SHA512 0eacbdc643d699a11743247360cc0ffdcbf5a08fb98b969efadef4e5984018bf84a133e7dd79931fadb80015154ab2d0bb4cd15fd142d5bbf347e4f7560fea65

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e38215efa88a700751f01d068d424c3b
SHA1 0172dcbccde06f29f54abca86a9d34b283934e39
SHA256 91e1d1abde8d0518febe1b66f498ff412e4a12292e74fd94d6620ab184499401
SHA512 4b57e5f772f07c8828abf8e55eb33943c84d7b9ddf3e2df225ccadfb4cfe44419d4165c39af71104032b7f24de16faa96474d9b9b8e2d71d4b751c48165b3351

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 6abc4360aa0c6f6693c18ee366b9e098
SHA1 0340becf597e6f6cb5886e8c51d69fe4b28668ff
SHA256 1d133dedbb4ebb4b7e9aa406c831fba89a0f49acf6538ef7b2671e976665ca26
SHA512 5ea4cd107c6dfd98f8b556ebeccdf593f15c445a3a1f3ce99e9b32d5d0ff265fdd4dccf30e36bb4072393d540da1bd960a10599030a8609581ba8f6b384f4d8a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c603e7cb573a1dde5a47c0845b00edf9
SHA1 1ab3e18c0c897a893817deaef1f158243ccf0f00
SHA256 155d476ceb176af81ca4f88088509c38d12f2a02956ae1865cd0179f66f34e61
SHA512 e36d666de5a33f176b36565468534c8967b1951d4adeb0d0d165f656b894aa5fbd17fefcb367aec005a8b8f36815f4ab3fd9ebc47344990ab84d2ab72d41cc2a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5726f8222f93a20cc98842ed0bb04bad
SHA1 f1b1a73f6fe998b613c0f83b27c8137fadf130a3
SHA256 b73857aaa6ddabf1d901dd833d948f9f4dc730ea2a56bf5d459287516fbbe8f9
SHA512 818ff1ed17fc0f4e1418ee648d2558acfe14a3ba3f89ba810002d8e589387f1be7be7592fa074b34cb3b61dba56943d5f8a0daea79037c36fdaf4e0f06ffc48f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 397755d48394e59c99579362ed79d221
SHA1 29a38c1266a84a3f468f7a0081a5269c176fb272
SHA256 ccebafa9ebe572ac89a9dd78587a83d80561d589b036b7c25336f06530e3a899
SHA512 3cbc28a8f678667c41e17c63c76b2ff2c770bcf0a0696f4df9f355902f070653543b6330ff14feea6cb8401100335c1ee574a0bdcedfd0a1a80726b6d4fa47fe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9dc4aa1b45ed1e9afa97118b2459de78
SHA1 f6d966bbbcd27bca3fcd201fe71c0bb14cce0cf9
SHA256 4c16a56a7940ee64115138db00603a6fdfdf0e2dd9286ee6e6c95efa29a1da03
SHA512 0fdb1e405a169d101a9ecd85925f07bcb8eea826d79ae680a52749e22282566f68524b6d52da58f6d0dbce18300574cc4ac1ca33032eaf0347017370d5fc76cd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 14cf77a26a8dda08d642313e826b3630
SHA1 3bd973b286c7340f7e5b8db2443a49e4728ad781
SHA256 41266e55a66c2255697ac860bd1dc8f59bd8ddb36a2705fe3661a41ae6b1a3ca
SHA512 eeefae76e07b8198c614355a4063d6f5ed14ed789845b05b203ff8193b3a519d1448e5308847aabe467d8385b23555dda74a0623fb0c284e38be9d179ee802eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 547647f1434b7b0b5983ec5d8a634e8f
SHA1 3e285ff2a3ff58d25e2d40c5e36ac17708f8613e
SHA256 36ebd329f743768c484fbac53b425b34516885a3670d80105049a2cd7c923ece
SHA512 27e607aa0290af69718f7272edff13931c0a96430f8ad1a3246b75178132270260ec68036d07382cc8a2b9a6b0637805b7c5b0f442c5363dc6ca55f52be97c67

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e3fa4332d21c1f40c47d7514bcde6f5a
SHA1 f2e10941d57c25d035d5af8b4249d0d198b3c04e
SHA256 94801420d655773b11b047fd41e48e8c5d10e8b532d47fff28e1e0f4b478ccc8
SHA512 c626f40da1d4322b31310b8711972f123e0d1075cfcd6fae231de1f632ce8bdf852a78865abb053fc5bd0bfd1849018d697ac27f9c557054c0939f52c728da10

