Malware Analysis Report

2025-08-05 21:21

Sample ID 240304-1pp76aee4w
Target b32f8e38b6835b37ce52f3aca570ef8a
SHA256 dd776f08b03b1ef85c1eaf1b3d6b945f003a04d8ca1570de6276ca73de37e814
Tags aspackv2, persistence, ransomware
Score 10/10

Analysis Overview

score
10/10

SHA256

dd776f08b03b1ef85c1eaf1b3d6b945f003a04d8ca1570de6276ca73de37e814

Threat Level: Known bad

The file b32f8e38b6835b37ce52f3aca570ef8a was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Renames multiple (5581) files with added filename extension

Drops startup file

Executes dropped EXE

ASPack v2.12-2.42

Loads dropped DLL

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-04 21:49

Signatures

ASPack v2.12-2.42

aspackv2

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-03-04 21:49

Reported

2024-03-04 21:52

Platform

win7-20240221-en

Max time kernel

145s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b32f8e38b6835b37ce52f3aca570ef8a.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\b32f8e38b6835b37ce52f3aca570ef8a.exe | N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\b32f8e38b6835b37ce52f3aca570ef8a.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\b32f8e38b6835b37ce52f3aca570ef8a.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives


Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\b32f8e38b6835b37ce52f3aca570ef8a.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\b32f8e38b6835b37ce52f3aca570ef8a.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\b32f8e38b6835b37ce52f3aca570ef8a.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\b32f8e38b6835b37ce52f3aca570ef8a.exe

"C:\Users\Admin\AppData\Local\Temp\b32f8e38b6835b37ce52f3aca570ef8a.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-03-04 21:49

Reported

2024-03-04 21:52

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b32f8e38b6835b37ce52f3aca570ef8a.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\b32f8e38b6835b37ce52f3aca570ef8a.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

Renames multiple (5581) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\b32f8e38b6835b37ce52f3aca570ef8a.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\b32f8e38b6835b37ce52f3aca570ef8a.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives


Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\b32f8e38b6835b37ce52f3aca570ef8a.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\b32f8e38b6835b37ce52f3aca570ef8a.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\b32f8e38b6835b37ce52f3aca570ef8a.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in Program Files directory


Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\b32f8e38b6835b37ce52f3aca570ef8a.exe

"C:\Users\Admin\AppData\Local\Temp\b32f8e38b6835b37ce52f3aca570ef8a.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network


Files

memory/2972-0-0x0000000000540000-0x0000000000541000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 098a7ef48df51eb2b742b0570bbea24a
SHA1 7a16b5b07ad2966ba39cde6f5a6cba0c1b56d4d3
SHA256 4f8f094cdfd61ec7fd6ee7170e7387001880dc2a8e195ac7a1126e8ea61d4e27
SHA512 122481e51605b8f4245f3a9025b954e059a73c86ee70bf261deb6649dbecaa59c309d966465ef30963f1703b08dac6947903739c8203f5a0cac8c2da789a3402

C:\Windows\SysWOW64\HelpMe.exe

MD5 0d6358510d98974a3c246ccfed1cd661
SHA1 9b146e69099e9822d77a9ebf77abf2f53c3347b7
SHA256 fd91f32e28fcab74d0a905ff6c133f804407a6a978bd1f7ce2f7b63d8008e960
SHA512 ad71c6bc398f7fdb3b77af6bf46b9c1f94241a9ba8aca2ad0eb5192db4c2d51e19113cfaa515ad2dcedb53cb09476be07b7aa1b09f11a88f3a0e641e5f5b153f

memory/3016-5-0x00000000005E0000-0x00000000005E1000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-983155329-280873152-1838004294-1000\desktop.ini.exe

MD5 e1043b00affe390785e539f4d1e94ae0
SHA1 40e0028d41643ed528ae11f388f2845128126aaa
SHA256 2bf97364c7a2140b23b10107cff9890de7b69bf53ffcb47f54113e5592d96c40
SHA512 d3500b5edf7ea6be29feced200141f898d4d70dff2e41a3cb79bb275566cfa86363824a18105ca8e12c0cb91c2b456f5e066ba23f228adfa80f28b2c90698327

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

F:\AutoRun.exe

MD5 b32f8e38b6835b37ce52f3aca570ef8a
SHA1 bb15c07e0bf974d09e45954556de0592c4b57d08
SHA256 dd776f08b03b1ef85c1eaf1b3d6b945f003a04d8ca1570de6276ca73de37e814
SHA512 dd2833c1efe50cb5f220bf28bf1ef57394db8aad34b34499352c68306ed6b753efc0afb7038daef388380cb4a34eecf0ea85a099e4ce5eb3efe024c311e18b73

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

memory/2972-5597-0x0000000000540000-0x0000000000541000-memory.dmp
