Malware Analysis Report

2025-03-14 22:36

Sample ID: 240406-r6rymscf6t
Target: e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118
SHA256: 1eba046e573d6710293d85856769feebed1e6a27b4285b5d3fc1bb1dc3c2744c
Tags: persistence, ransomware
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Renames multiple (5570) files with added filename extension

Loads dropped DLL

Executes dropped EXE

Drops startup file

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2024-04-06 14:48

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-06 14:48
Reported: 2024-04-06 14:51
Platform: win7-20240221-en
Max time kernel: 145s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe | N/A |

Renames multiple (91) files with added filename extension

ransomware

Drops startup file

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Enumerates connected drives


Drops autorun.inf file

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-06 14:48
Reported: 2024-04-06 14:51
Platform: win10v2004-20240226-en
Max time kernel: 145s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Renames multiple (5570) files with added filename extension

ransomware

Drops startup file

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Enumerates connected drives


Drops autorun.inf file

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |

Drops file in Program Files directory


Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e2c6e0fe3b1d2b33196db7c8910583db_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |

Files

memory/5008-0-0x0000000000570000-0x0000000000571000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 e54120ffa7565821f4ba0f91f0b68c76
SHA1 eaaa2f1fbdc5d1c6b6e7cd0f056393be18fc35e0
SHA256 ac0f3b521822a9e47ffa1150074d3ed5b9ee3c44d3aacb512bbe1ae22e84f696
SHA512 f4029c137e3ea7af3208ad4cd1e5a66e8b47b1f5a15ab5a0aefd087898e0b6c8a70662513248b63ec183aa2e2bdc754549ee944ae215e63eaa1f601f08f77ad6

memory/3192-5-0x0000000000630000-0x0000000000631000-memory.dmp

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

F:\$RECYCLE.BIN\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini.exe

MD5 a6a4f59a29f0a0fa9d813f3bc5f63daf
SHA1 6eea701e44978e772cd81778be4abf178fde835d
SHA256 c235db892aab5fe89c02b5cdf79dfb6fae18b786f394c3419ee96b7c8cb8ec22
SHA512 70670523e2bb24f45ca5486c86d0c242ca82dcbfe08cf986a2e69e779037481a4c51daa7f5136dc8df30cb9ccf31165c27d50905b5ce026a7a0ca974be2660d6

C:\$Recycle.Bin\S-1-5-21-275798769-4264537674-1142822080-1000\desktop.ini.exe

MD5 63a3ddf08b262a0cc11671e14b03b717
SHA1 ec844232eefac728ed134438608e97dae10a9790
SHA256 1a75c3004d36a8c0a2728940be7cc24f4cefb7d51a12f2e8b0ce99b1e3b4fec8
SHA512 75c81b5b0a6cca68f1e411bc8c2f34e720191e0dde4a8da206d5be418f71b5be4348d172fc4536df4f74d0c00bd92575cdee0f889731aad1640fb5681f73e8be

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

memory/5008-8103-0x0000000000570000-0x0000000000571000-memory.dmp
