Malware Analysis Report

2025-08-05 21:21

Sample ID 240305-hbcqsshe87
Target b40701c5063a64941f1349a81569bb17
SHA256 c95a2621b681fd189ae9c5eb45ca5dd4ecd148f15541d053963ae79e387a1e64
Tags
aspackv2 persistence ransomware
score
10/10

Analysis Overview

Threat Level: Known bad

The file b40701c5063a64941f1349a81569bb17 was found to be: Known bad.

Malicious Activity Summary

aspackv2 persistence ransomware

Modifies WinLogon for persistence

Renames multiple (5572) files with added filename extension

Renames multiple (91) files with added filename extension

ASPack v2.12-2.42

Executes dropped EXE

Drops startup file

Loads dropped DLL

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-05 06:33

Signatures

ASPack v2.12-2.42

aspackv2

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-05 06:33

Reported

2024-03-05 06:35

Platform

win7-20240221-en

Max time kernel

146s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b40701c5063a64941f1349a81569bb17.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\b40701c5063a64941f1349a81569bb17.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\b40701c5063a64941f1349a81569bb17.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\b40701c5063a64941f1349a81569bb17.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\b40701c5063a64941f1349a81569bb17.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\b40701c5063a64941f1349a81569bb17.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\b40701c5063a64941f1349a81569bb17.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\b40701c5063a64941f1349a81569bb17.exe

"C:\Users\Admin\AppData\Local\Temp\b40701c5063a64941f1349a81569bb17.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

\Windows\SysWOW64\HelpMe.exe

F:\AUTORUN.INF

C:\$Recycle.Bin\S-1-5-21-778096762-2241304387-192235952-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-05 06:33

Reported

2024-03-05 06:36

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b40701c5063a64941f1349a81569bb17.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\b40701c5063a64941f1349a81569bb17.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (5572) files with added filename extension

ransomware

ASPack v2.12-2.42

aspackv2

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\b40701c5063a64941f1349a81569bb17.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\b40701c5063a64941f1349a81569bb17.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\b40701c5063a64941f1349a81569bb17.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\b40701c5063a64941f1349a81569bb17.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\b40701c5063a64941f1349a81569bb17.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in Program Files directory

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\b40701c5063a64941f1349a81569bb17.exe

"C:\Users\Admin\AppData\Local\Temp\b40701c5063a64941f1349a81569bb17.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Files

C:\Windows\SysWOW64\HelpMe.exe

F:\AUTORUN.INF

F:\$RECYCLE.BIN\S-1-5-21-513485977-2495024337-1260977654-1000\desktop.ini.exe

C:\$Recycle.Bin\S-1-5-21-513485977-2495024337-1260977654-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