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f20e22a4b0d2bb3ef9ac7f79d987f87a
SHA1 3de26f42bf08b8440a337b8b492f5318402238fe
SHA256 e5d5d12054dd5aed690c1d578f245597ed81fb965a6cddddcb42b78c9c634564
SHA512 c3735ae134dd20aa4b8dd019998f3716b0b1261e9b040c50fcec0a4100d734e53be71a24b2e09f51cdeec4d5515f0af5825893578ac10c067a4224f1188a3454

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 da24942e3076600ab0ad539bf16a4285
SHA1 16726ce7c26616c380cc0da1173a4d361b3ff28f
SHA256 44502679dadf14219f52d1f79b1229bdec53f11aab220d80c4f2f8dfbfdbacf7
SHA512 5639c408a12746510e7f2d977373df29db53f851fbfdb557c823a4294162de8bb686236806084a312bf0ffff5e3c668694e0bfd54c9705e64053406082f7023d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 94c6439f80752218a6ff2998b0ed7b2e
SHA1 3786cd0113707d95438460a60315d8a36767e793
SHA256 93da1fc8e13bac44ce13f2c215ba78f40febc2d80f3578ae7b1664b1c5e73f10
SHA512 d463131031f0418e9f3b15fe9ba9bf9d46698d3c8f11fb1f4b7745a9e2fe0281e8fee3327bfb35791c3ec7aa32e857fafd702bf43f2880cf774e7f11b1a06f7e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 5118b87aef168821db691fff33781ddf
SHA1 684dae81cf65e3ab2ca2b7beee25ca3dac783f84
SHA256 f3aea10a3a67193ebc05c3c5b4bab9a14a89e6cb09eceef758d53eed7e6124ed
SHA512 afa032aaf68a4d80793ee81c5f9094625e7f980e0f54781faf23cb1801f91a2af8091d08b964ecba5d2c6f9d50ce69bf7a6823e40adc7bb17da3205181af64ba

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 03acc876d80dd9989722189ef688f5f2
SHA1 a3a164d1ece7de2ac899853b4ad5ce288474dccc
SHA256 fc51d53fb712c061e54f5e5793c1a9015f356a48752769ed7cf93e58403a9a76
SHA512 d4a5e520246f867ce60e515d5b4afb8d7a1676d497a23c5c35144cd654f13efb4b0ee47ed2c8105204930d04b28ccd466c3d67fad2b0c0a250fe1e030f410369

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a014913e603bd5571140ecc7e0a64232
SHA1 0dddbadc2468559a4daa0d1e54c0771eaf18e102
SHA256 809a0796d731b3437b28dca8f2a66a0fdbe4fc349b8b765b696e97312abc1a84
SHA512 ce11b7c438636d772d247d5b9a848cc73720e9769647e2ffbf4c05ca4ed417d13098bf3ebe09651b4bce236184cd9faf60f9d6bce494e14a5981826ab7ffacec

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1347e66e5b89268750acdaa281775856
SHA1 70cdf2f2bda6de067c15f56c96d0208e8750d125
SHA256 72031dc5c9b75afde6ba2210158d4723e53352d4ad9e7475867977900312ad1b
SHA512 75521aa7b28031b42b6fbbb882c891f57a2f303182735970ad0179da44a24de7cfe6ad780a9f28f7cf531d48b36f5802788c4c6852f45c4bd1bdc4fa7d679cea

