Analysis Overview
SHA256
649f22ae060c619fde783418f0dd30de18a71c4c98effebcfc92a3c8419d89f7
Threat Level: Known bad
The file 4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Renames multiple (91) files with added filename extension
Drops startup file
Executes dropped EXE
ASPack v2.12-2.42
Loads dropped DLL
Enumerates connected drives
Drops autorun.inf file
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-16 18:59
Signatures
ASPack v2.12-2.42
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-16 18:59
Reported
2024-10-16 19:01
Platform
win7-20240903-en
Max time kernel
145s
Max time network
123s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Renames multiple (91) files with added filename extension
ASPack v2.12-2.42
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Loads dropped DLL
Enumerates connected drives
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2440 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe"
C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
Network
Files
\Windows\SysWOW64\HelpMe.exe
F:\AUTORUN.INF
C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini.exe
F:\AutoRun.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-16 18:59
Reported
2024-10-16 19:01
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
123s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A |
ASPack v2.12-2.42
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Enumerates connected drives
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | F:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe | N/A |
| File opened for modification | C:\AUTORUN.INF | C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe | N/A |
| File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\HelpMe.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3356 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe | C:\Windows\SysWOW64\HelpMe.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4e7c663a42020ca0d70e5ef8f4d953c8_JaffaCakes118.exe"
C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
Network
Files
C:\Windows\SysWOW64\HelpMe.exe
F:\AUTORUN.INF
F:\$RECYCLE.BIN\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.exe
C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.exe
F:\AutoRun.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk