Malware Analysis Report

2025-03-14 23:27

Sample ID 240407-wx7pysag7x
Target e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118
SHA256 8f87e56e12dc78afb8895bb823e3edfd0fe757c3a0c88bc5e18bc5125e687fea
Tags persistence, ransomware
Score 10/10

Analysis Overview

Threat Level: Known bad

The file e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence ransomware

Modifies WinLogon for persistence

Renames multiple (5579) files with added filename extension

Renames multiple (91) files with added filename extension

Executes dropped EXE

Loads dropped DLL

Drops startup file

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-07 18:19

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-07 18:19
Reported 2024-04-07 18:21
Platform win7-20240221-en
Max time kernel 148s
Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

Renames multiple (91) files with added filename extension

ransomware

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

\Windows\SysWOW64\HelpMe.exe

F:\AUTORUN.INF

C:\$Recycle.Bin\S-1-5-21-2461186416-2307104501-1787948496-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-07 18:19
Reported 2024-04-07 18:21
Platform win10v2004-20240226-en
Max time kernel 150s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

Renames multiple (5579) files with added filename extension

ransomware

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe | N/A
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe | N/A

Drops file in Program Files directory

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e58fe7f6afccca5083bb1a0a47fee71d_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Files

C:\Windows\SysWOW64\HelpMe.exe

C:\$Recycle.Bin\S-1-5-21-566096764-1992588923-1249862864-1000\desktop.ini.exe

F:\$RECYCLE.BIN\S-1-5-21-566096764-1992588923-1249862864-1000\desktop.ini.exe

F:\AUTORUN.INF

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