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b52403717384b365f30a94154b448458
SHA1 eb5564ed86cbc2203d673ca342c214c6db16744d
SHA256 31a1d50124266cc346769b1541344ce8cd86411e7b9c9addc1fd79a3d7223955
SHA512 2b9c6b23375d2d41aa66a03eb40d7461dbf8f7c8e4eb091938937ac966c97d42f4453b1050f6c67ef4e1f2d5fa90aec762bd3d8ffc03cb9e497cbda98edf3fe8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e5927064e3c3e63a3c69a88ebcb94dc3
SHA1 3ca7c8929c4aa7d77ca84be4b88d7b144f7fa34b
SHA256 711e9bf15358af7351bd3868e66d5f22f16c1c63f14be14ed796a184aca950c2
SHA512 9731c227952204e7c0ce530319dd776073951575a02d1d9c5c405f1902f1e8fea596566e20e623aa6666ed3f921abf29d73887bf0da53efd5280bc5761aca1c2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 626071a9d0bd8fd488b176b6e643d156
SHA1 bd3b29e6086fe1b65cc64a22eea276e46b50c3eb
SHA256 350d1bbacbf10e6ac6d8030041b5ef834821ff939a24631892301cc6e0c10e4c
SHA512 a4ab075ef3dcb3d8d252b4e04ef6e21e75b7e3cd570ea6c1d96e5aeb308e60257d72367e25bd13b097b61af5e8345caaf3b4719125391ddd30db0dfe5b2938d9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 09c4fc622f21dc4f56282b4a180e2c01
SHA1 3da9cfa7e3c347e6c420528462551500521ebf52
SHA256 d83e54d7e52624ccc50b5ed4fe0bf3fdda9765c34a78bf0375a7ba73f118d8fc
SHA512 c465c88d9924a9171e33b617ae9df2a0ff29896038eee8b4e8bd38625e55fc53019e28d92f781930c195ac9d86fbd18d6e036a48c52bab6e574dcbf9172ad59f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 7c2845e65b01cb7265c0828572db6ff8
SHA1 785e48be804672106bed15f36489a21c5a5302b8
SHA256 5a2ed5fa4db27d2b452180763417b8ac63a9f634f8bcda8ca94a16610b1b6d58
SHA512 538745f9ac636d9c2663a4c2dcc65d996f095bcf4aa50c4f5ef72b0b1cffb6903b919234d085ac40de88e1aedfc9334da1de3c2c7c461f65c3fc2069377ac7b3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a5b67f58e462b77537e6622b79e10fae
SHA1 b929f8c6f55d4ed7ac786fabd0d0c768083e1246
SHA256 edc9ceb55f241fefb85d818b20588b223548ed46668661d60fe4f315bbda7c27
SHA512 e01d04ff968d52cdeb06089363cf8f686e22032b5289aed8dda832902c21e486f5d0f3a24562dd86d41fad157a68ba4667ddcd02146c717d8f36d30783ac6541

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 32e0118bea4a360c6b6d4f4f7e764e30
SHA1 bb10bebcf04e8cc11dd15375305b200f4f992b25
SHA256 75fcfe1d30c136921efbff4053f8fdea49654786b657af53e9e755aba938f1ea
SHA512 d2be6ea32af9c3823f47f647f7d62831956996feea36f6d88584597569f182ec34c70adbd6dd10b182f8cc364ea0ce07978740d918324f7b334a6912a5aa01c4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c1ddb744d057c2a873946bd6e527cbe6
SHA1 52865eb76e06510851ec66dccc742bf7ada12c0e
SHA256 c1735ee19a4eca239c901b31049fd57204f69d49f2ce2bdf3f8e41cce8e55a85
SHA512 732361aa18a60acf444da2ced2842f6be79c6d73b761b9b537e47341262eb3d5d03a3c7e50362bd751883cdec565ea9ba2c27557fdd37e0b7cadc0b5c0d97980

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0342b6fba6c77569421bbb901dc48070
SHA1 41c7116d4570e562afb8ddf2e28f31279c8f5f5a
SHA256 b0b8a860dca8432e4feb03ecf77dbebba29af841cec891b0fea8f1484bd22cae
SHA512 b80fbe9b6a454d4fe2a014577402e74d129997d171736ba7f5c5cfa0e08cff6b82284fd5ac1821605d028b62bcb9598e5cecad62c4d5e34311cbb5a62d0af944

