Malware Analysis Report

2025-03-14 22:10

Sample ID 240407-2z5w2ahb5w
Target e60ef3e2e27842f334caabfdc020d2bf_JaffaCakes118
SHA256 3bb8f22f7d2cef1d1bb27933a2c14dd51d579e7b702431ffe695b48568122a77
Tags
persistence ransomware
score
10/10

Analysis Overview

Threat Level: Known bad

The file e60ef3e2e27842f334caabfdc020d2bf_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence ransomware

Modifies WinLogon for persistence

Renames multiple (1863) files with added filename extension

Renames multiple (91) files with added filename extension

Drops startup file

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:02

Reported

2024-04-07 23:04

Platform

win7-20240221-en

Max time kernel

146s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e60ef3e2e27842f334caabfdc020d2bf_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\e60ef3e2e27842f334caabfdc020d2bf_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\e60ef3e2e27842f334caabfdc020d2bf_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\e60ef3e2e27842f334caabfdc020d2bf_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\e60ef3e2e27842f334caabfdc020d2bf_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\e60ef3e2e27842f334caabfdc020d2bf_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\e60ef3e2e27842f334caabfdc020d2bf_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Windows\SysWOW64\notepad.exe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e60ef3e2e27842f334caabfdc020d2bf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e60ef3e2e27842f334caabfdc020d2bf_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

\Windows\SysWOW64\HelpMe.exe

F:\AUTORUN.INF

C:\$Recycle.Bin\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:02

Reported

2024-04-07 23:04

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e60ef3e2e27842f334caabfdc020d2bf_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\e60ef3e2e27842f334caabfdc020d2bf_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (1863) files with added filename extension

ransomware

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\e60ef3e2e27842f334caabfdc020d2bf_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\e60ef3e2e27842f334caabfdc020d2bf_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\e60ef3e2e27842f334caabfdc020d2bf_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\e60ef3e2e27842f334caabfdc020d2bf_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\e60ef3e2e27842f334caabfdc020d2bf_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Windows\SysWOW64\notepad.exe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e60ef3e2e27842f334caabfdc020d2bf_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e60ef3e2e27842f334caabfdc020d2bf_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4432 --field-trial-handle=3084,i,11997299123381683778,5904351605020331957,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
DE 172.217.16.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.16.217.172.in-addr.arpa udp

Files

memory/1472-0-0x0000000000400000-0x000000000047894E-memory.dmp

memory/1472-1-0x0000000002210000-0x0000000002211000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

memory/3584-6-0x0000000000400000-0x000000000047894E-memory.dmp

memory/3584-7-0x00000000020E0000-0x00000000020E1000-memory.dmp

C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

F:\AUTORUN.INF

C:\$Recycle.Bin\S-1-5-21-1904519900-954640453-4250331663-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

memory/1472-527-0x0000000000400000-0x000000000047894E-memory.dmp

memory/1472-828-0x0000000002210000-0x0000000002211000-memory.dmp

memory/3584-1001-0x0000000000400000-0x000000000047894E-memory.dmp
