Malware Analysis Report

2024-10-18 21:36

Sample ID 240614-s6pc7a1aqq
Target aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118
SHA256 2ba09d754a14da8ff1a1c8d3b95f30c07b312451c941765e90ed910e150142c2
Tags
persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

2ba09d754a14da8ff1a1c8d3b95f30c07b312451c941765e90ed910e150142c2

Threat Level: Known bad

The file aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence ransomware

Modifies WinLogon for persistence

Renames multiple (91) files with added filename extension

Drops startup file

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 15:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 15:44

Reported

2024-06-14 15:47

Platform

win7-20240611-en

Max time kernel

145s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Renames multiple (91) files with added filename extension

ransomware

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Windows\SysWOW64\notepad.exe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

N/A

Files

memory/2996-0-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2996-2-0x0000000000220000-0x0000000000221000-memory.dmp

\Windows\SysWOW64\HelpMe.exe

memory/2996-4-0x0000000001EF0000-0x0000000001F68000-memory.dmp

memory/3008-11-0x0000000000400000-0x0000000000478000-memory.dmp

F:\AUTORUN.INF

C:\$Recycle.Bin\S-1-5-21-2812790648-3157963462-487717889-1000\desktop.ini.exe

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

memory/2996-234-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2996-243-0x0000000001EF0000-0x0000000001F68000-memory.dmp

memory/3008-244-0x0000000000400000-0x0000000000478000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 15:44

Reported

2024-06-14 15:47

Platform

win10v2004-20240611-en

Max time kernel

145s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened for modification C:\AUTORUN.INF C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File created C:\Windows\SysWOW64\notepad.exe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\aa7f29c0cc4177e3fc288923705caa2d_JaffaCakes118.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp

Files

memory/720-0-0x0000000000400000-0x0000000000478000-memory.dmp

memory/720-1-0x00000000021D0000-0x00000000021D1000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

memory/2964-6-0x00000000005F0000-0x00000000005F1000-memory.dmp

C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

C:\$Recycle.Bin\S-1-5-21-200405930-3877336739-3533750831-1000\desktop.ini.exe

F:\AUTORUN.INF

F:\AutoRun.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

memory/720-58-0x0000000000400000-0x0000000000478000-memory.dmp

memory/720-59-0x00000000021D0000-0x00000000021D1000-memory.dmp

memory/2964-64-0x0000000000400000-0x0000000000478000-memory.dmp


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 db606399060d9aa56b335238d6ece832
SHA1 c120f02ef1a8a053671e03d5c4fb603521650849
SHA256 0b7049680eabf6f412d5ba6d8d6e192c878c1a1197542ad22c8ceedb18c16243
SHA512 946e7c05341fab35bf433d4336fc336bf0561be7b1223b46c5a86561c12c86183b5c05070a452e1462ad6642d7026384279a0e3a995b65388781e8cc9e7f7677

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a2c07200fd59f2cc2af37cd61faf0e4e
SHA1 073343623e903cc5340a35cc12e67dac764e33ab
SHA256 aea0ae37f4bcbaf27e3e8bf123a6d72c1fb92d276594af63bf063f90e54c3d2f
SHA512 823517d7e40be1ad7f1c9226d8ae78c3fd777df3ef8cae52bbd2e31d932e1394e963dafbc4642e5b1260fd64c956c42ea23701bf75eb4bb8c159b00d291a3be4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 bf7d8c922d36159f09927707eadd0e9c
SHA1 7d5d5b4936076c900eac21a94bf62f03e5242739
SHA256 5601dfd5ee72656f33cfe3c58fa02f2ceb9756ae37da46d89cdec86bf9ba4054
SHA512 2dea78a9399fdcaef237bbe067f1a3ab503cfee14303cad2e5eb62b142f9f5b70210f44a2f487b20baef0577741a4e6d802b079d88ad63f6ea6960ca71c6e80b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1b6117feae21ccb3bc2cd0499be78fd8
SHA1 e943997aeab9a9c306203facfdc78404ec94fd6b
SHA256 8801998f8bdf8b2c1af0a337bc2db350cbfa8717cf765fe54f9e9f4fd8efd581
SHA512 820b6765770ed5277f96d0793e57224f9630940be7968c4038d69feac8a914611711c26743cab49cd0cb33a424b8b88bba2511b8ce420cf9f52ca2f7cee33110

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 9d679cb878afa53669a8744b853b2566
SHA1 ea564b13fab5d2bca2d5864014ea72b44404623c
SHA256 0a135f9d3bba3c48acde49a1063f913281d40c36924b5969cd53b65870d3b769
SHA512 86370ed9ad88110c5fe29500035ac26bd5bd38cbaaaaf7896b9a6f5d2d611911760285f1152b7703aa52dc1227fe42fbfd0a03f3533a44556e92b907be94de4f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 463b1375c7fe3b615971c2ef74e80d7d
SHA1 cc3954d2b11b7bdd3e3d7cc5ed168b465c0180a9
SHA256 e98e7abfa8bd8210a5ad9eb90a1c2483335f88169cce6a8e0556d7d20bde8b5c
SHA512 c890f17ea2e0280df58c05ee0b894a64aac16c87eee31454936ec6a0d6e46fdc8b75d9ec4fa2f2b45ce6d1b846c39a670eac4e3b3dabca2524e000768ee90b93

