Malware Analysis Report

2025-01-22 19:55

Sample ID 241016-xdpkpszbpq
Target 4e6c17950ec1b13b73725aeda8a2bdb9_JaffaCakes118
SHA256 17e759c87e2f420967b3f9a8f9a91d850a92563a9bace61309c609dc6201372c
Tags
discovery persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

17e759c87e2f420967b3f9a8f9a91d850a92563a9bace61309c609dc6201372c

Threat Level: Known bad

The file 4e6c17950ec1b13b73725aeda8a2bdb9_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Loads dropped DLL

Drops startup file

Executes dropped EXE

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 18:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 18:44

Reported

2024-10-16 18:47

Platform

win7-20240708-en

Max time kernel

145s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e6c17950ec1b13b73725aeda8a2bdb9_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A

Renames multiple (91) files with added filename extension

ransomware

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\4e6c17950ec1b13b73725aeda8a2bdb9_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened for modification C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\4e6c17950ec1b13b73725aeda8a2bdb9_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\notepad.exe.exe C:\Users\Admin\AppData\Local\Temp\4e6c17950ec1b13b73725aeda8a2bdb9_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe C:\Users\Admin\AppData\Local\Temp\4e6c17950ec1b13b73725aeda8a2bdb9_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4e6c17950ec1b13b73725aeda8a2bdb9_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4e6c17950ec1b13b73725aeda8a2bdb9_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4e6c17950ec1b13b73725aeda8a2bdb9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4e6c17950ec1b13b73725aeda8a2bdb9_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\ÿØÿà

C:\Users\Admin\AppData\Local\Temp\\ÿØÿà

Network

N/A

Files

memory/1576-1-0x0000000000220000-0x0000000000221000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

MD5 d94befe10d6f7bd73928fc3338bd060a
SHA1 eb43d7e036e1d89f13b33605ee15e590e508d736
SHA256 40cf6f8cea929ab6db466a6848e0c50867d4fa41f500a2f8aee629d89ac5d8b7
SHA512 263f26042e29b3093482aa44999383418b107ef76dbb0f870d5ab8b24d73d72a1e77001a09777d8cc60969c04af57b513e6648e3afabb8fd5e694b8a678b390f

memory/1996-10-0x00000000001B0000-0x00000000001B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ÿØÿà

MD5 4e6c17950ec1b13b73725aeda8a2bdb9
SHA1 101ebc89b79f7dce949b66f0ed1001e80d8f5ad4
SHA256 17e759c87e2f420967b3f9a8f9a91d850a92563a9bace61309c609dc6201372c
SHA512 704ce99f1a918311e41d0d86e977b740e0ec563b7a5af5c5549177b105fcee54e322fa92181ff05ea359627ad2b8aaaf83bed73fcaee78781f82317c30182fe9

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.exe

MD5 edecfc87aa4530d96d87a829758f8bf1
SHA1 fbb836e6df8893b32ea50f02915ba6f740e31ef1
SHA256 5671fd842f199446c0cbb55b848e5d57c17ee1136abecf0c5adc2945500e00e5
SHA512 6edf86a3a8da8c3afe227b5add3eb22d42378ca8244d39124ae0d0b8e27b608e9a2181e90427247bd3504d110c539c4a105b2e3f80822e5097613c5db95807d0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 12f8758e0d78306f527ec290e90ded55
SHA1 0da8473c61acc29ec2d9a2548138fff3df081551
SHA256 f600fdca3719f5e2c62c2237bc4da7bed30a85b3bf8b24b2eb2fbf7ce512a4bc
SHA512 5c086dccbe04f9e4011d88847c9cd88dadf2d3cabdbe923142c4f3c79ca865a5a7eaa8476724904578b9839af15d2f20e18dcf78d2825f7a0b0795fef3e8b403

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 c58b43a08d2aef67f94442b4e8939192
SHA1 bd074118de15a90d73f5cb3298d7b88328f1469c
SHA256 73508ef80c12ce9849d57cc1890eb2978ed627b09c6e3bb268912fc7dca320fb
SHA512 1f9061fcc2c44847d01bcd18e638fdd550b360e2e3ed8408915761f793a852207fc4598907379cf80aac8c36a449359811a9dd5d78142a349a7107af79df7ce9

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 18:44

Reported

2024-10-16 18:47

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e6c17950ec1b13b73725aeda8a2bdb9_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\4e6c17950ec1b13b73725aeda8a2bdb9_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A
File opened for modification C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\4e6c17950ec1b13b73725aeda8a2bdb9_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\notepad.exe.exe C:\Users\Admin\AppData\Local\Temp\4e6c17950ec1b13b73725aeda8a2bdb9_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe C:\Users\Admin\AppData\Local\Temp\4e6c17950ec1b13b73725aeda8a2bdb9_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4e6c17950ec1b13b73725aeda8a2bdb9_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ÿØÿà N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4e6c17950ec1b13b73725aeda8a2bdb9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4e6c17950ec1b13b73725aeda8a2bdb9_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\ÿØÿà

C:\Users\Admin\AppData\Local\Temp\\ÿØÿà

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/1868-0-0x0000000002220000-0x0000000002221000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 d94befe10d6f7bd73928fc3338bd060a
SHA1 eb43d7e036e1d89f13b33605ee15e590e508d736
SHA256 40cf6f8cea929ab6db466a6848e0c50867d4fa41f500a2f8aee629d89ac5d8b7
SHA512 263f26042e29b3093482aa44999383418b107ef76dbb0f870d5ab8b24d73d72a1e77001a09777d8cc60969c04af57b513e6648e3afabb8fd5e694b8a678b390f

memory/3484-5-0x0000000000730000-0x0000000000731000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ÿØÿà

MD5 4e6c17950ec1b13b73725aeda8a2bdb9
SHA1 101ebc89b79f7dce949b66f0ed1001e80d8f5ad4
SHA256 17e759c87e2f420967b3f9a8f9a91d850a92563a9bace61309c609dc6201372c
SHA512 704ce99f1a918311e41d0d86e977b740e0ec563b7a5af5c5549177b105fcee54e322fa92181ff05ea359627ad2b8aaaf83bed73fcaee78781f82317c30182fe9

memory/1752-10-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

C:\Windows\SysWOW64\notepad.exe.exe

MD5 7a314ecbab37ec7410ceb8bd38cd10a9
SHA1 6075d9d6caa7f1fe465f9b4b543c1b72a2f4ba25
SHA256 8d8540799729ad5b69c48d81c2f344fb9d3e08749f872046ca269af95b83cd6e
SHA512 931778a816916815553dc706e22adae39238b72e24866bc8976b8d97c608b713c5dcc4798ba2b45cf31c195a8eddc95238208b7dc023c5bf6eca36cff8d7cbab

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.exe

MD5 ae51012bccdb10fb239f169aa6a8e288
SHA1 90615f4ae5e7c2ce129ba4b75d02ed09d41309f4
SHA256 68a735aff27cee9477693c4da3587d418c18f8a780b48ab01a51bffd78956670
SHA512 8e0c56c1ce759be35785afc9ccc6bcbf0dd30d42196180b3bf4a236a54196305872c5e949c07cd59f167c1d00304c68503e756edb7c57809abad4c2a74c10a1f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

SHA512 408b3cfaee0900db0c50d554dd0508b22ee6dbaa317943614d0e67b1431f548b302c57b90ea670ce01080f4d76072d8f5abf5b61c9e914d12d851eaf066daf95

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 0d3d73be198df075c2f306ea2d054b2f
SHA1 a42891e4af81a7c45eb2c5963af96ad2764e36d7
SHA256 3fd2194942004d4a6cad7cff3d56e11d4ca0851876177074c8daf8ae0858614f
SHA512 ef07963a7153e52ac99d4b4f772717a907dbaf8ff9ee6db9a2d1e7d7c5c0e7311c9e7848bd5fd6d5364efb2590916f3f80eedbb5468cca609312e00af5f9477a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 77cbb0c37d6044919cfdb849b844cabf
SHA1 cd1b9dc4ce52df4e8c42b5f1de984e6d553cab4b
SHA256 0bea9297447a32a7b79ec7b7d434ef657ebd693b3a9f8033c17029c0d80fb058
SHA512 c0be8b4f998627bd0f69a3a53b1001c2776d3d0cecc71a545782d75fbeeea652650078bbd29b8ea03342b2ae9a35c08192c5a588969773f716f3d2c9b9af0d11

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 62590aa0eada9548cb5423c639c75b71
SHA1 1cd1e7d4f15e63d0ec80b89c3990024a2ceed19a
SHA256 d2228a504e9b26626b1bc0952db287da32c476770e93b9d03b4c718e5d663c08
SHA512 d8daf0dd991c9f696883af417725b847c4888f711cb3e6e528417a68e398fd1920996b26c3608b94f3b59b172744487c0015f4617d4e85a12126ae5537e889e8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 884ff78d9bbb98458a659dfcbb2f9ea8
SHA1 1b82719ce8c3e3556496c82b9af5f844246df295
SHA256 52e8c1db5242d25ce726b7e7c3751c812de089291e397c7f85f526aec83e4661
SHA512 756015b13a4ca352766f56ba2c2d0c513bd1f7da5182c38301df7692b886a6d0aed32d3700aed9bfcd77d483527803913ea13ef1f9d8502ddc6d2e95c9fa042c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 ab041f2a1531fb836c5fdb497abeb9aa
SHA1 34c84999561526282d312c84a8be18e8b6380164
SHA256 b42a79a43b4fc5a38f80d441a39751322ff5b3b7a1a28a865cff9b430f56c944
SHA512 ac9a067f6b48950ac1621e370f5857dc9b94019a7985f262aec3b4048a7b76e72eae429ed6c9c0d1d21cc58479e3cf1e0e7ebffc7d1686a723fd276c5250a387

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d16d7346ceaa535e4913d2690a81c4be
SHA1 94b89e376312a898148c34fd2f89e0ade07add69
SHA256 f595b707e1c749e895f8152e94163f7a544b213d42df028173c99dc96a9f4e6f
SHA512 09be21f7d2259d10b311325965a4d3450f835f6aa26b2a70daa1f56547fd47c62be4b5bf0309f638dfa7b932e41875411ece124801bb8fd9d1b9bf1691b3d795

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 40728014b553e56365ca24eb6d618d34
SHA1 a37fec80deeb810c1664fe7fbba4f56d1de50c95
SHA256 09d1f4956b09ce860bd12374490755907f7062b0da30c4cb9b80583c7c771c1e
SHA512 d286458b830e3ddcbf328f98aa096cca3d5ac530adb5b8645c3452b3d543a25fd0f5200eb1a96e9b2d86e9a6c067ba637eebd3db15f8e59dec7cf25951fb0a5b