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 b4d817cb54dec94e786b49d7bd61da7c
SHA1 a5989cbfaa1e0cb19080029098c98618efa4b94b
SHA256 ddbbbbb1a918879ed4db7f8e3bb2a80cd99768195f329f2fff6aea910b62c60a
SHA512 75414fbd66e853609fe58f168c3bc132f260eba15b89de2ac1f776adc20e07f5a6bdf9e621b7b222b5b96e8195e912282b0b7a6369a5880a89869ca41608899a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 e70903ed68550a3bd902e40e5a1c6a3f
SHA1 0d2c88e437dc8bdc138682c5ae3282c1242c9080
SHA256 8177834624d74bdc4264cfaf15cbe2f78e503e7d91d37f2ace799997cb6260d1
SHA512 49f4f8a60fd98062372b8ff46d3d0bc501806d56f367955b1675a85aa5ec24260ce7e920eb8338e66249f77dcd515fba1086b5835be79e53795596ace24663a9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9a18fcb612dbf6bfb259feefda8be4c7
SHA1 340019daf4c46d17ea726024db572ebf9ada9fe4
SHA256 8b7ac1edefeccf8c298a468e086c03c5f808091b8d962cd0113a35e93024f4d0
SHA512 d08f5e427060e38e923a53378d5947a812f49dd09f8665e7e69626570c4c56961bb6f109be801b1dc8e64d3e4321e45b1c1189ffc889fa75f1770c1913e6f7f8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 71b7e2915294455d29aee50dfdb76b02
SHA1 ebe953bb5064c9500aec0060cb7edd09b7b4e25d
SHA256 99de76cfeb493b71a605fda1601576d43564894513e62aa8e9b809bc1beed604
SHA512 aea47e818cab4252d2c9a1bb749b07ba4d94e85ca5431851e516d0aa7d1d4ab1ba4c325928a43d794e4c32df7aa5aecd9878358815639025a317c190301d7f29

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d85bf880b286ff04bc63b3f65d8d6dc4
SHA1 b5ded3b552c3c63f778e9051dd8f574966b76677
SHA256 e5a0c2fabbf1cdebb52e029b13f526ed936e2da2a1dac9ab35bebe98e973a9e8
SHA512 d4031268ae0d757e2655a93187c005510484081cce635eaf2e46c499b642ad807ef24ef36aadd0d4bc4a080002174208f0f66ec77bab3d856a1a7d67308f3b73

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 612885d5d8dad539edbba49067ba1bba
SHA1 070c39ffd7f4e81fc7571f095b26c1923b80de87
SHA256 c1a860ef20132628d890c1aa0566267ecbc9a0286f337a2bb6e87fb0fef74d06
SHA512 2c55941d2f92970d75046c99d172442556e2305663893d04f49d7f9e22ae37277003271c110e0925c95f3939bdbdb2b2b601c19bf44fb4104a2321dafa2395f7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 295738e1d64e194b62f4941979b7f278
SHA1 0c1b7953122efffd8b18b812fe4ddef5f0925ba6
SHA256 54ea661544d79e86ff2936afc29beaecf71b2cbf21037e0fc8a27df8a4019ac9
SHA512 4a62e110fd2da8e78c11cb00f7739b66217a73bc286da3d7668afc4b4250b2abdb59467575b7fd53dcbf2a7128214ef990037a4d65ed4bd3a86ac320804259c3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0bf1f5a9200094aa50a12cc8abc7dc72
SHA1 350105e5f7030530fab135faea1d18529702c672
SHA256 3004dcbb730ca219b0cb8256ef8b6bdaa4f334a399f7100880d814a3d7891fe9
SHA512 ec9376bf4ffadcc76ea38c310e568b30f7e9b22687513d087ff0f1132cca034b3d80889921d7ee18e6f4d160e56babefee28626b3b2c0f52a80fa3600ace8598

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 30f6ac85008809988dcef19965857a0c
SHA1 f6343ecab331c806f37da8134cde82aa6b0cfdb1
SHA256 eff18d6250c6c8812bd8ed2a8624216eb70c96e9ef661614f55b60ed1a29ffda
SHA512 f1a16e0ff1ad3c179d0bc65646f71440c5947bac49b0df6b1a9691eec399fb456bd16ca9b5603a56c6c01034653820bbd298816ffabf37ea5ad7c8435fd47c07

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 fee43c2662550de878886f7f2b491b2a
SHA1 f3580d84d98ec10b3bf26092c835079f4147a72c
SHA256 183063c39b2f747d75f3822fddbab975c0fec4b592c66d1de17b29be8191f2ef
SHA512 e13987961c5005cbaaa1785f4b5689be643f3cca726098c8c3c35fb56389e4f1c5d740f074e10df1dda06e8570f0bfa6005643e7c0f039ec76a573981b0b8c75

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c2e09aa69403c7621f6f8241e2f05409
SHA1 9ffb2e000c7a3bc743242d354ce6376619a466f9
SHA256 19d1c67007cb38f4c671847f02afe7e9bfbdfed12c439c04293056d09f4b325f
SHA512 8f16fe98dbe86c21f268748de102051f2c0708f0798dc82c26ef42d914e9386e5f1174b9f2d7ff1e7cc4f4a30700dd0976d294c4dd55ab97510503868690dd2b