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 744b35b158e564841a2f1b8a04011b7b
SHA1 25566241ac99041704c43568ef66a94aae85ea0e
SHA256 1e1fe30c3050a0ef78cb0cb7cb85db6792885398d405be19a18154913791f809
SHA512 eade33729e07c43c37773d4e457dcbe297a43706e39893456e22946c43b57d7b68486583319bd5abe378cc9b7b28895945709b046a37a03b5ebae40b9f4186c4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 685f602bf682cd81127b3593ba41e57d
SHA1 51b1a85566abb5fedaed71d76772f4485c1801fd
SHA256 15abfc87008580b9b1f0c4f3fb4a79aa45dbf0aeacccea27073bbb568eb52579
SHA512 ed4710758286db44452be4c3e70a65eca1fa7ce3ad8220452e11bf7500a3a18fb38ed4f031db175528399e2f8ad184dc9b96afd2e76d0045733f4300b45a30da

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 72a4a20132e2eebab383fd26fc2f3551
SHA1 fd5fbc094f2a431c0616f863a1a7472716982325
SHA256 72cbfe1d8b456c524d4b5aa47e00d78042bad7625187253b2f35e1d8da880bb2
SHA512 a81b32e94e8e330559851a088880157640a136d97126286529384a5eb31a6133c1b03a577861ac5c1d3de2377e873c30d356ed580b42fb0a78cacd753bbe2d9f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 d9ddd6d7342974f495dfcf49361eaf6b
SHA1 ddaee61bbf151079061087db9b50b238d42aeb5e
SHA256 54797fa32c347d449f4022b8ea3d83072c6c637d6bb6a4d3f616504952341375
SHA512 1388cdc1a3d7d7bfb92dc6e4a2c4c375fd23e68ddf1e1ddef4f716c539152982e1dedcd02f707659c3785bc6a6f6c552e0fbde782b43f608f728e05b493e6d33

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 2154919693aa8511d8eda79a72c46ff2
SHA1 99b2f91e67eaba102ac7c28165f8ca8bf6f9296f
SHA256 4ee05cc46f717c7d8a69b58d03480a5bd42f74625dd3c67d6f45e2732924a9f0
SHA512 a177983bd32479b40131244900909d37bfd0bd8f0af54febc8f6ad42d33df67f1fbff53fa32c4badc4c2a6f9acb400cbf08e661956f0d72d79ea5241edd60e22

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 cd254b3777470f1897601ea9e437c0fd
SHA1 afc76a802340a4c2d5eddf59b6c58bc7185cc04c
SHA256 d4c848770351e1af4e46a4b1880ac912ee10ee46142a39e7129a7b67f462e9f8
SHA512 a89d78efb0126120ed0567db1ec5b0cde3455d0b07aac064eb1d9adc3eb32c3b6ee52c848b579a3ee4b93ea41148a97f95c9751b4a42c28270a9befbf3e3e8cf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 15577f98aa8042d6681a391898463bf8
SHA1 f98bf214b876335e676a97afa9801634149cc493
SHA256 86810bb107ae1085274b4a7b6995fe1b6b4e800cf4f23191f2adc193a526dcdd
SHA512 dfb4684f4203c1e67d1af40615d4baa203f2b5689561a81354f80cd52f2800d72908661dbe1333f1aa91ed5151687bb65d90066f64628b9940ce69de881f6fda

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 505d5397373cdee5112e276c48239a15
SHA1 ed2a05ec1826415454e5767d4c2a08664c3d32c3
SHA256 5c251de3d4198337a9c246c080ed595132e2cdc8a1fbd44e74e1178d0f3b3d4a
SHA512 391bfb7dfda2ca9fc070265d0fed63236fe1b4cd7e6548aca3bd076dabaf4126a773a2bec0156c41c310c35b393e3c09e900e18d671f810cf7a3a46444f0b3cb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 a7c33d3412a5c25d04222f7e66c2d465
SHA1 cd9c503a3bb555dc56067fd767a7e074bedebda8
SHA256 cc1fb2c6a5ebffad15a278936e80e1ce2b5a2fcc8a7fc234254e33aa838486cb
SHA512 30793b20a28413f0d242892c90d08ea83821a5feb6e32605612cb410a2dc8fd1c8dfa696113567f801eee30136297240339cfea241c764d2dbb2b2468723a9bd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 1e71c59d445e51b7099dd0fd7699d8e6
SHA1 b4b2cd63c4f54fd78d4d8c2126ac1aa2bd49de0d
SHA256 61d41735ff5b321b4d8220ffddacbb25580920b4b1f2b749caa43297f7318dca
SHA512 82bec1ba6ce299aca1fc8264ada02a013e41605a98f70cab4e3ab9c2f392c1c3f45cb9b05992c97511cfb08612259b2799492a9ab17932e6853ecf1aa108dbdd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 f3f4d57fbe70f298bd326b0ee038ceb0
SHA1 83fdb160e8faa8afd5b16567d0c947fd84a503bb
SHA256 23eebad8b3d86762955fcd79f0da77b2402342ffb516e02a0486951ac190ee17
SHA512 20d08a3dd58c3672e4607aaa40aa344e6d57df48ad11b7c2b174128cf65f034fb2d5bf8736ddebb538195107f2cdcacfa2891023488f032e8ea5571f7ab6cfd0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

MD5 50ed507a6cad3f9b8e98026153852d02
SHA1 dd2bc02b280fb687ca55ec23762ccc89ab485f74
SHA256 98d49434a62389de83100450c7f2750eb85fefa22df80bd0efe6ca7399629d9d
SHA512 054642c4cb15aa0239331eed0da1117e775da150c824a63776455171efeacb5de1e5e346cab117a14c05d93a1506d03c771f5fb1f39f3b7c69cff1e104812f6b